# Flog Txt Version 1 # Analyzer Version: 4.3.0 # Analyzer Build Date: Sep 20 2021 05:59:55 # Log Creation Date: 28.09.2021 06:45:43.102 Process: id = "1" image_name = "revised proforma invoice_new order.exe" filename = "c:\\users\\keecfmwgj\\desktop\\revised proforma invoice_new order.exe" page_root = "0x3b74b000" os_pid = "0xe58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x448" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\Revised Proforma Invoice_New order.exe\" " cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e95f" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 114 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 115 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 116 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 117 start_va = 0x50000 end_va = 0xeffff monitored = 1 entry_point = 0xaf3ae region_type = mapped_file name = "revised proforma invoice_new order.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\Revised Proforma Invoice_New order.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\revised proforma invoice_new order.exe") Region: id = 118 start_va = 0xf0000 end_va = 0xf3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 119 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 120 start_va = 0x180000 end_va = 0x1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 121 start_va = 0x2d0000 end_va = 0x3cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 122 start_va = 0x76e60000 end_va = 0x77008fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 123 start_va = 0x77040000 end_va = 0x771bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 124 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 125 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 126 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 127 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 128 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 129 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 130 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 270 start_va = 0x4c0000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 271 start_va = 0x748b0000 end_va = 0x748b7fff monitored = 0 entry_point = 0x748b20f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 272 start_va = 0x748c0000 end_va = 0x7491bfff monitored = 0 entry_point = 0x748ff9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 273 start_va = 0x74920000 end_va = 0x7495efff monitored = 0 entry_point = 0x7494e088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 274 start_va = 0x76c40000 end_va = 0x76d5efff monitored = 0 entry_point = 0x76c55340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 275 start_va = 0x75d40000 end_va = 0x75e4ffff monitored = 0 entry_point = 0x75d53283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 276 start_va = 0x76c40000 end_va = 0x76d5efff monitored = 0 entry_point = 0x76c55340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 277 start_va = 0x76c40000 end_va = 0x76d5efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000076c40000" filename = "" Region: id = 278 start_va = 0x76d60000 end_va = 0x76e59fff monitored = 0 entry_point = 0x76d7a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 279 start_va = 0x76d60000 end_va = 0x76e59fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000076d60000" filename = "" Region: id = 280 start_va = 0x540000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 281 start_va = 0x74a20000 end_va = 0x74a69fff monitored = 1 entry_point = 0x74a22e54 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll") Region: id = 282 start_va = 0x75d40000 end_va = 0x75e4ffff monitored = 0 entry_point = 0x75d53283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 283 start_va = 0x75150000 end_va = 0x75196fff monitored = 0 entry_point = 0x751574c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 284 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 285 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 286 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 287 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 288 start_va = 0x110000 end_va = 0x176fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 289 start_va = 0x730000 end_va = 0x8affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 290 start_va = 0x1c0000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 291 start_va = 0x75ca0000 end_va = 0x75d3ffff monitored = 0 entry_point = 0x75cb49e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 292 start_va = 0x74cf0000 end_va = 0x74d9bfff monitored = 0 entry_point = 0x74cfa472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 293 start_va = 0x753d0000 end_va = 0x753e8fff monitored = 0 entry_point = 0x753d4975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 294 start_va = 0x75710000 end_va = 0x757fffff monitored = 0 entry_point = 0x75720569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 295 start_va = 0x74b90000 end_va = 0x74beffff monitored = 0 entry_point = 0x74baa3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 296 start_va = 0x74b80000 end_va = 0x74b8bfff monitored = 0 entry_point = 0x74b810e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 297 start_va = 0x8b0000 end_va = 0xa6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 298 start_va = 0x74990000 end_va = 0x74a1cfff monitored = 1 entry_point = 0x749a2860 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll") Region: id = 299 start_va = 0x72bf0000 end_va = 0x72bf2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\SysWOW64\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\syswow64\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 300 start_va = 0x74c90000 end_va = 0x74ce6fff monitored = 0 entry_point = 0x74ca9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 301 start_va = 0x74e80000 end_va = 0x74f0ffff monitored = 0 entry_point = 0x74e96343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 302 start_va = 0x75b00000 end_va = 0x75bfffff monitored = 0 entry_point = 0x75b1b6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 303 start_va = 0x77010000 end_va = 0x77019fff monitored = 0 entry_point = 0x770136a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 304 start_va = 0x74bf0000 end_va = 0x74c8cfff monitored = 0 entry_point = 0x74c23fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 305 start_va = 0x210000 end_va = 0x22dfff monitored = 0 entry_point = 0x22158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 306 start_va = 0x8b0000 end_va = 0xa37fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 307 start_va = 0xa60000 end_va = 0xa6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 308 start_va = 0x210000 end_va = 0x22dfff monitored = 0 entry_point = 0x22158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 309 start_va = 0x75c40000 end_va = 0x75c9ffff monitored = 0 entry_point = 0x75c5158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 310 start_va = 0x751a0000 end_va = 0x7526bfff monitored = 0 entry_point = 0x751a168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 311 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 312 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 313 start_va = 0x1d0000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 314 start_va = 0xa70000 end_va = 0xbf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 315 start_va = 0xc00000 end_va = 0x1ffffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c00000" filename = "" Region: id = 316 start_va = 0x210000 end_va = 0x2abfff monitored = 1 entry_point = 0x26f3ae region_type = mapped_file name = "revised proforma invoice_new order.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\Revised Proforma Invoice_New order.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\revised proforma invoice_new order.exe") Region: id = 317 start_va = 0x210000 end_va = 0x2abfff monitored = 1 entry_point = 0x26f3ae region_type = mapped_file name = "revised proforma invoice_new order.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\Revised Proforma Invoice_New order.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\revised proforma invoice_new order.exe") Region: id = 318 start_va = 0x73b80000 end_va = 0x73b88fff monitored = 0 entry_point = 0x73b81220 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 319 start_va = 0x712b0000 end_va = 0x71a5efff monitored = 1 entry_point = 0x712cd0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 320 start_va = 0x71a60000 end_va = 0x7220efff monitored = 1 entry_point = 0x71a7d0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 321 start_va = 0x712b0000 end_va = 0x71a5efff monitored = 1 entry_point = 0x712cd0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 322 start_va = 0x74970000 end_va = 0x74983fff monitored = 0 entry_point = 0x7497ac00 region_type = mapped_file name = "vcruntime140_clr0400.dll" filename = "\\Windows\\SysWOW64\\vcruntime140_clr0400.dll" (normalized: "c:\\windows\\syswow64\\vcruntime140_clr0400.dll") Region: id = 323 start_va = 0x723b0000 end_va = 0x7245afff monitored = 0 entry_point = 0x72445f20 region_type = mapped_file name = "ucrtbase_clr0400.dll" filename = "\\Windows\\SysWOW64\\ucrtbase_clr0400.dll" (normalized: "c:\\windows\\syswow64\\ucrtbase_clr0400.dll") Region: id = 324 start_va = 0x210000 end_va = 0x210fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 325 start_va = 0x220000 end_va = 0x22ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 326 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 327 start_va = 0x240000 end_va = 0x24ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 328 start_va = 0x250000 end_va = 0x25ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 329 start_va = 0x260000 end_va = 0x26ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 330 start_va = 0x270000 end_va = 0x27ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 331 start_va = 0x280000 end_va = 0x280fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 332 start_va = 0x290000 end_va = 0x290fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 333 start_va = 0x3d0000 end_va = 0x41ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 334 start_va = 0x420000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 335 start_va = 0x5f0000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 336 start_va = 0x630000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 337 start_va = 0x2070000 end_va = 0x216ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002070000" filename = "" Region: id = 338 start_va = 0x7efd8000 end_va = 0x7efdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 339 start_va = 0x2a0000 end_va = 0x2affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 340 start_va = 0x2170000 end_va = 0x416ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002170000" filename = "" Region: id = 341 start_va = 0x540000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 342 start_va = 0x41a0000 end_va = 0x41dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041a0000" filename = "" Region: id = 343 start_va = 0x42f0000 end_va = 0x43effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000042f0000" filename = "" Region: id = 344 start_va = 0x7efd5000 end_va = 0x7efd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 345 start_va = 0x7a0000 end_va = 0x89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 346 start_va = 0x8a0000 end_va = 0x8affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 347 start_va = 0x4210000 end_va = 0x424ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004210000" filename = "" Region: id = 348 start_va = 0x7efad000 end_va = 0x7efaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 349 start_va = 0x43f0000 end_va = 0x46befff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 350 start_va = 0x6fea0000 end_va = 0x712aafff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\36eaccfde177c2e7b93b8dbdde4e012a\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\36eaccfde177c2e7b93b8dbdde4e012a\\mscorlib.ni.dll") Region: id = 351 start_va = 0x75270000 end_va = 0x753cbfff monitored = 0 entry_point = 0x752bba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 352 start_va = 0x73ab0000 end_va = 0x73b2ffff monitored = 0 entry_point = 0x73ac37c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 353 start_va = 0x46c0000 end_va = 0x48cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046c0000" filename = "" Region: id = 354 start_va = 0x46c0000 end_va = 0x479efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000046c0000" filename = "" Region: id = 355 start_va = 0x4890000 end_va = 0x48cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004890000" filename = "" Region: id = 356 start_va = 0x2a0000 end_va = 0x2affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 357 start_va = 0x74960000 end_va = 0x74962fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-xstate-l2-1-0.dll" filename = "\\Windows\\SysWOW64\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\windows\\syswow64\\api-ms-win-core-xstate-l2-1-0.dll") Region: id = 358 start_va = 0x72180000 end_va = 0x72208fff monitored = 1 entry_point = 0x72181130 region_type = mapped_file name = "clrjit.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clrjit.dll") Region: id = 359 start_va = 0x758a0000 end_va = 0x7592efff monitored = 0 entry_point = 0x758a3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 360 start_va = 0x2b0000 end_va = 0x2bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 361 start_va = 0x6f440000 end_va = 0x6fe94fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\2c3c912ea8f058f9d04c4650128feb3f\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\2c3c912ea8f058f9d04c4650128feb3f\\system.ni.dll") Region: id = 362 start_va = 0x730000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 363 start_va = 0x75ff0000 end_va = 0x76c39fff monitored = 0 entry_point = 0x76071601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 364 start_va = 0x2c0000 end_va = 0x2c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 365 start_va = 0x2030000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002030000" filename = "" Region: id = 366 start_va = 0x48e0000 end_va = 0x49dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000048e0000" filename = "" Region: id = 367 start_va = 0x73700000 end_va = 0x737f4fff monitored = 0 entry_point = 0x73710d9e region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 368 start_va = 0x7efaa000 end_va = 0x7efacfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 369 start_va = 0x3d0000 end_va = 0x3d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 370 start_va = 0x3e0000 end_va = 0x41ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 371 start_va = 0x73c50000 end_va = 0x73dedfff monitored = 0 entry_point = 0x73c7e6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 372 start_va = 0x420000 end_va = 0x420fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 373 start_va = 0x450000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 374 start_va = 0x430000 end_va = 0x431fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 375 start_va = 0x73890000 end_va = 0x738dbfff monitored = 0 entry_point = 0x73892c14 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 376 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 377 start_va = 0x75a70000 end_va = 0x75af2fff monitored = 0 entry_point = 0x75a723d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 378 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 379 start_va = 0x73e30000 end_va = 0x748affff monitored = 0 entry_point = 0x73e36b95 region_type = mapped_file name = "ieframe.dll" filename = "\\Windows\\SysWOW64\\ieframe.dll" (normalized: "c:\\windows\\syswow64\\ieframe.dll") Region: id = 380 start_va = 0x75800000 end_va = 0x75804fff monitored = 0 entry_point = 0x75801438 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 381 start_va = 0x73df0000 end_va = 0x73e2bfff monitored = 0 entry_point = 0x73df3089 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\SysWOW64\\oleacc.dll" (normalized: "c:\\windows\\syswow64\\oleacc.dll") Region: id = 382 start_va = 0x753f0000 end_va = 0x755eafff monitored = 0 entry_point = 0x753f22d9 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 383 start_va = 0x490000 end_va = 0x490fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\SysWOW64\\oleaccrc.dll" (normalized: "c:\\windows\\syswow64\\oleaccrc.dll") Region: id = 384 start_va = 0x4a0000 end_va = 0x4a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 385 start_va = 0x75930000 end_va = 0x75a65fff monitored = 0 entry_point = 0x75931b35 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 386 start_va = 0x755f0000 end_va = 0x756e4fff monitored = 0 entry_point = 0x755f1865 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 387 start_va = 0x74fc0000 end_va = 0x750e0fff monitored = 0 entry_point = 0x74fc158e region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 388 start_va = 0x75810000 end_va = 0x7581bfff monitored = 0 entry_point = 0x7581238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 389 start_va = 0x4aa0000 end_va = 0x4adffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004aa0000" filename = "" Region: id = 390 start_va = 0x4bb0000 end_va = 0x4caffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004bb0000" filename = "" Region: id = 391 start_va = 0x7efa7000 end_va = 0x7efa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 392 start_va = 0x73c10000 end_va = 0x73c30fff monitored = 0 entry_point = 0x73c1145e region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 393 start_va = 0x74f70000 end_va = 0x74fb4fff monitored = 0 entry_point = 0x74f711e1 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 394 start_va = 0x4cb0000 end_va = 0x4daffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004cb0000" filename = "" Region: id = 395 start_va = 0x75e50000 end_va = 0x75fecfff monitored = 0 entry_point = 0x75e517e7 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 396 start_va = 0x74f40000 end_va = 0x74f66fff monitored = 0 entry_point = 0x74f458b9 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 397 start_va = 0x756f0000 end_va = 0x75701fff monitored = 0 entry_point = 0x756f1441 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 398 start_va = 0x4b0000 end_va = 0x4bcfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\setupapi.dll.mui") Region: id = 399 start_va = 0x5e0000 end_va = 0x5e3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 400 start_va = 0x770000 end_va = 0x786fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000007.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000007.db") Region: id = 401 start_va = 0x790000 end_va = 0x790fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 402 start_va = 0x73c40000 end_va = 0x73c4afff monitored = 0 entry_point = 0x73c41992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 403 start_va = 0x5e0000 end_va = 0x5e3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 404 start_va = 0x2000000 end_va = 0x202ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000e.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db") Region: id = 405 start_va = 0xa40000 end_va = 0xa43fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 406 start_va = 0x4250000 end_va = 0x42b5fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 407 start_va = 0xa50000 end_va = 0xa5dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\propsys.dll.mui") Region: id = 408 start_va = 0x4170000 end_va = 0x4170fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004170000" filename = "" Region: id = 426 start_va = 0x4b00000 end_va = 0x4b3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b00000" filename = "" Region: id = 427 start_va = 0x4de0000 end_va = 0x4edffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004de0000" filename = "" Region: id = 428 start_va = 0x7efa4000 end_va = 0x7efa6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa4000" filename = "" Region: id = 445 start_va = 0x73950000 end_va = 0x73966fff monitored = 0 entry_point = 0x73953573 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 446 start_va = 0x2030000 end_va = 0x206bfff monitored = 0 entry_point = 0x203128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 447 start_va = 0x2030000 end_va = 0x206bfff monitored = 0 entry_point = 0x203128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 448 start_va = 0x2030000 end_va = 0x206bfff monitored = 0 entry_point = 0x203128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 449 start_va = 0x2030000 end_va = 0x206bfff monitored = 0 entry_point = 0x203128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 450 start_va = 0x2030000 end_va = 0x206bfff monitored = 0 entry_point = 0x203128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 451 start_va = 0x73910000 end_va = 0x7394afff monitored = 0 entry_point = 0x7391128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 452 start_va = 0x73a80000 end_va = 0x73a8dfff monitored = 0 entry_point = 0x73a81235 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll") Region: id = 703 start_va = 0x49f0000 end_va = 0x4a2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000049f0000" filename = "" Region: id = 704 start_va = 0x5000000 end_va = 0x50fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005000000" filename = "" Region: id = 705 start_va = 0x7efaa000 end_va = 0x7efacfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 706 start_va = 0x2030000 end_va = 0x2030fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002030000" filename = "" Region: id = 707 start_va = 0x4820000 end_va = 0x485ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004820000" filename = "" Region: id = 708 start_va = 0x5230000 end_va = 0x532ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005230000" filename = "" Region: id = 709 start_va = 0x7efa1000 end_va = 0x7efa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa1000" filename = "" Region: id = 710 start_va = 0x2040000 end_va = 0x2043fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1265 start_va = 0x47a0000 end_va = 0x4801fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorrc.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscorrc.dll") Region: id = 1266 start_va = 0x48d0000 end_va = 0x49cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000048d0000" filename = "" Region: id = 1267 start_va = 0x4810000 end_va = 0x4851fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004810000" filename = "" Region: id = 1268 start_va = 0x2050000 end_va = 0x205ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002050000" filename = "" Region: id = 1269 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1270 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1271 start_va = 0x4190000 end_va = 0x419ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004190000" filename = "" Region: id = 1272 start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 1273 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1274 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1275 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1276 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1277 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1278 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1279 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1280 start_va = 0x4190000 end_va = 0x419ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004190000" filename = "" Region: id = 1281 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1282 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1283 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1284 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1285 start_va = 0x72370000 end_va = 0x72382fff monitored = 1 entry_point = 0x7237d900 region_type = mapped_file name = "nlssorting.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\nlssorting.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\nlssorting.dll") Region: id = 1286 start_va = 0x5100000 end_va = 0x53d1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nlp" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\sortdefault.nlp" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\sortdefault.nlp") Region: id = 1287 start_va = 0x72390000 end_va = 0x723a6fff monitored = 0 entry_point = 0x723935fa region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 1288 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1289 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1290 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1291 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1292 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1293 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1294 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1295 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1296 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1297 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1298 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1299 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1300 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1301 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1302 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1303 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1304 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1305 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1306 start_va = 0x4190000 end_va = 0x419ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004190000" filename = "" Region: id = 1307 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1308 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1309 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1310 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1311 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1312 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1313 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1314 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1315 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1316 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1317 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1318 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1319 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1320 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1321 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1322 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1323 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1324 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1325 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1326 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1327 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1328 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1329 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1330 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1331 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1332 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1333 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1334 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1335 start_va = 0x4de0000 end_va = 0x4e1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004de0000" filename = "" Region: id = 1336 start_va = 0x4ed0000 end_va = 0x4fcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004ed0000" filename = "" Region: id = 1337 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1338 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1339 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1340 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1341 start_va = 0x4190000 end_va = 0x419ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004190000" filename = "" Region: id = 1342 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1343 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1344 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1345 start_va = 0x6ec20000 end_va = 0x6f437fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.core.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\31fae3290fad30c31c98651462d22724\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.core\\31fae3290fad30c31c98651462d22724\\system.core.ni.dll") Region: id = 1346 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1347 start_va = 0x41e0000 end_va = 0x4203fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041e0000" filename = "" Region: id = 1348 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1349 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1350 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1351 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1352 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1353 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1354 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1355 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1356 start_va = 0x4190000 end_va = 0x419ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004190000" filename = "" Region: id = 1357 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1358 start_va = 0x4180000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1359 start_va = 0x4190000 end_va = 0x419ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004190000" filename = "" Region: id = 1360 start_va = 0x42c0000 end_va = 0x42cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000042c0000" filename = "" Region: id = 1361 start_va = 0x42d0000 end_va = 0x42dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000042d0000" filename = "" Region: id = 1362 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1381 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1422 start_va = 0x4a60000 end_va = 0x4a9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a60000" filename = "" Region: id = 1423 start_va = 0x54d0000 end_va = 0x55cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000054d0000" filename = "" Region: id = 1424 start_va = 0x7efaa000 end_va = 0x7efacfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Thread: id = 1 os_tid = 0xe5c [0052.645] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0056.371] GetCurrentProcessId () returned 0xe58 [0056.377] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x3ce90c | out: lpLuid=0x3ce90c*(LowPart=0x14, HighPart=0)) returned 1 [0056.380] GetCurrentProcess () returned 0xffffffff [0056.380] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x3ce908 | out: TokenHandle=0x3ce908*=0x1f4) returned 1 [0056.382] AdjustTokenPrivileges (in: TokenHandle=0x1f4, DisableAllPrivileges=0, NewState=0x2172484*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0056.382] CloseHandle (hObject=0x1f4) returned 1 [0056.415] EnumWindows (lpEnumFunc=0x7307e6, lParam=0x0) returned 0 [0056.418] GetWindowThreadProcessId (in: hWnd=0x30128, lpdwProcessId=0x3cef14 | out: lpdwProcessId=0x3cef14) returned 0x554 [0056.418] GetWindowThreadProcessId (in: hWnd=0x300b0, lpdwProcessId=0x3cef14 | out: lpdwProcessId=0x3cef14) returned 0x47c [0056.418] GetWindowThreadProcessId (in: hWnd=0x300ea, lpdwProcessId=0x3cef14 | out: lpdwProcessId=0x3cef14) returned 0x47c [0056.419] GetWindowThreadProcessId (in: hWnd=0x400be, lpdwProcessId=0x3cef14 | out: lpdwProcessId=0x3cef14) returned 0x47c [0056.419] GetWindowThreadProcessId (in: hWnd=0x101ca, lpdwProcessId=0x3cef14 | out: lpdwProcessId=0x3cef14) returned 0x544 [0056.419] GetWindowThreadProcessId (in: hWnd=0x10130, lpdwProcessId=0x3cef14 | out: lpdwProcessId=0x3cef14) returned 0x50c [0056.419] GetWindowThreadProcessId (in: hWnd=0x10076, lpdwProcessId=0x3cef14 | out: lpdwProcessId=0x3cef14) returned 0x47c [0056.419] GetWindowThreadProcessId (in: hWnd=0x10074, lpdwProcessId=0x3cef14 | out: lpdwProcessId=0x3cef14) returned 0x47c [0056.419] GetWindowThreadProcessId (in: hWnd=0x10060, lpdwProcessId=0x3cef14 | out: lpdwProcessId=0x3cef14) returned 0x47c [0056.419] GetWindowThreadProcessId (in: hWnd=0x1008a, lpdwProcessId=0x3cef14 | out: lpdwProcessId=0x3cef14) returned 0x47c [0056.419] GetWindowThreadProcessId (in: hWnd=0x1007e, lpdwProcessId=0x3cef14 | out: lpdwProcessId=0x3cef14) returned 0x47c [0056.419] GetWindowThreadProcessId (in: hWnd=0x1007c, lpdwProcessId=0x3cef14 | out: lpdwProcessId=0x3cef14) returned 0x47c [0056.420] GetWindowThreadProcessId (in: hWnd=0x10078, lpdwProcessId=0x3cef14 | out: lpdwProcessId=0x3cef14) returned 0x47c [0056.420] GetWindowThreadProcessId (in: hWnd=0x10058, lpdwProcessId=0x3cef14 | out: lpdwProcessId=0x3cef14) returned 0x47c [0056.420] GetWindowThreadProcessId (in: hWnd=0x10050, lpdwProcessId=0x3cef14 | out: lpdwProcessId=0x3cef14) returned 0x47c [0056.420] GetWindowThreadProcessId (in: hWnd=0x100f6, lpdwProcessId=0x3cef14 | out: lpdwProcessId=0x3cef14) returned 0x44c [0056.420] GetWindowThreadProcessId (in: hWnd=0x5009c, lpdwProcessId=0x3cef14 | out: lpdwProcessId=0x3cef14) returned 0x47c [0056.420] GetWindowThreadProcessId (in: hWnd=0x1008c, lpdwProcessId=0x3cef14 | out: lpdwProcessId=0x3cef14) returned 0x47c [0056.420] GetWindowThreadProcessId (in: hWnd=0x402f0, lpdwProcessId=0x3cef14 | out: lpdwProcessId=0x3cef14) returned 0xe5c [0056.420] GetWindow (hWnd=0x402f0, uCmd=0x4) returned 0x0 [0056.421] IsWindowVisible (hWnd=0x402f0) returned 1 [0056.432] ShowWindow (hWnd=0x402f0, nCmdShow=0) returned 1 [0056.539] LocalAlloc (uFlags=0x0, uBytes=0x16) returned 0x67c3b0 [0056.539] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x66aa78 [0059.141] ShellExecuteExW (in: pExecInfo=0x2173970*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="powershell", lpParameters="Start-Sleep -s 5", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x2173970*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="powershell", lpParameters="Start-Sleep -s 5", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x360)) returned 1 [0068.929] LocalFree (hMem=0x67c3b0) returned 0x0 [0068.929] LocalFree (hMem=0x66aa78) returned 0x0 [0068.936] GetCurrentProcess () returned 0xffffffff [0068.936] GetCurrentProcess () returned 0xffffffff [0068.938] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x360, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3cef80, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3cef80*=0x218) returned 1 [0068.942] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x3cef78*=0x218, lpdwindex=0x3ced9c | out: lpdwindex=0x3ced9c) returned 0x0 [0093.897] CloseHandle (hObject=0x218) returned 1 [0093.898] LocalAlloc (uFlags=0x0, uBytes=0x16) returned 0x6a8000 [0093.898] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x6c0618 [0093.898] ShellExecuteExW (in: pExecInfo=0x2173b50*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="powershell", lpParameters="Start-Sleep -s 5", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x2173b50*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="powershell", lpParameters="Start-Sleep -s 5", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x38c)) returned 1 [0093.945] LocalFree (hMem=0x6a8000) returned 0x0 [0093.945] LocalFree (hMem=0x6c0618) returned 0x0 [0093.945] GetCurrentProcess () returned 0xffffffff [0093.945] GetCurrentProcess () returned 0xffffffff [0093.945] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x38c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3cef80, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3cef80*=0x310) returned 1 [0093.945] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x3cef78*=0x310, lpdwindex=0x3ced9c | out: lpdwindex=0x3ced9c) returned 0x0 [0112.764] CloseHandle (hObject=0x310) returned 1 [0112.765] LocalAlloc (uFlags=0x0, uBytes=0x16) returned 0x6a8020 [0112.765] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x6c0678 [0112.765] ShellExecuteExW (in: pExecInfo=0x2173cf0*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="powershell", lpParameters="Start-Sleep -s 5", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x2173cf0*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="powershell", lpParameters="Start-Sleep -s 5", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x390)) returned 1 [0112.822] LocalFree (hMem=0x6a8020) returned 0x0 [0112.822] LocalFree (hMem=0x6c0678) returned 0x0 [0112.822] GetCurrentProcess () returned 0xffffffff [0112.822] GetCurrentProcess () returned 0xffffffff [0112.822] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x390, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3cef80, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3cef80*=0x384) returned 1 [0112.823] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x3cef78*=0x384, lpdwindex=0x3ced9c | out: lpdwindex=0x3ced9c) returned 0x0 [0129.939] CloseHandle (hObject=0x384) returned 1 [0129.982] EtwEventRegister () returned 0x0 [0129.995] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\Revised Proforma Invoice_New order.exe.config", nBufferLength=0x105, lpBuffer=0x3ce868, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\Revised Proforma Invoice_New order.exe.config", lpFilePart=0x0) returned 0x48 [0129.995] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x3ceab0) returned 1 [0129.995] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\Revised Proforma Invoice_New order.exe.config" (normalized: "c:\\users\\keecfmwgj\\desktop\\revised proforma invoice_new order.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x3ced74 | out: lpFileInformation=0x3ced74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0129.996] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x3ceaac) returned 1 [0130.518] BCryptGetFipsAlgorithmMode (in: pfEnabled=0x3cca54 | out: pfEnabled=0x3cca54) returned 0x0 [0168.230] CoTaskMemAlloc (cb=0x21) returned 0x66a6e8 [0168.230] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\amsi.dll", cchWideChar=28, lpMultiByteStr=0x2188650, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\amsi.dll", lpUsedDefaultChar=0x0) returned 28 [0168.230] LoadLibraryA (lpLibFileName="C:\\Windows\\System32\\amsi.dll") returned 0x0 [0168.233] CoTaskMemFree (pv=0x66a6e8) [0168.236] CoTaskMemAlloc (cb=0x13) returned 0x6a7fe0 [0168.236] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AmsiScanBuffer", cchWideChar=14, lpMultiByteStr=0x21886c4, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AmsiScanBuffer", lpUsedDefaultChar=0x0) returned 14 [0168.236] GetProcAddress (hModule=0x0, lpProcName="AmsiScanBuffer") returned 0x0 [0168.236] CoTaskMemFree (pv=0x6a7fe0) [0168.241] VirtualProtect (in: lpAddress=0x0, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x3cea58 | out: lpflOldProtect=0x3cea58*=0x0) returned 0 [0168.268] GetCurrentProcessId () returned 0xe58 [0168.273] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe58) returned 0x334 [0168.278] EnumProcessModules (in: hProcess=0x334, lphModule=0x218bdf4, cb=0x100, lpcbNeeded=0x3cea20 | out: lphModule=0x218bdf4, lpcbNeeded=0x3cea20) returned 1 [0168.281] GetModuleInformation (in: hProcess=0x334, hModule=0x50000, lpmodinfo=0x218bf40, cb=0xc | out: lpmodinfo=0x218bf40*(lpBaseOfDll=0x50000, SizeOfImage=0xa0000, EntryPoint=0xaf3ae)) returned 1 [0168.282] CoTaskMemAlloc (cb=0x804) returned 0x6d3490 [0168.282] GetModuleBaseNameW (in: hProcess=0x334, hModule=0x50000, lpBaseName=0x6d3490, nSize=0x800 | out: lpBaseName="Revised Proforma Invoice_New order.exe") returned 0x26 [0168.282] CoTaskMemFree (pv=0x6d3490) [0168.283] CoTaskMemAlloc (cb=0x804) returned 0x6d3490 [0168.283] GetModuleFileNameExW (in: hProcess=0x334, hModule=0x50000, lpFilename=0x6d3490, nSize=0x800 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\Revised Proforma Invoice_New order.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\revised proforma invoice_new order.exe")) returned 0x41 [0168.283] CoTaskMemFree (pv=0x6d3490) [0168.284] CloseHandle (hObject=0x334) returned 1 [0168.289] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\AppContext", ulOptions=0x0, samDesired=0x20019, phkResult=0x3ce288 | out: phkResult=0x3ce288*=0x0) returned 0x2 [0168.290] RegCloseKey (hKey=0x80000002) returned 0x0 [0168.291] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\Revised Proforma Invoice_New order.exe", nBufferLength=0x105, lpBuffer=0x3ce530, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\Revised Proforma Invoice_New order.exe", lpFilePart=0x0) returned 0x41 [0168.313] CoTaskMemAlloc (cb=0x20c) returned 0x6c9760 [0168.313] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x6c9760 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned 0x25 [0168.313] CoTaskMemFree (pv=0x6c9760) [0168.313] GetLongPathNameW (in: lpszShortPath="C:\\Users\\KEECFM~1\\", lpszLongPath=0x3ce500, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\kEecfMwgj\\") returned 0x13 [0168.315] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\", nBufferLength=0x105, lpBuffer=0x3ce514, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\", lpFilePart=0x0) returned 0x26 [0168.316] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Itself.exe", nBufferLength=0x105, lpBuffer=0x3ce504, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Itself.exe", lpFilePart=0x0) returned 0x30 [0168.316] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", nBufferLength=0x105, lpBuffer=0x3ce48c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", lpFilePart=0x0) returned 0x2e [0168.316] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Itself.exe", nBufferLength=0x105, lpBuffer=0x3ce504, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Itself.exe", lpFilePart=0x0) returned 0x38 [0168.316] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x3ce77c) returned 1 [0168.316] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Itself.exe" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\itself.exe"), fInfoLevelId=0x0, lpFileInformation=0x218fd74 | out: lpFileInformation=0x218fd74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0168.317] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x3ce778) returned 1 [0168.317] GetCurrentProcessId () returned 0xe58 [0168.317] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe58) returned 0x48 [0168.317] EnumProcessModules (in: hProcess=0x48, lphModule=0x218ff90, cb=0x100, lpcbNeeded=0x3ce9f4 | out: lphModule=0x218ff90, lpcbNeeded=0x3ce9f4) returned 1 [0168.318] GetModuleInformation (in: hProcess=0x48, hModule=0x50000, lpmodinfo=0x21900d0, cb=0xc | out: lpmodinfo=0x21900d0*(lpBaseOfDll=0x50000, SizeOfImage=0xa0000, EntryPoint=0xaf3ae)) returned 1 [0168.318] CoTaskMemAlloc (cb=0x804) returned 0x6d3490 [0168.318] GetModuleBaseNameW (in: hProcess=0x48, hModule=0x50000, lpBaseName=0x6d3490, nSize=0x800 | out: lpBaseName="Revised Proforma Invoice_New order.exe") returned 0x26 [0168.318] CoTaskMemFree (pv=0x6d3490) [0168.318] CoTaskMemAlloc (cb=0x804) returned 0x6d3490 [0168.318] GetModuleFileNameExW (in: hProcess=0x48, hModule=0x50000, lpFilename=0x6d3490, nSize=0x800 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\Revised Proforma Invoice_New order.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\revised proforma invoice_new order.exe")) returned 0x41 [0168.319] CoTaskMemFree (pv=0x6d3490) [0168.319] CloseHandle (hObject=0x48) returned 1 [0168.320] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\Revised Proforma Invoice_New order.exe", nBufferLength=0x105, lpBuffer=0x3ce504, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\Revised Proforma Invoice_New order.exe", lpFilePart=0x0) returned 0x41 [0168.320] CoTaskMemAlloc (cb=0x20c) returned 0x6c9760 [0168.320] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x6c9760 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned 0x25 [0168.320] CoTaskMemFree (pv=0x6c9760) [0168.320] GetLongPathNameW (in: lpszShortPath="C:\\Users\\KEECFM~1\\", lpszLongPath=0x3ce500, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\kEecfMwgj\\") returned 0x13 [0168.320] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\", nBufferLength=0x105, lpBuffer=0x3ce514, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\", lpFilePart=0x0) returned 0x26 [0168.321] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe", nBufferLength=0x105, lpBuffer=0x3ce504, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe", lpFilePart=0x0) returned 0x4c [0168.321] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x3ce77c) returned 1 [0168.321] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\revised proforma invoice_new order.exe"), fInfoLevelId=0x0, lpFileInformation=0x2192938 | out: lpFileInformation=0x2192938*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0168.322] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x3ce778) returned 1 [0168.331] CopyFileW (lpExistingFileName="C:\\Users\\kEecfMwgj\\Desktop\\Revised Proforma Invoice_New order.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\revised proforma invoice_new order.exe"), lpNewFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\revised proforma invoice_new order.exe"), bFailIfExists=1) returned 1 [0168.755] CoTaskMemAlloc (cb=0xd) returned 0x6d3760 [0168.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x21a2fe0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8 [0168.755] LoadLibraryA (lpLibFileName="kernel32") returned 0x75d40000 [0168.756] CoTaskMemFree (pv=0x6d3760) [0168.756] CoTaskMemAlloc (cb=0x11) returned 0x6a8100 [0168.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ResumeThread", cchWideChar=12, lpMultiByteStr=0x21a3018, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ResumeThread", lpUsedDefaultChar=0x0) returned 12 [0168.756] GetProcAddress (hModule=0x75d40000, lpProcName="ResumeThread") returned 0x75d543a7 [0168.756] CoTaskMemFree (pv=0x6a8100) [0168.766] CoTaskMemAlloc (cb=0xd) returned 0x6d3760 [0168.766] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x21a32c0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8 [0168.766] LoadLibraryA (lpLibFileName="kernel32") returned 0x75d40000 [0168.766] CoTaskMemFree (pv=0x6d3760) [0168.766] CoTaskMemAlloc (cb=0x1a) returned 0x6cd2e8 [0168.766] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Wow64SetThreadContext", cchWideChar=21, lpMultiByteStr=0x21a32f8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Wow64SetThreadContext", lpUsedDefaultChar=0x0) returned 21 [0168.767] GetProcAddress (hModule=0x75d40000, lpProcName="Wow64SetThreadContext") returned 0x75dd5933 [0168.767] CoTaskMemFree (pv=0x6cd2e8) [0168.775] CoTaskMemAlloc (cb=0xd) returned 0x6d37a8 [0168.775] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x21a3574, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8 [0168.775] LoadLibraryA (lpLibFileName="kernel32") returned 0x75d40000 [0168.776] CoTaskMemFree (pv=0x6d37a8) [0168.776] CoTaskMemAlloc (cb=0x15) returned 0x6d2dc8 [0168.776] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="SetThreadContext", cchWideChar=16, lpMultiByteStr=0x21a35ac, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetThreadContext", lpUsedDefaultChar=0x0) returned 16 [0168.776] GetProcAddress (hModule=0x75d40000, lpProcName="SetThreadContext") returned 0x75dd5933 [0168.776] CoTaskMemFree (pv=0x6d2dc8) [0168.778] CoTaskMemAlloc (cb=0xd) returned 0x6d37a8 [0168.778] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x21a381c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8 [0168.778] LoadLibraryA (lpLibFileName="kernel32") returned 0x75d40000 [0168.778] CoTaskMemFree (pv=0x6d37a8) [0168.778] CoTaskMemAlloc (cb=0x15) returned 0x6d2e68 [0168.778] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetThreadContext", cchWideChar=16, lpMultiByteStr=0x21a3854, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThreadContext", lpUsedDefaultChar=0x0) returned 16 [0168.778] GetProcAddress (hModule=0x75d40000, lpProcName="GetThreadContext") returned 0x75d7799c [0168.778] CoTaskMemFree (pv=0x6d2e68) [0168.780] CoTaskMemAlloc (cb=0xd) returned 0x6d37a8 [0168.780] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x21a3aa4, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8 [0168.780] LoadLibraryA (lpLibFileName="kernel32") returned 0x75d40000 [0168.781] CoTaskMemFree (pv=0x6d37a8) [0168.781] CoTaskMemAlloc (cb=0x13) returned 0x6d2dc8 [0168.781] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="VirtualAllocEx", cchWideChar=14, lpMultiByteStr=0x21a3adc, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VirtualAllocEx", lpUsedDefaultChar=0x0) returned 14 [0168.781] GetProcAddress (hModule=0x75d40000, lpProcName="VirtualAllocEx") returned 0x75d6d980 [0168.781] CoTaskMemFree (pv=0x6d2dc8) [0168.791] CoTaskMemAlloc (cb=0xd) returned 0x6d3760 [0168.791] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x21a3d4c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8 [0168.791] LoadLibraryA (lpLibFileName="kernel32") returned 0x75d40000 [0168.791] CoTaskMemFree (pv=0x6d3760) [0168.791] CoTaskMemAlloc (cb=0x17) returned 0x6d2e68 [0168.791] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="WriteProcessMemory", cchWideChar=18, lpMultiByteStr=0x21a3d84, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WriteProcessMemory", lpUsedDefaultChar=0x0) returned 18 [0168.791] GetProcAddress (hModule=0x75d40000, lpProcName="WriteProcessMemory") returned 0x75d6d9b0 [0168.792] CoTaskMemFree (pv=0x6d2e68) [0168.798] CoTaskMemAlloc (cb=0xa) returned 0x6d37a8 [0168.798] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ntdll", cchWideChar=5, lpMultiByteStr=0x21a401c, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ntdll", lpUsedDefaultChar=0x0) returned 5 [0168.798] LoadLibraryA (lpLibFileName="ntdll") returned 0x77040000 [0168.798] CoTaskMemFree (pv=0x6d37a8) [0168.798] CoTaskMemAlloc (cb=0x19) returned 0x6cd2e8 [0168.798] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ZwUnmapViewOfSection", cchWideChar=20, lpMultiByteStr=0x21a4048, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZwUnmapViewOfSection", lpUsedDefaultChar=0x0) returned 20 [0168.799] GetProcAddress (hModule=0x77040000, lpProcName="ZwUnmapViewOfSection") returned 0x7705fc70 [0168.799] CoTaskMemFree (pv=0x6cd2e8) [0168.805] CoTaskMemAlloc (cb=0xd) returned 0x6d37a8 [0168.805] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x21a42a4, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8 [0168.805] LoadLibraryA (lpLibFileName="kernel32") returned 0x75d40000 [0168.806] CoTaskMemFree (pv=0x6d37a8) [0168.806] CoTaskMemAlloc (cb=0x13) returned 0x6d2e68 [0168.806] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CreateProcessA", cchWideChar=14, lpMultiByteStr=0x21a42dc, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CreateProcessA", lpUsedDefaultChar=0x0) returned 14 [0168.806] GetProcAddress (hModule=0x75d40000, lpProcName="CreateProcessA") returned 0x75d51072 [0168.806] CoTaskMemFree (pv=0x6d2e68) [0168.820] CoTaskMemAlloc (cb=0xd) returned 0x6d37a8 [0168.820] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x21a44f4, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8 [0168.820] LoadLibraryA (lpLibFileName="kernel32") returned 0x75d40000 [0168.820] CoTaskMemFree (pv=0x6d37a8) [0168.820] CoTaskMemAlloc (cb=0x10) returned 0x6d37a8 [0168.821] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CloseHandle", cchWideChar=11, lpMultiByteStr=0x21a452c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CloseHandle", lpUsedDefaultChar=0x0) returned 11 [0168.821] GetProcAddress (hModule=0x75d40000, lpProcName="CloseHandle") returned 0x75d513f0 [0168.821] CoTaskMemFree (pv=0x6d37a8) [0168.826] CoTaskMemAlloc (cb=0xd) returned 0x6d37a8 [0168.826] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x21a478c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8 [0168.826] LoadLibraryA (lpLibFileName="kernel32") returned 0x75d40000 [0168.826] CoTaskMemFree (pv=0x6d37a8) [0168.826] CoTaskMemAlloc (cb=0x16) returned 0x6d2e68 [0168.826] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ReadProcessMemory", cchWideChar=17, lpMultiByteStr=0x21a47c4, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReadProcessMemory", lpUsedDefaultChar=0x0) returned 17 [0168.827] GetProcAddress (hModule=0x75d40000, lpProcName="ReadProcessMemory") returned 0x75d6cfa4 [0168.827] CoTaskMemFree (pv=0x6d2e68) [0169.046] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe", cchWideChar=76, lpMultiByteStr=0x3ce7f8, cbMultiByte=78, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe", lpUsedDefaultChar=0x0) returned 76 [0169.046] CreateProcessA (in: lpApplicationName=0x0, lpCommandLine="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000004, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x3ce87c*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3ce9b4 | out: lpCommandLine="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe", lpProcessInformation=0x3ce9b4*(hProcess=0x360, hThread=0x38c, dwProcessId=0xb2c, dwThreadId=0xb30)) returned 1 [0169.086] CoTaskMemFree (pv=0x0) [0169.086] CoTaskMemFree (pv=0x0) [0169.089] GetThreadContext (in: hThread=0x38c, lpContext=0x21825b4 | out: lpContext=0x21825b4*(ContextFlags=0x10002, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x7efde000, Edx=0x0, Ecx=0x0, Eax=0xecf3ae, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0169.122] EnumProcesses (in: lpidProcess=0x2182898, cb=0x8ca0, lpcbNeeded=0x3ce9f0 | out: lpidProcess=0x2182898, lpcbNeeded=0x3ce9f0) returned 1 [0169.142] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0169.146] GetWindowTextW (in: hWnd=0x0, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.146] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0169.147] GetWindowTextW (in: hWnd=0x0, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.147] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x108) returned 0x48 [0169.148] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.151] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.152] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.153] CoTaskMemFree (pv=0x48d2060) [0169.160] CloseHandle (hObject=0x48) returned 1 [0169.161] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.161] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x14c) returned 0x48 [0169.161] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.161] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.161] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.161] CoTaskMemFree (pv=0x48d2060) [0169.161] CloseHandle (hObject=0x48) returned 1 [0169.162] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.162] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x170) returned 0x48 [0169.162] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.162] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.162] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.162] CoTaskMemFree (pv=0x48d2060) [0169.162] CloseHandle (hObject=0x48) returned 1 [0169.162] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.163] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x17c) returned 0x48 [0169.163] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.163] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.163] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.163] CoTaskMemFree (pv=0x48d2060) [0169.163] CloseHandle (hObject=0x48) returned 1 [0169.163] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.163] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1a4) returned 0x48 [0169.163] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.164] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.164] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.164] CoTaskMemFree (pv=0x48d2060) [0169.164] CloseHandle (hObject=0x48) returned 1 [0169.164] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.164] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1d0) returned 0x48 [0169.164] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.165] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.165] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.165] CoTaskMemFree (pv=0x48d2060) [0169.165] CloseHandle (hObject=0x48) returned 1 [0169.165] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.165] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1d8) returned 0x48 [0169.165] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.165] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.165] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.166] CoTaskMemFree (pv=0x48d2060) [0169.166] CloseHandle (hObject=0x48) returned 1 [0169.166] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.166] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1e0) returned 0x48 [0169.166] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.166] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.166] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.167] CoTaskMemFree (pv=0x48d2060) [0169.167] CloseHandle (hObject=0x48) returned 1 [0169.167] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.167] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x248) returned 0x48 [0169.167] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.167] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.167] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.168] CoTaskMemFree (pv=0x48d2060) [0169.168] CloseHandle (hObject=0x48) returned 1 [0169.168] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.168] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x288) returned 0x48 [0169.168] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.168] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.168] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.168] CoTaskMemFree (pv=0x48d2060) [0169.168] CloseHandle (hObject=0x48) returned 1 [0169.168] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.169] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x2b8) returned 0x48 [0169.169] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.169] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.169] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.169] CoTaskMemFree (pv=0x48d2060) [0169.169] CloseHandle (hObject=0x48) returned 1 [0169.170] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.170] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x308) returned 0x48 [0169.170] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.170] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.170] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.170] CoTaskMemFree (pv=0x48d2060) [0169.170] CloseHandle (hObject=0x48) returned 1 [0169.170] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.170] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x334) returned 0x48 [0169.171] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.171] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.171] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.171] CoTaskMemFree (pv=0x48d2060) [0169.171] CloseHandle (hObject=0x48) returned 1 [0169.171] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.171] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x3ec) returned 0x48 [0169.171] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.171] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.171] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.172] CoTaskMemFree (pv=0x48d2060) [0169.172] CloseHandle (hObject=0x48) returned 1 [0169.172] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.172] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x330) returned 0x48 [0169.172] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.172] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.172] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.173] CoTaskMemFree (pv=0x48d2060) [0169.173] CloseHandle (hObject=0x48) returned 1 [0169.173] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.173] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x438) returned 0x48 [0169.173] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.173] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.173] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.173] CoTaskMemFree (pv=0x48d2060) [0169.174] CloseHandle (hObject=0x48) returned 1 [0169.174] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.174] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x448) returned 0x48 [0169.174] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.174] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.174] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.174] CoTaskMemFree (pv=0x48d2060) [0169.175] CloseHandle (hObject=0x48) returned 1 [0169.175] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.175] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x48c) returned 0x48 [0169.175] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.175] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.175] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.175] CoTaskMemFree (pv=0x48d2060) [0169.175] CloseHandle (hObject=0x48) returned 1 [0169.175] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.176] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x4b0) returned 0x48 [0169.176] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.176] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.176] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.176] CoTaskMemFree (pv=0x48d2060) [0169.176] CloseHandle (hObject=0x48) returned 1 [0169.176] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.176] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x4c8) returned 0x48 [0169.177] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.177] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.177] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.177] CoTaskMemFree (pv=0x48d2060) [0169.177] CloseHandle (hObject=0x48) returned 1 [0169.177] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.177] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x5c4) returned 0x48 [0169.177] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.178] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.178] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.178] CoTaskMemFree (pv=0x48d2060) [0169.178] CloseHandle (hObject=0x48) returned 1 [0169.178] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.178] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x7ec) returned 0x48 [0169.178] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.178] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.178] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.179] CoTaskMemFree (pv=0x48d2060) [0169.179] CloseHandle (hObject=0x48) returned 1 [0169.179] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.179] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x698) returned 0x48 [0169.179] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.179] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.179] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.180] CoTaskMemFree (pv=0x48d2060) [0169.180] CloseHandle (hObject=0x48) returned 1 [0169.180] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.180] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x6c8) returned 0x48 [0169.180] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.180] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.180] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.181] CoTaskMemFree (pv=0x48d2060) [0169.181] CloseHandle (hObject=0x48) returned 1 [0169.181] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.181] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x380) returned 0x48 [0169.181] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.182] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.182] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="iexplore.exe") returned 0xc [0169.183] CoTaskMemFree (pv=0x48d2060) [0169.183] CloseHandle (hObject=0x48) returned 1 [0169.183] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.183] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x788) returned 0x48 [0169.183] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.184] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.184] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="iexplore.exe") returned 0xc [0169.184] CoTaskMemFree (pv=0x48d2060) [0169.184] CloseHandle (hObject=0x48) returned 1 [0169.184] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.184] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x754) returned 0x48 [0169.184] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.185] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.185] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.185] CoTaskMemFree (pv=0x48d2060) [0169.185] CloseHandle (hObject=0x48) returned 1 [0169.185] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.185] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x970) returned 0x48 [0169.185] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.186] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.186] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="positive-if.exe") returned 0xf [0169.186] CoTaskMemFree (pv=0x48d2060) [0169.186] CloseHandle (hObject=0x48) returned 1 [0169.186] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.187] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x978) returned 0x48 [0169.187] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.187] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.187] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="author.exe") returned 0xa [0169.188] CoTaskMemFree (pv=0x48d2060) [0169.188] CloseHandle (hObject=0x48) returned 1 [0169.188] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.188] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x980) returned 0x48 [0169.188] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.189] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.189] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="here.exe") returned 0x8 [0169.189] CoTaskMemFree (pv=0x48d2060) [0169.189] CloseHandle (hObject=0x48) returned 1 [0169.189] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.189] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x988) returned 0x48 [0169.189] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.190] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.190] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="bag_between.exe") returned 0xf [0169.190] CoTaskMemFree (pv=0x48d2060) [0169.190] CloseHandle (hObject=0x48) returned 1 [0169.190] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.191] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x990) returned 0x48 [0169.191] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.191] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.191] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="eat.exe") returned 0x7 [0169.192] CoTaskMemFree (pv=0x48d2060) [0169.192] CloseHandle (hObject=0x48) returned 1 [0169.192] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.192] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x998) returned 0x48 [0169.192] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.193] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.193] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="sit_sing.exe") returned 0xc [0169.193] CoTaskMemFree (pv=0x48d2060) [0169.193] CloseHandle (hObject=0x48) returned 1 [0169.193] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.193] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x9a0) returned 0x48 [0169.193] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.194] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.194] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="professional six offer.exe") returned 0x1a [0169.194] CoTaskMemFree (pv=0x48d2060) [0169.194] CloseHandle (hObject=0x48) returned 1 [0169.194] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.194] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x9a8) returned 0x48 [0169.194] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.195] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.195] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="address body.exe") returned 0x10 [0169.196] CoTaskMemFree (pv=0x48d2060) [0169.196] CloseHandle (hObject=0x48) returned 1 [0169.196] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.196] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x9b0) returned 0x48 [0169.196] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.197] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.197] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="model.exe") returned 0x9 [0169.197] CoTaskMemFree (pv=0x48d2060) [0169.197] CloseHandle (hObject=0x48) returned 1 [0169.197] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.197] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x9b8) returned 0x48 [0169.197] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.198] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.198] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="when.exe") returned 0x8 [0169.198] CoTaskMemFree (pv=0x48d2060) [0169.198] CloseHandle (hObject=0x48) returned 1 [0169.198] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.199] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x9c0) returned 0x48 [0169.199] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.199] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.199] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="debate.exe") returned 0xa [0169.200] CoTaskMemFree (pv=0x48d2060) [0169.200] CloseHandle (hObject=0x48) returned 1 [0169.200] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.200] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x9c8) returned 0x48 [0169.200] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.200] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.200] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="school.exe") returned 0xa [0169.201] CoTaskMemFree (pv=0x48d2060) [0169.201] CloseHandle (hObject=0x48) returned 1 [0169.201] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.201] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x9d0) returned 0x48 [0169.201] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.202] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.202] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="make_agency.exe") returned 0xf [0169.202] CoTaskMemFree (pv=0x48d2060) [0169.202] CloseHandle (hObject=0x48) returned 1 [0169.202] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.202] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x9d8) returned 0x48 [0169.203] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.203] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.203] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="up_with_whether.exe") returned 0x13 [0169.204] CoTaskMemFree (pv=0x48d2060) [0169.204] CloseHandle (hObject=0x48) returned 1 [0169.204] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.204] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x9e0) returned 0x48 [0169.204] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.204] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.204] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="himself_easy_trip.exe") returned 0x15 [0169.205] CoTaskMemFree (pv=0x48d2060) [0169.205] CloseHandle (hObject=0x48) returned 1 [0169.205] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.205] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xa1c) returned 0x48 [0169.205] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.206] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.206] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="capital.exe") returned 0xb [0169.206] CoTaskMemFree (pv=0x48d2060) [0169.206] CloseHandle (hObject=0x48) returned 1 [0169.206] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.206] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xb80) returned 0x48 [0169.206] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.207] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.207] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="3dftp.exe") returned 0x9 [0169.207] CoTaskMemFree (pv=0x48d2060) [0169.207] CloseHandle (hObject=0x48) returned 1 [0169.208] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.208] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xb88) returned 0x48 [0169.208] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.208] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.208] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="absolutetelnet.exe") returned 0x12 [0169.209] CoTaskMemFree (pv=0x48d2060) [0169.209] CloseHandle (hObject=0x48) returned 1 [0169.209] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.209] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xb90) returned 0x48 [0169.209] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.210] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.210] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="alftp.exe") returned 0x9 [0169.210] CoTaskMemFree (pv=0x48d2060) [0169.210] CloseHandle (hObject=0x48) returned 1 [0169.210] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.210] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xb98) returned 0x48 [0169.210] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.211] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.211] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="barca.exe") returned 0x9 [0169.211] CoTaskMemFree (pv=0x48d2060) [0169.211] CloseHandle (hObject=0x48) returned 1 [0169.212] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.212] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xba0) returned 0x48 [0169.212] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.212] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.212] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="bitkinex.exe") returned 0xc [0169.213] CoTaskMemFree (pv=0x48d2060) [0169.213] CloseHandle (hObject=0x48) returned 1 [0169.213] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.213] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xba8) returned 0x48 [0169.213] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.214] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.214] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="coreftp.exe") returned 0xb [0169.214] CoTaskMemFree (pv=0x48d2060) [0169.214] CloseHandle (hObject=0x48) returned 1 [0169.214] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.214] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbb0) returned 0x48 [0169.214] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.215] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.215] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="far.exe") returned 0x7 [0169.215] CoTaskMemFree (pv=0x48d2060) [0169.215] CloseHandle (hObject=0x48) returned 1 [0169.215] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.215] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbb8) returned 0x48 [0169.215] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.216] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.216] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="filezilla.exe") returned 0xd [0169.216] CoTaskMemFree (pv=0x48d2060) [0169.217] CloseHandle (hObject=0x48) returned 1 [0169.217] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.217] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbc0) returned 0x48 [0169.217] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.217] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.217] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="flashfxp.exe") returned 0xc [0169.218] CoTaskMemFree (pv=0x48d2060) [0169.218] CloseHandle (hObject=0x48) returned 1 [0169.218] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.218] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbc8) returned 0x48 [0169.218] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.219] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.219] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="fling.exe") returned 0x9 [0169.219] CoTaskMemFree (pv=0x48d2060) [0169.219] CloseHandle (hObject=0x48) returned 1 [0169.219] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.219] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x428) returned 0x48 [0169.219] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.220] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.220] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="foxmailincmail.exe") returned 0x12 [0169.220] CoTaskMemFree (pv=0x48d2060) [0169.221] CloseHandle (hObject=0x48) returned 1 [0169.221] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.221] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x40c) returned 0x48 [0169.221] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.221] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.221] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="gmailnotifierpro.exe") returned 0x14 [0169.222] CoTaskMemFree (pv=0x48d2060) [0169.222] CloseHandle (hObject=0x48) returned 1 [0169.222] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.222] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x814) returned 0x48 [0169.222] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.223] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.223] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="icq.exe") returned 0x7 [0169.223] CoTaskMemFree (pv=0x48d2060) [0169.223] CloseHandle (hObject=0x48) returned 1 [0169.223] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.223] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x820) returned 0x48 [0169.223] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.224] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.224] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="leechftp.exe") returned 0xc [0169.224] CoTaskMemFree (pv=0x48d2060) [0169.224] CloseHandle (hObject=0x48) returned 1 [0169.224] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.225] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x570) returned 0x48 [0169.225] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.225] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.225] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="ncftp.exe") returned 0x9 [0169.226] CoTaskMemFree (pv=0x48d2060) [0169.226] CloseHandle (hObject=0x48) returned 1 [0169.226] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.226] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x83c) returned 0x48 [0169.226] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.227] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.227] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="notepad.exe") returned 0xb [0169.227] CoTaskMemFree (pv=0x48d2060) [0169.227] CloseHandle (hObject=0x48) returned 1 [0169.227] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.227] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x7dc) returned 0x48 [0169.227] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.228] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.228] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="operamail.exe") returned 0xd [0169.228] CoTaskMemFree (pv=0x48d2060) [0169.228] CloseHandle (hObject=0x48) returned 1 [0169.228] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.228] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x86c) returned 0x48 [0169.228] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.229] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.229] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="outlook.exe") returned 0xb [0169.229] CoTaskMemFree (pv=0x48d2060) [0169.229] CloseHandle (hObject=0x48) returned 1 [0169.230] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.230] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x884) returned 0x48 [0169.230] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.230] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.230] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="pidgin.exe") returned 0xa [0169.231] CoTaskMemFree (pv=0x48d2060) [0169.231] CloseHandle (hObject=0x48) returned 1 [0169.231] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.231] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x388) returned 0x48 [0169.231] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.231] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.232] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="scriptftp.exe") returned 0xd [0169.232] CoTaskMemFree (pv=0x48d2060) [0169.232] CloseHandle (hObject=0x48) returned 1 [0169.232] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.232] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x430) returned 0x48 [0169.232] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.233] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.233] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="skype.exe") returned 0x9 [0169.233] CoTaskMemFree (pv=0x48d2060) [0169.233] CloseHandle (hObject=0x48) returned 1 [0169.234] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.234] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x7b0) returned 0x48 [0169.234] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.234] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.234] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="smartftp.exe") returned 0xc [0169.235] CoTaskMemFree (pv=0x48d2060) [0169.235] CloseHandle (hObject=0x48) returned 1 [0169.235] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.235] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x94) returned 0x48 [0169.235] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.235] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.235] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="thunderbird.exe") returned 0xf [0169.236] CoTaskMemFree (pv=0x48d2060) [0169.236] CloseHandle (hObject=0x48) returned 1 [0169.236] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.236] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x8bc) returned 0x48 [0169.236] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.237] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.237] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="trillian.exe") returned 0xc [0169.237] CoTaskMemFree (pv=0x48d2060) [0169.237] CloseHandle (hObject=0x48) returned 1 [0169.237] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.237] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x878) returned 0x48 [0169.237] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.239] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.239] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="webdrive.exe") returned 0xc [0169.239] CoTaskMemFree (pv=0x48d2060) [0169.239] CloseHandle (hObject=0x48) returned 1 [0169.240] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.240] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x930) returned 0x48 [0169.240] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.240] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.240] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="whatsapp.exe") returned 0xc [0169.241] CoTaskMemFree (pv=0x48d2060) [0169.241] CloseHandle (hObject=0x48) returned 1 [0169.241] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.241] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x938) returned 0x48 [0169.241] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.241] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.242] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="winscp.exe") returned 0xa [0169.242] CoTaskMemFree (pv=0x48d2060) [0169.242] CloseHandle (hObject=0x48) returned 1 [0169.242] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.242] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x940) returned 0x48 [0169.242] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.243] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.243] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="yahoomessenger.exe") returned 0x12 [0169.243] CoTaskMemFree (pv=0x48d2060) [0169.243] CloseHandle (hObject=0x48) returned 1 [0169.244] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.244] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x948) returned 0x48 [0169.244] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.244] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.244] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="active-charge.exe") returned 0x11 [0169.245] CoTaskMemFree (pv=0x48d2060) [0169.245] CloseHandle (hObject=0x48) returned 1 [0169.245] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.245] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x96c) returned 0x48 [0169.245] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.245] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.245] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="utg2.exe") returned 0x8 [0169.246] CoTaskMemFree (pv=0x48d2060) [0169.246] CloseHandle (hObject=0x48) returned 1 [0169.246] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.246] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xa78) returned 0x48 [0169.246] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.247] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.247] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="spgagentservice.exe") returned 0x13 [0169.247] CoTaskMemFree (pv=0x48d2060) [0169.247] CloseHandle (hObject=0x48) returned 1 [0169.247] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.247] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xa80) returned 0x48 [0169.247] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.248] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.248] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="spcwin.exe") returned 0xa [0169.248] CoTaskMemFree (pv=0x48d2060) [0169.248] CloseHandle (hObject=0x48) returned 1 [0169.248] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.249] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xa88) returned 0x48 [0169.249] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.249] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.249] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="omnipos.exe") returned 0xb [0169.250] CoTaskMemFree (pv=0x48d2060) [0169.250] CloseHandle (hObject=0x48) returned 1 [0169.250] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.250] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xa90) returned 0x48 [0169.250] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.251] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.251] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="mxslipstream.exe") returned 0x10 [0169.251] CoTaskMemFree (pv=0x48d2060) [0169.251] CloseHandle (hObject=0x48) returned 1 [0169.251] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.251] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xa98) returned 0x48 [0169.251] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.252] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.252] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="isspos.exe") returned 0xa [0169.252] CoTaskMemFree (pv=0x48d2060) [0169.252] CloseHandle (hObject=0x48) returned 1 [0169.252] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.252] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x8e4) returned 0x48 [0169.253] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.253] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.253] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="fpos.exe") returned 0x8 [0169.254] CoTaskMemFree (pv=0x48d2060) [0169.254] CloseHandle (hObject=0x48) returned 1 [0169.254] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.254] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x834) returned 0x48 [0169.254] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.254] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.254] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="edcsvr.exe") returned 0xa [0169.255] CoTaskMemFree (pv=0x48d2060) [0169.255] CloseHandle (hObject=0x48) returned 1 [0169.255] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.255] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xc08) returned 0x48 [0169.255] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.256] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.256] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="creditservice.exe") returned 0x11 [0169.256] CoTaskMemFree (pv=0x48d2060) [0169.256] CloseHandle (hObject=0x48) returned 1 [0169.256] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.256] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xc10) returned 0x48 [0169.256] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.257] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.257] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="centralcreditcard.exe") returned 0x15 [0169.257] CoTaskMemFree (pv=0x48d2060) [0169.257] CloseHandle (hObject=0x48) returned 1 [0169.257] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.258] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xc18) returned 0x48 [0169.258] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.258] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.258] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="ccv_server.exe") returned 0xe [0169.259] CoTaskMemFree (pv=0x48d2060) [0169.259] CloseHandle (hObject=0x48) returned 1 [0169.259] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.259] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xc20) returned 0x48 [0169.259] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.259] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.259] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="aldelo.exe") returned 0xa [0169.260] CoTaskMemFree (pv=0x48d2060) [0169.260] CloseHandle (hObject=0x48) returned 1 [0169.260] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.260] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xc28) returned 0x48 [0169.260] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.261] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.261] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="afr38.exe") returned 0x9 [0169.261] CoTaskMemFree (pv=0x48d2060) [0169.261] CloseHandle (hObject=0x48) returned 1 [0169.261] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.261] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xc30) returned 0x48 [0169.261] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.262] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.262] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="accupos.exe") returned 0xb [0169.262] CoTaskMemFree (pv=0x48d2060) [0169.262] CloseHandle (hObject=0x48) returned 1 [0169.262] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.262] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xc54) returned 0x48 [0169.263] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.263] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.263] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="my girl stuff.exe") returned 0x11 [0169.263] CoTaskMemFree (pv=0x48d2060) [0169.263] CloseHandle (hObject=0x48) returned 1 [0169.264] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.264] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xc5c) returned 0x48 [0169.264] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.264] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.264] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="decade-do-enough.exe") returned 0x14 [0169.265] CoTaskMemFree (pv=0x48d2060) [0169.265] CloseHandle (hObject=0x48) returned 1 [0169.265] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.265] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xc80) returned 0x48 [0169.265] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.265] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.265] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.266] CoTaskMemFree (pv=0x48d2060) [0169.266] CloseHandle (hObject=0x48) returned 1 [0169.266] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.266] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xdd4) returned 0x0 [0169.266] GetWindowTextW (in: hWnd=0x0, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.266] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe58) returned 0x48 [0169.266] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.266] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.266] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="Revised Proforma Invoice_New order.exe") returned 0x26 [0169.267] CoTaskMemFree (pv=0x48d2060) [0169.267] CloseHandle (hObject=0x48) returned 1 [0169.267] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.267] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe60) returned 0x48 [0169.267] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.267] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.267] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.267] CoTaskMemFree (pv=0x48d2060) [0169.267] CloseHandle (hObject=0x48) returned 1 [0169.267] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.268] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xb2c) returned 0x48 [0169.268] EnumProcessModules (in: hProcess=0x48, lphModule=0x0, cb=0x4, lpcbNeeded=0x3ce9dc | out: lphModule=0x0, lpcbNeeded=0x3ce9dc) returned 0 [0169.268] CoTaskMemAlloc (cb=0x108) returned 0x48d2060 [0169.268] GetModuleBaseNameA (in: hProcess=0x48, hModule=0x0, lpBaseName=0x48d2060, nSize=0x104 | out: lpBaseName="?") returned 0x0 [0169.268] CoTaskMemFree (pv=0x48d2060) [0169.268] CloseHandle (hObject=0x48) returned 1 [0169.268] GetWindowTextW (in: hWnd=0x48, lpString=0x3ce86c, nMaxCount=51 | out: lpString="") returned 0 [0169.268] ReadProcessMemory (in: hProcess=0x360, lpBaseAddress=0x7efde008, lpBuffer=0x3ce9b0, nSize=0x4, lpNumberOfBytesRead=0x3cea48 | out: lpBuffer=0x3ce9b0*, lpNumberOfBytesRead=0x3cea48*=0x4) returned 1 [0169.280] VirtualAllocEx (hProcess=0x360, lpAddress=0x400000, dwSize=0x3c000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0169.282] WriteProcessMemory (in: hProcess=0x360, lpBaseAddress=0x400000, lpBuffer=0x31ed5a0*, nSize=0x200, lpNumberOfBytesWritten=0x3cea48 | out: lpBuffer=0x31ed5a0*, lpNumberOfBytesWritten=0x3cea48*=0x200) returned 1 [0169.301] WriteProcessMemory (in: hProcess=0x360, lpBaseAddress=0x402000, lpBuffer=0x3175560*, nSize=0x35800, lpNumberOfBytesWritten=0x3cea48 | out: lpBuffer=0x3175560*, lpNumberOfBytesWritten=0x3cea48*=0x35800) returned 1 [0169.347] WriteProcessMemory (in: hProcess=0x360, lpBaseAddress=0x438000, lpBuffer=0x21aaa84*, nSize=0x600, lpNumberOfBytesWritten=0x3cea48 | out: lpBuffer=0x21aaa84*, lpNumberOfBytesWritten=0x3cea48*=0x600) returned 1 [0169.352] WriteProcessMemory (in: hProcess=0x360, lpBaseAddress=0x43a000, lpBuffer=0x21ab090*, nSize=0x200, lpNumberOfBytesWritten=0x3cea48 | out: lpBuffer=0x21ab090*, lpNumberOfBytesWritten=0x3cea48*=0x200) returned 1 [0169.398] EnumChildWindows (hWndParent=0x0, lpEnumFunc=0x7307e6, lParam=0x0) returned 1 [0169.406] WriteProcessMemory (in: hProcess=0x360, lpBaseAddress=0x7efde008, lpBuffer=0x21b1934*, nSize=0x4, lpNumberOfBytesWritten=0x3cea48 | out: lpBuffer=0x21b1934*, lpNumberOfBytesWritten=0x3cea48*=0x4) returned 1 [0169.408] SetThreadContext (hThread=0x38c, lpContext=0x21825b4*(ContextFlags=0x10002, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x7efde000, Edx=0x0, Ecx=0x0, Eax=0x43764e, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0169.410] ResumeThread (hThread=0x38c) returned 0x1 [0169.490] CoGetContextToken (in: pToken=0x3ce7d0 | out: pToken=0x3ce7d0) returned 0x0 [0169.490] CObjectContext::QueryInterface () returned 0x0 [0169.490] CObjectContext::GetCurrentThreadType () returned 0x0 [0169.490] Release () returned 0x0 [0169.491] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x13880, cHandles=0x1, pHandles=0x647c70*=0xb4, lpdwindex=0x3ce67c | out: lpdwindex=0x3ce67c) returned 0x0 Thread: id = 2 os_tid = 0xe70 Thread: id = 3 os_tid = 0xe74 [0053.316] CoGetContextToken (in: pToken=0x43ef5fc | out: pToken=0x43ef5fc) returned 0x800401f0 [0053.316] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0168.982] CloseHandle (hObject=0x390) returned 1 [0168.983] CloseHandle (hObject=0x360) returned 1 [0168.983] CloseHandle (hObject=0x38c) returned 1 [0169.532] EtwEventUnregister () returned 0x0 Thread: id = 4 os_tid = 0xe80 Thread: id = 5 os_tid = 0xe8c Thread: id = 6 os_tid = 0xe90 Thread: id = 8 os_tid = 0xe9c Thread: id = 9 os_tid = 0xeb0 Thread: id = 30 os_tid = 0xf10 Thread: id = 51 os_tid = 0xf90 Thread: id = 71 os_tid = 0xb20 Thread: id = 73 os_tid = 0xb34 Process: id = "2" image_name = "powershell.exe" filename = "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe" page_root = "0x3d269000" os_pid = "0xe94" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xe58" cmd_line = "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" Start-Sleep -s 5" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e95f" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 409 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 410 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 411 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 412 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 413 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 414 start_va = 0x160000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 415 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 416 start_va = 0xb40000 end_va = 0xbaafff monitored = 0 entry_point = 0xb4d330 region_type = mapped_file name = "powershell.exe" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe") Region: id = 417 start_va = 0x76e60000 end_va = 0x77008fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 418 start_va = 0x77040000 end_va = 0x771bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 419 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 420 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 421 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 422 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 423 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 424 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 425 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 429 start_va = 0x3c0000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 430 start_va = 0x748b0000 end_va = 0x748b7fff monitored = 0 entry_point = 0x748b20f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 431 start_va = 0x748c0000 end_va = 0x7491bfff monitored = 0 entry_point = 0x748ff9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 432 start_va = 0x74920000 end_va = 0x7495efff monitored = 0 entry_point = 0x7494e088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 433 start_va = 0x76c40000 end_va = 0x76d5efff monitored = 0 entry_point = 0x76c55340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 434 start_va = 0x75d40000 end_va = 0x75e4ffff monitored = 0 entry_point = 0x75d53283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 435 start_va = 0x76c40000 end_va = 0x76d5efff monitored = 0 entry_point = 0x76c55340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 436 start_va = 0x76c40000 end_va = 0x76d5efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000076c40000" filename = "" Region: id = 437 start_va = 0x76d60000 end_va = 0x76e59fff monitored = 0 entry_point = 0x76d7a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 438 start_va = 0x76d60000 end_va = 0x76e59fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000076d60000" filename = "" Region: id = 439 start_va = 0x440000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 440 start_va = 0x75d40000 end_va = 0x75e4ffff monitored = 0 entry_point = 0x75d53283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 441 start_va = 0x75150000 end_va = 0x75196fff monitored = 0 entry_point = 0x751574c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 442 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 443 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 444 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 453 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 454 start_va = 0x70000 end_va = 0xd6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 455 start_va = 0x75ca0000 end_va = 0x75d3ffff monitored = 0 entry_point = 0x75cb49e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 456 start_va = 0x74cf0000 end_va = 0x74d9bfff monitored = 0 entry_point = 0x74cfa472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 457 start_va = 0x753d0000 end_va = 0x753e8fff monitored = 0 entry_point = 0x753d4975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 458 start_va = 0x75710000 end_va = 0x757fffff monitored = 0 entry_point = 0x75720569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 459 start_va = 0x74b90000 end_va = 0x74beffff monitored = 0 entry_point = 0x74baa3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 460 start_va = 0x74b80000 end_va = 0x74b8bfff monitored = 0 entry_point = 0x74b810e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 461 start_va = 0x72390000 end_va = 0x723a3fff monitored = 0 entry_point = 0x72391da9 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll") Region: id = 462 start_va = 0x75b00000 end_va = 0x75bfffff monitored = 0 entry_point = 0x75b1b6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 463 start_va = 0x74e80000 end_va = 0x74f0ffff monitored = 0 entry_point = 0x74e96343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 464 start_va = 0x77010000 end_va = 0x77019fff monitored = 0 entry_point = 0x770136a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 465 start_va = 0x74bf0000 end_va = 0x74c8cfff monitored = 0 entry_point = 0x74c23fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 466 start_va = 0x75270000 end_va = 0x753cbfff monitored = 0 entry_point = 0x752bba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 467 start_va = 0x758a0000 end_va = 0x7592efff monitored = 0 entry_point = 0x758a3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 468 start_va = 0x74a20000 end_va = 0x74a69fff monitored = 1 entry_point = 0x74a22e54 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll") Region: id = 469 start_va = 0x200000 end_va = 0x31ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 470 start_va = 0xe0000 end_va = 0xfdfff monitored = 0 entry_point = 0xf158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 471 start_va = 0x440000 end_va = 0x5c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 472 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 473 start_va = 0xe0000 end_va = 0xfdfff monitored = 0 entry_point = 0xf158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 474 start_va = 0x75c40000 end_va = 0x75c9ffff monitored = 0 entry_point = 0x75c5158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 475 start_va = 0x751a0000 end_va = 0x7526bfff monitored = 0 entry_point = 0x751a168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 476 start_va = 0x700000 end_va = 0x880fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 477 start_va = 0xbb0000 end_va = 0x1faffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bb0000" filename = "" Region: id = 478 start_va = 0x30000 end_va = 0x32fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershell.exe.mui" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\powershell.exe.mui" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\en-us\\powershell.exe.mui") Region: id = 479 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 480 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 481 start_va = 0x200000 end_va = 0x29ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 482 start_va = 0x310000 end_va = 0x31ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 483 start_va = 0x890000 end_va = 0x9effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 484 start_va = 0x74990000 end_va = 0x74a1cfff monitored = 1 entry_point = 0x749a2860 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll") Region: id = 485 start_va = 0x72bf0000 end_va = 0x72bf2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\SysWOW64\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\syswow64\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 486 start_va = 0x74c90000 end_va = 0x74ce6fff monitored = 0 entry_point = 0x74ca9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 487 start_va = 0x73b80000 end_va = 0x73b88fff monitored = 0 entry_point = 0x73b81220 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 488 start_va = 0x712b0000 end_va = 0x71a5efff monitored = 1 entry_point = 0x712cd0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 489 start_va = 0x712b0000 end_va = 0x71a5efff monitored = 1 entry_point = 0x712cd0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 490 start_va = 0x712b0000 end_va = 0x71a5efff monitored = 1 entry_point = 0x712cd0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 491 start_va = 0x74970000 end_va = 0x74983fff monitored = 0 entry_point = 0x7497ac00 region_type = mapped_file name = "vcruntime140_clr0400.dll" filename = "\\Windows\\SysWOW64\\vcruntime140_clr0400.dll" (normalized: "c:\\windows\\syswow64\\vcruntime140_clr0400.dll") Region: id = 492 start_va = 0x723b0000 end_va = 0x7245afff monitored = 0 entry_point = 0x72445f20 region_type = mapped_file name = "ucrtbase_clr0400.dll" filename = "\\Windows\\SysWOW64\\ucrtbase_clr0400.dll" (normalized: "c:\\windows\\syswow64\\ucrtbase_clr0400.dll") Region: id = 493 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 494 start_va = 0x110000 end_va = 0x11ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 495 start_va = 0x120000 end_va = 0x12ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 496 start_va = 0x130000 end_va = 0x13ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 497 start_va = 0x140000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 498 start_va = 0x150000 end_va = 0x15ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 499 start_va = 0x1a0000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 500 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 501 start_va = 0x200000 end_va = 0x200fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 502 start_va = 0x290000 end_va = 0x29ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 503 start_va = 0x1fb0000 end_va = 0x213ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fb0000" filename = "" Region: id = 504 start_va = 0x2140000 end_va = 0x22affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002140000" filename = "" Region: id = 505 start_va = 0x920000 end_va = 0x95ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 506 start_va = 0x970000 end_va = 0x9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 507 start_va = 0x9b0000 end_va = 0x9effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 508 start_va = 0x7efd8000 end_va = 0x7efdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 509 start_va = 0x210000 end_va = 0x21ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 510 start_va = 0x22b0000 end_va = 0x42affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022b0000" filename = "" Region: id = 511 start_va = 0x210000 end_va = 0x22ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 512 start_va = 0x2a0000 end_va = 0x2dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 513 start_va = 0xa80000 end_va = 0xabffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 514 start_va = 0x7efd5000 end_va = 0x7efd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 515 start_va = 0x340000 end_va = 0x37ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 516 start_va = 0xa40000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 517 start_va = 0x7efad000 end_va = 0x7efaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 518 start_va = 0x42b0000 end_va = 0x457efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 519 start_va = 0x6fea0000 end_va = 0x712aafff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\36eaccfde177c2e7b93b8dbdde4e012a\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\36eaccfde177c2e7b93b8dbdde4e012a\\mscorlib.ni.dll") Region: id = 520 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 521 start_va = 0x890000 end_va = 0x8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 522 start_va = 0x240000 end_va = 0x24ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 523 start_va = 0x6f440000 end_va = 0x6fe94fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\2c3c912ea8f058f9d04c4650128feb3f\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\2c3c912ea8f058f9d04c4650128feb3f\\system.ni.dll") Region: id = 524 start_va = 0x6ec20000 end_va = 0x6f437fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.core.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\31fae3290fad30c31c98651462d22724\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.core\\31fae3290fad30c31c98651462d22724\\system.core.ni.dll") Region: id = 525 start_va = 0x720f0000 end_va = 0x7217efff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.consolehost.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.Pb378ec07#\\731848746c032af3ce33577b793c9b9c\\Microsoft.PowerShell.ConsoleHost.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.pb378ec07#\\731848746c032af3ce33577b793c9b9c\\microsoft.powershell.consolehost.ni.dll") Region: id = 526 start_va = 0x73950000 end_va = 0x73966fff monitored = 0 entry_point = 0x73953573 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 527 start_va = 0x250000 end_va = 0x28bfff monitored = 0 entry_point = 0x25128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 528 start_va = 0x250000 end_va = 0x28bfff monitored = 0 entry_point = 0x25128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 529 start_va = 0x250000 end_va = 0x28bfff monitored = 0 entry_point = 0x25128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 530 start_va = 0x250000 end_va = 0x28bfff monitored = 0 entry_point = 0x25128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 531 start_va = 0x250000 end_va = 0x28bfff monitored = 0 entry_point = 0x25128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 532 start_va = 0x73910000 end_va = 0x7394afff monitored = 0 entry_point = 0x7391128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 533 start_va = 0x6d130000 end_va = 0x6ec12fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.management.automation.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Manaa57fc8cc#\\a68aa6199c81feadf8c95a4ea0254b2c\\System.Management.Automation.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.manaa57fc8cc#\\a68aa6199c81feadf8c95a4ea0254b2c\\system.management.automation.ni.dll") Region: id = 534 start_va = 0xac0000 end_va = 0xb21fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorrc.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscorrc.dll") Region: id = 535 start_va = 0x380000 end_va = 0x3bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 536 start_va = 0x2000000 end_va = 0x203ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 537 start_va = 0x2060000 end_va = 0x209ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 538 start_va = 0x2100000 end_va = 0x213ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002100000" filename = "" Region: id = 539 start_va = 0x21d0000 end_va = 0x220ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021d0000" filename = "" Region: id = 540 start_va = 0x2270000 end_va = 0x22affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002270000" filename = "" Region: id = 541 start_va = 0x7efa7000 end_va = 0x7efa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 542 start_va = 0x7efaa000 end_va = 0x7efacfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 543 start_va = 0x72370000 end_va = 0x72382fff monitored = 1 entry_point = 0x7237d900 region_type = mapped_file name = "nlssorting.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\nlssorting.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\nlssorting.dll") Region: id = 544 start_va = 0x4580000 end_va = 0x4851fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nlp" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\sortdefault.nlp" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\sortdefault.nlp") Region: id = 545 start_va = 0x6ca20000 end_va = 0x6d12bfff monitored = 1 entry_point = 0x6d03f392 region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\system.management.automation\\v4.0_3.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 546 start_va = 0x4860000 end_va = 0x491ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 547 start_va = 0x6c310000 end_va = 0x6ca1bfff monitored = 1 entry_point = 0x6c92f392 region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\system.management.automation\\v4.0_3.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 548 start_va = 0x4920000 end_va = 0x49dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 549 start_va = 0x75800000 end_va = 0x75804fff monitored = 0 entry_point = 0x75801438 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 550 start_va = 0x75ff0000 end_va = 0x76c39fff monitored = 0 entry_point = 0x76071601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 551 start_va = 0x250000 end_va = 0x250fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 552 start_va = 0x74f10000 end_va = 0x74f3efff monitored = 0 entry_point = 0x74f12a35 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\SysWOW64\\wintrust.dll" (normalized: "c:\\windows\\syswow64\\wintrust.dll") Region: id = 553 start_va = 0x74fc0000 end_va = 0x750e0fff monitored = 0 entry_point = 0x74fc158e region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 554 start_va = 0x75810000 end_va = 0x7581bfff monitored = 0 entry_point = 0x7581238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 555 start_va = 0x260000 end_va = 0x267fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 556 start_va = 0x4a00000 end_va = 0x4a3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a00000" filename = "" Region: id = 557 start_va = 0x4a60000 end_va = 0x4a9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a60000" filename = "" Region: id = 558 start_va = 0x7efa4000 end_va = 0x7efa6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa4000" filename = "" Region: id = 559 start_va = 0x72480000 end_va = 0x72487fff monitored = 0 entry_point = 0x72483bf5 region_type = mapped_file name = "msisip.dll" filename = "\\Windows\\SysWOW64\\msisip.dll" (normalized: "c:\\windows\\syswow64\\msisip.dll") Region: id = 560 start_va = 0x4aa0000 end_va = 0x4e9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 561 start_va = 0x270000 end_va = 0x277fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 562 start_va = 0x4aa0000 end_va = 0x4e9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 563 start_va = 0x1fc0000 end_va = 0x1ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fc0000" filename = "" Region: id = 564 start_va = 0x20b0000 end_va = 0x20effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020b0000" filename = "" Region: id = 565 start_va = 0x72350000 end_va = 0x72365fff monitored = 0 entry_point = 0x723513df region_type = mapped_file name = "wshext.dll" filename = "\\Windows\\SysWOW64\\wshext.dll" (normalized: "c:\\windows\\syswow64\\wshext.dll") Region: id = 566 start_va = 0x7efa1000 end_va = 0x7efa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa1000" filename = "" Region: id = 567 start_va = 0x4ad0000 end_va = 0x4b0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004ad0000" filename = "" Region: id = 568 start_va = 0x4ba0000 end_va = 0x4bdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004ba0000" filename = "" Region: id = 569 start_va = 0x7ef9e000 end_va = 0x7efa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef9e000" filename = "" Region: id = 570 start_va = 0x72060000 end_va = 0x720e3fff monitored = 0 entry_point = 0x720619a9 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll") Region: id = 571 start_va = 0x2e0000 end_va = 0x30ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 572 start_va = 0x72050000 end_va = 0x72059fff monitored = 0 entry_point = 0x72054ab0 region_type = mapped_file name = "pwrshsip.dll" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\pwrshsip.dll" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\pwrshsip.dll") Region: id = 573 start_va = 0x4be0000 end_va = 0x4cdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004be0000" filename = "" Region: id = 574 start_va = 0x260000 end_va = 0x26ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 575 start_va = 0x270000 end_va = 0x270fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 576 start_va = 0x280000 end_va = 0x286fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 577 start_va = 0x270000 end_va = 0x270fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 578 start_va = 0x280000 end_va = 0x286fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 579 start_va = 0x270000 end_va = 0x270fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 580 start_va = 0x270000 end_va = 0x276fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 581 start_va = 0x270000 end_va = 0x270fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 582 start_va = 0x270000 end_va = 0x276fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 583 start_va = 0x270000 end_va = 0x270fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 584 start_va = 0x270000 end_va = 0x276fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 585 start_va = 0xa00000 end_va = 0xa3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 586 start_va = 0x48e0000 end_va = 0x491ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000048e0000" filename = "" Region: id = 587 start_va = 0x4b40000 end_va = 0x4b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b40000" filename = "" Region: id = 588 start_va = 0x4cf0000 end_va = 0x4d2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004cf0000" filename = "" Region: id = 589 start_va = 0x7ef98000 end_va = 0x7ef9afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef98000" filename = "" Region: id = 590 start_va = 0x7ef9b000 end_va = 0x7ef9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef9b000" filename = "" Region: id = 591 start_va = 0x6c910000 end_va = 0x6d129fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.data.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Data\\df2dd09ed7c341842a104e1e668f184e\\System.Data.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.data\\df2dd09ed7c341842a104e1e668f184e\\system.data.ni.dll") Region: id = 592 start_va = 0x71b50000 end_va = 0x71ea3fff monitored = 1 entry_point = 0x71e87a72 region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 593 start_va = 0x74da0000 end_va = 0x74dd4fff monitored = 0 entry_point = 0x74da145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 594 start_va = 0x75c30000 end_va = 0x75c35fff monitored = 0 entry_point = 0x75c31782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 595 start_va = 0x4d30000 end_va = 0x5080fff monitored = 1 entry_point = 0x5067a72 region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 596 start_va = 0x4d30000 end_va = 0x5080fff monitored = 1 entry_point = 0x5067a72 region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 597 start_va = 0x4d30000 end_va = 0x5080fff monitored = 1 entry_point = 0x5067a72 region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 598 start_va = 0x4d30000 end_va = 0x5080fff monitored = 1 entry_point = 0x5067a72 region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 599 start_va = 0x270000 end_va = 0x27ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 600 start_va = 0x6c190000 end_va = 0x6c903fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.xml.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Xml\\15af16d373cf0528cb74fc73d365fdbf\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.xml\\15af16d373cf0528cb74fc73d365fdbf\\system.xml.ni.dll") Region: id = 601 start_va = 0x6c060000 end_va = 0x6c18ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Management\\e114780fd3ea5727401c06ea4f22ef35\\System.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.management\\e114780fd3ea5727401c06ea4f22ef35\\system.management.ni.dll") Region: id = 604 start_va = 0x6bf30000 end_va = 0x6c05bfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.directoryservices.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Dired13b18a9#\\2e76676fbd265f70be92c82bbf76b8e5\\System.DirectoryServices.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.dired13b18a9#\\2e76676fbd265f70be92c82bbf76b8e5\\system.directoryservices.ni.dll") Region: id = 605 start_va = 0x74960000 end_va = 0x74962fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-xstate-l2-1-0.dll" filename = "\\Windows\\SysWOW64\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\windows\\syswow64\\api-ms-win-core-xstate-l2-1-0.dll") Region: id = 606 start_va = 0x72180000 end_va = 0x72208fff monitored = 1 entry_point = 0x72181130 region_type = mapped_file name = "clrjit.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clrjit.dll") Region: id = 607 start_va = 0x280000 end_va = 0x28ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 608 start_va = 0x2e0000 end_va = 0x2effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 609 start_va = 0x300000 end_va = 0x30ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 610 start_va = 0x71af0000 end_va = 0x71b43fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.security.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.P6f792626#\\fbf36f7901fec6a367af3bc05a96b929\\Microsoft.PowerShell.Security.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.p6f792626#\\fbf36f7901fec6a367af3bc05a96b929\\microsoft.powershell.security.ni.dll") Region: id = 611 start_va = 0x2170000 end_va = 0x21affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002170000" filename = "" Region: id = 612 start_va = 0x4d40000 end_va = 0x4d7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004d40000" filename = "" Region: id = 613 start_va = 0x7efa7000 end_va = 0x7efa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 614 start_va = 0x6be70000 end_va = 0x6bf27fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.transactions.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Transactions\\3d760b4a3260a41ef84a3fd866780980\\System.Transactions.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.transactions\\3d760b4a3260a41ef84a3fd866780980\\system.transactions.ni.dll") Region: id = 615 start_va = 0x71aa0000 end_va = 0x71aebfff monitored = 1 entry_point = 0x71abfcc6 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 616 start_va = 0x2000000 end_va = 0x204bfff monitored = 1 entry_point = 0x201fcc6 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 617 start_va = 0x2000000 end_va = 0x204bfff monitored = 1 entry_point = 0x201fcc6 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 618 start_va = 0x2000000 end_va = 0x204bfff monitored = 1 entry_point = 0x201fcc6 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 619 start_va = 0x2000000 end_va = 0x204bfff monitored = 1 entry_point = 0x201fcc6 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 620 start_va = 0x72040000 end_va = 0x72047fff monitored = 0 entry_point = 0x720410e9 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 621 start_va = 0x71f30000 end_va = 0x72034fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.configuration.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Configuration\\96f7edb07b12303f0ec2595c7f3778c7\\System.Configuration.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.configuration\\96f7edb07b12303f0ec2595c7f3778c7\\system.configuration.ni.dll") Region: id = 622 start_va = 0x4860000 end_va = 0x48dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004860000" filename = "" Region: id = 623 start_va = 0x2020000 end_va = 0x205ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002020000" filename = "" Region: id = 624 start_va = 0x4e30000 end_va = 0x4e6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004e30000" filename = "" Region: id = 625 start_va = 0x7ef95000 end_va = 0x7ef97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef95000" filename = "" Region: id = 626 start_va = 0x71eb0000 end_va = 0x71f2ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.management.infrastructure.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.Mf49f6405#\\e3134541fd9904dc895922f5256ef8f3\\Microsoft.Management.Infrastructure.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.mf49f6405#\\e3134541fd9904dc895922f5256ef8f3\\microsoft.management.infrastructure.ni.dll") Region: id = 627 start_va = 0x4e70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004e70000" filename = "" Region: id = 628 start_va = 0x6be20000 end_va = 0x6be66fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.numerics.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Numerics\\e7d6ed984300c7212c6e682c4f730b1e\\System.Numerics.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.numerics\\e7d6ed984300c7212c6e682c4f730b1e\\system.numerics.ni.dll") Region: id = 629 start_va = 0x2f0000 end_va = 0x2fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 630 start_va = 0x320000 end_va = 0x32ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 631 start_va = 0x330000 end_va = 0x33ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 632 start_va = 0x380000 end_va = 0x38ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 633 start_va = 0x390000 end_va = 0x39ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 634 start_va = 0x3a0000 end_va = 0x3affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 635 start_va = 0x3b0000 end_va = 0x3bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 636 start_va = 0x5d0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 637 start_va = 0x5e0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 638 start_va = 0x5f0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 639 start_va = 0x890000 end_va = 0x89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 640 start_va = 0x8c0000 end_va = 0x8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 641 start_va = 0x8a0000 end_va = 0x8affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 642 start_va = 0x8b0000 end_va = 0x8bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 643 start_va = 0x6bc80000 end_va = 0x6be17fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.csharp.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.CSharp\\f73f48afb5512225dedaee9c88ac5050\\Microsoft.CSharp.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.csharp\\f73f48afb5512225dedaee9c88ac5050\\microsoft.csharp.ni.dll") Region: id = 644 start_va = 0x900000 end_va = 0x90ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 645 start_va = 0x910000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 646 start_va = 0x960000 end_va = 0x96ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 647 start_va = 0x960000 end_va = 0x96ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 648 start_va = 0x9f0000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 649 start_va = 0x4d50000 end_va = 0x4d8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004d50000" filename = "" Region: id = 650 start_va = 0x5000000 end_va = 0x598ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005000000" filename = "" Region: id = 651 start_va = 0x7efa7000 end_va = 0x7efa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 652 start_va = 0x73ab0000 end_va = 0x73b2ffff monitored = 0 entry_point = 0x73ac37c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 653 start_va = 0x5990000 end_va = 0x5a9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005990000" filename = "" Region: id = 654 start_va = 0x5aa0000 end_va = 0x5b7efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005aa0000" filename = "" Region: id = 655 start_va = 0x4df0000 end_va = 0x4e2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004df0000" filename = "" Region: id = 656 start_va = 0x4f80000 end_va = 0x4fbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004f80000" filename = "" Region: id = 657 start_va = 0x73a80000 end_va = 0x73a8dfff monitored = 0 entry_point = 0x73a81235 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll") Region: id = 658 start_va = 0x7ef92000 end_va = 0x7ef94fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef92000" filename = "" Region: id = 659 start_va = 0x2170000 end_va = 0x21affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002170000" filename = "" Region: id = 660 start_va = 0x2220000 end_va = 0x225ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002220000" filename = "" Region: id = 661 start_va = 0x7ef8f000 end_va = 0x7ef91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef8f000" filename = "" Region: id = 662 start_va = 0x5b90000 end_va = 0x5bcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005b90000" filename = "" Region: id = 663 start_va = 0x5be0000 end_va = 0x5c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005be0000" filename = "" Region: id = 664 start_va = 0x7ef8c000 end_va = 0x7ef8efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef8c000" filename = "" Region: id = 665 start_va = 0x9f0000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 666 start_va = 0x4fc0000 end_va = 0x4ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004fc0000" filename = "" Region: id = 667 start_va = 0x5c30000 end_va = 0x5c6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005c30000" filename = "" Region: id = 668 start_va = 0x7ef89000 end_va = 0x7ef8bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef89000" filename = "" Region: id = 669 start_va = 0x5a10000 end_va = 0x5a4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005a10000" filename = "" Region: id = 670 start_va = 0x5a60000 end_va = 0x5a9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005a60000" filename = "" Region: id = 671 start_va = 0x5d00000 end_va = 0x5d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005d00000" filename = "" Region: id = 672 start_va = 0x7ef86000 end_va = 0x7ef88fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef86000" filename = "" Region: id = 673 start_va = 0x2000000 end_va = 0x2010fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002000000" filename = "" Region: id = 674 start_va = 0xb30000 end_va = 0xb31fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershellget.psd1" filename = "\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1") Region: id = 675 start_va = 0x5d40000 end_va = 0x613ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005d40000" filename = "" Region: id = 676 start_va = 0x1fb0000 end_va = 0x1fb1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershellget.psd1" filename = "\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1") Region: id = 677 start_va = 0x5d40000 end_va = 0x613ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005d40000" filename = "" Region: id = 678 start_va = 0xb30000 end_va = 0xb30fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psd1" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1") Region: id = 679 start_va = 0x5d40000 end_va = 0x613ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005d40000" filename = "" Region: id = 680 start_va = 0x1fb0000 end_va = 0x1fb0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psd1" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1") Region: id = 681 start_va = 0x5d40000 end_va = 0x613ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005d40000" filename = "" Region: id = 682 start_va = 0x5d70000 end_va = 0x5daffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005d70000" filename = "" Region: id = 683 start_va = 0x5dc0000 end_va = 0x5dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005dc0000" filename = "" Region: id = 684 start_va = 0x7ef89000 end_va = 0x7ef8bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef89000" filename = "" Region: id = 685 start_va = 0x6b110000 end_va = 0x6bc7dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.commands.utility.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.P521220ea#\\f6f5592245815a51dae8c19cd5d04783\\Microsoft.PowerShell.Commands.Utility.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.p521220ea#\\f6f5592245815a51dae8c19cd5d04783\\microsoft.powershell.commands.utility.ni.dll") Region: id = 686 start_va = 0x71a70000 end_va = 0x71a97fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.configuration.install.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Confe64a9051#\\1561b93d6d25c4a9c3e2659ab29a5e73\\System.Configuration.Install.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.confe64a9051#\\1561b93d6d25c4a9c3e2659ab29a5e73\\system.configuration.install.ni.dll") Region: id = 687 start_va = 0xb30000 end_va = 0xb37fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 688 start_va = 0x5e00000 end_va = 0x61fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005e00000" filename = "" Region: id = 689 start_va = 0x1fb0000 end_va = 0x1fb7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 690 start_va = 0x5e00000 end_va = 0x61fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005e00000" filename = "" Region: id = 691 start_va = 0xb30000 end_va = 0xb3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 692 start_va = 0x1fb0000 end_va = 0x1fbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fb0000" filename = "" Region: id = 693 start_va = 0x20a0000 end_va = 0x20a7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 694 start_va = 0x5e00000 end_va = 0x61fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005e00000" filename = "" Region: id = 695 start_va = 0x20f0000 end_va = 0x20f7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 696 start_va = 0x5e00000 end_va = 0x61fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005e00000" filename = "" Region: id = 697 start_va = 0x20a0000 end_va = 0x20affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020a0000" filename = "" Region: id = 698 start_va = 0x5cc0000 end_va = 0x5cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005cc0000" filename = "" Region: id = 699 start_va = 0x5e30000 end_va = 0x5e6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005e30000" filename = "" Region: id = 700 start_va = 0x73c40000 end_va = 0x73c4afff monitored = 0 entry_point = 0x73c41992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 701 start_va = 0x6b0f0000 end_va = 0x6b106fff monitored = 0 entry_point = 0x6b0f35fa region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 702 start_va = 0x20a0000 end_va = 0x20affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020a0000" filename = "" Thread: id = 7 os_tid = 0xe98 [0093.133] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3fc [0093.133] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x410 [0093.134] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3f8 [0093.134] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3d0 [0093.134] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x414 [0093.134] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3f0 [0093.134] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3f4 [0093.134] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x418 [0093.135] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x41c [0093.135] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x420 [0093.135] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x424 [0093.135] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x428 [0093.135] SetEvent (hEvent=0x3d0) returned 1 [0093.135] SetEvent (hEvent=0x3fc) returned 1 [0093.135] SetEvent (hEvent=0x410) returned 1 [0093.135] SetEvent (hEvent=0x3f8) returned 1 [0093.136] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x42c [0093.136] SetEvent (hEvent=0x36c) returned 1 [0093.164] SetEvent (hEvent=0x414) returned 1 [0093.164] SetEvent (hEvent=0x3f0) returned 1 [0093.164] SetEvent (hEvent=0x3f4) returned 1 [0093.250] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", nBufferLength=0x105, lpBuffer=0x19da48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", lpFilePart=0x0) returned 0x40 [0093.252] CoTaskMemAlloc (cb=0x20c) returned 0x65c3e8 [0093.252] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x65c3e8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0093.252] CoTaskMemFree (pv=0x65c3e8) [0093.252] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3a [0093.253] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x3a, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0093.260] GetCurrentProcess () returned 0xffffffff [0093.260] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19dd80 | out: TokenHandle=0x19dd80*=0x438) returned 1 [0093.263] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2f [0093.263] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", nBufferLength=0x2f, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", lpFilePart=0x0) returned 0x2e [0093.263] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x19dd78 | out: lpFileInformation=0x19dd78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc63fb400, ftCreationTime.dwHighDateTime=0x1d4e4ee, ftLastAccessTime.dwLowDateTime=0xb9f350b0, ftLastAccessTime.dwHighDateTime=0x1d706ae, ftLastWriteTime.dwLowDateTime=0xc63fb400, ftLastWriteTime.dwHighDateTime=0x1d4e4ee, nFileSizeHigh=0x0, nFileSizeLow=0x8c8e)) returned 1 [0093.265] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0093.265] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x44, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x43 [0093.266] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x19dd80 | out: lpFileInformation=0x19dd80*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc63fb400, ftCreationTime.dwHighDateTime=0x1d4e4ee, ftLastAccessTime.dwLowDateTime=0xb9f350b0, ftLastAccessTime.dwHighDateTime=0x1d706ae, ftLastWriteTime.dwLowDateTime=0xc63fb400, ftLastWriteTime.dwHighDateTime=0x1d4e4ee, nFileSizeHigh=0x0, nFileSizeLow=0x8c8e)) returned 1 [0093.267] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0093.267] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x44, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x43 [0093.267] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19dcb8) returned 1 [0093.267] CreateFileW (lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x43c [0093.267] GetFileType (hFile=0x43c) returned 0x1 [0093.267] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19dcb4) returned 1 [0093.267] GetFileType (hFile=0x43c) returned 0x1 [0093.297] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0093.297] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", nBufferLength=0x44, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x43 [0093.298] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0093.298] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", nBufferLength=0x44, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x43 [0093.298] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19d294) returned 1 [0093.298] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x19d558 | out: lpFileInformation=0x19d558*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc63fb400, ftCreationTime.dwHighDateTime=0x1d4e4ee, ftLastAccessTime.dwLowDateTime=0xb9f350b0, ftLastAccessTime.dwHighDateTime=0x1d706ae, ftLastWriteTime.dwLowDateTime=0xc63fb400, ftLastWriteTime.dwHighDateTime=0x1d4e4ee, nFileSizeHigh=0x0, nFileSizeLow=0x8c8e)) returned 1 [0093.298] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19d290) returned 1 [0093.451] BCryptGetFipsAlgorithmMode (in: pfEnabled=0x19d424 | out: pfEnabled=0x19d424) returned 0x0 [0093.463] GetFileSize (in: hFile=0x43c, lpFileSizeHigh=0x19dd74 | out: lpFileSizeHigh=0x19dd74*=0x0) returned 0x8c8e [0093.463] ReadFile (in: hFile=0x43c, lpBuffer=0x24e4e08, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19dd30, lpOverlapped=0x0 | out: lpBuffer=0x24e4e08*, lpNumberOfBytesRead=0x19dd30*=0x1000, lpOverlapped=0x0) returned 1 [0093.478] ReadFile (in: hFile=0x43c, lpBuffer=0x24e4e08, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19dbe0, lpOverlapped=0x0 | out: lpBuffer=0x24e4e08*, lpNumberOfBytesRead=0x19dbe0*=0x1000, lpOverlapped=0x0) returned 1 [0093.480] ReadFile (in: hFile=0x43c, lpBuffer=0x24e4e08, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19da94, lpOverlapped=0x0 | out: lpBuffer=0x24e4e08*, lpNumberOfBytesRead=0x19da94*=0x1000, lpOverlapped=0x0) returned 1 [0093.481] ReadFile (in: hFile=0x43c, lpBuffer=0x24e4e08, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19da94, lpOverlapped=0x0 | out: lpBuffer=0x24e4e08*, lpNumberOfBytesRead=0x19da94*=0x1000, lpOverlapped=0x0) returned 1 [0093.481] ReadFile (in: hFile=0x43c, lpBuffer=0x24e4e08, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19da94, lpOverlapped=0x0 | out: lpBuffer=0x24e4e08*, lpNumberOfBytesRead=0x19da94*=0x1000, lpOverlapped=0x0) returned 1 [0093.481] ReadFile (in: hFile=0x43c, lpBuffer=0x24e4e08, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19d9cc, lpOverlapped=0x0 | out: lpBuffer=0x24e4e08*, lpNumberOfBytesRead=0x19d9cc*=0x1000, lpOverlapped=0x0) returned 1 [0093.487] ReadFile (in: hFile=0x43c, lpBuffer=0x24e4e08, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19db38, lpOverlapped=0x0 | out: lpBuffer=0x24e4e08*, lpNumberOfBytesRead=0x19db38*=0x1000, lpOverlapped=0x0) returned 1 [0093.489] ReadFile (in: hFile=0x43c, lpBuffer=0x24e4e08, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19da2c, lpOverlapped=0x0 | out: lpBuffer=0x24e4e08*, lpNumberOfBytesRead=0x19da2c*=0x1000, lpOverlapped=0x0) returned 1 [0093.489] ReadFile (in: hFile=0x43c, lpBuffer=0x24e4e08, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19da2c, lpOverlapped=0x0 | out: lpBuffer=0x24e4e08*, lpNumberOfBytesRead=0x19da2c*=0xc8e, lpOverlapped=0x0) returned 1 [0093.489] ReadFile (in: hFile=0x43c, lpBuffer=0x24e4e08, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19daf0, lpOverlapped=0x0 | out: lpBuffer=0x24e4e08*, lpNumberOfBytesRead=0x19daf0*=0x0, lpOverlapped=0x0) returned 1 [0093.489] CloseHandle (hObject=0x43c) returned 1 [0093.490] CloseHandle (hObject=0x438) returned 1 [0093.490] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", nBufferLength=0x105, lpBuffer=0x19da44, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", lpFilePart=0x0) returned 0x40 [0093.490] CoTaskMemAlloc (cb=0x20c) returned 0x65c3e8 [0093.490] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x65c3e8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0093.490] CoTaskMemFree (pv=0x65c3e8) [0093.490] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3a [0093.490] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x3a, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0093.491] GetCurrentProcess () returned 0xffffffff [0093.491] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19decc | out: TokenHandle=0x19decc*=0x438) returned 1 [0093.491] CloseHandle (hObject=0x438) returned 1 [0093.492] GetCurrentProcess () returned 0xffffffff [0093.492] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19decc | out: TokenHandle=0x19decc*=0x438) returned 1 [0093.492] CloseHandle (hObject=0x438) returned 1 [0093.493] GetCurrentProcess () returned 0xffffffff [0093.494] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19dd80 | out: TokenHandle=0x19dd80*=0x438) returned 1 [0093.494] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x19dd78 | out: lpFileInformation=0x19dd78*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0093.494] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 [0093.495] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", nBufferLength=0x41, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", lpFilePart=0x0) returned 0x40 [0093.495] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x19dd80 | out: lpFileInformation=0x19dd80*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0093.495] CloseHandle (hObject=0x438) returned 1 [0093.495] GetCurrentProcess () returned 0xffffffff [0093.495] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19decc | out: TokenHandle=0x19decc*=0x438) returned 1 [0093.496] CloseHandle (hObject=0x438) returned 1 [0093.497] GetCurrentProcess () returned 0xffffffff [0093.497] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19decc | out: TokenHandle=0x19decc*=0x438) returned 1 [0093.497] CloseHandle (hObject=0x438) returned 1 [0093.508] GetCurrentProcess () returned 0xffffffff [0093.508] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19dce4 | out: TokenHandle=0x19dce4*=0x438) returned 1 [0093.529] CloseHandle (hObject=0x438) returned 1 [0093.529] GetCurrentProcess () returned 0xffffffff [0093.529] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19dcfc | out: TokenHandle=0x19dcfc*=0x438) returned 1 [0093.531] CloseHandle (hObject=0x438) returned 1 [0093.538] CoCreateGuid (in: pguid=0x19e0e8 | out: pguid=0x19e0e8*(Data1=0x62fc10a9, Data2=0x7bda, Data3=0x4c2c, Data4=([0]=0x87, [1]=0x1c, [2]=0x74, [3]=0xf5, [4]=0x67, [5]=0x4f, [6]=0xba, [7]=0x46))) returned 0x0 [0093.540] ReportEventW (hEventLog=0x4860004, wType=0x4, wCategory=0x4, dwEventID=0x193, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2502320*="Stopped", lpRawData=0x2502248) returned 1 [0093.555] SetEvent (hEvent=0x36c) returned 1 [0093.587] CloseHandle (hObject=0x36c) returned 1 [0093.687] SetConsoleCtrlHandler (HandlerRoutine=0x0, Add=0) returned 1 [0093.692] CoGetContextToken (in: pToken=0x19f7ac | out: pToken=0x19f7ac) returned 0x0 [0093.692] CObjectContext::QueryInterface () returned 0x0 [0093.692] CObjectContext::GetCurrentThreadType () returned 0x0 [0093.692] Release () returned 0x0 [0093.693] CoGetContextToken (in: pToken=0x19f4bc | out: pToken=0x19f4bc) returned 0x0 [0093.693] CObjectContext::QueryInterface () returned 0x0 [0093.693] CObjectContext::GetCurrentThreadType () returned 0x0 [0093.693] Release () returned 0x0 [0093.695] CoGetContextToken (in: pToken=0x19f4bc | out: pToken=0x19f4bc) returned 0x0 [0093.695] CObjectContext::QueryInterface () returned 0x0 [0093.695] CObjectContext::GetCurrentThreadType () returned 0x0 [0093.695] Release () returned 0x0 [0093.714] CoGetContextToken (in: pToken=0x19f4bc | out: pToken=0x19f4bc) returned 0x0 [0093.714] CObjectContext::QueryInterface () returned 0x0 [0093.714] CObjectContext::GetCurrentThreadType () returned 0x0 [0093.714] Release () returned 0x0 [0093.724] CoGetContextToken (in: pToken=0x19f4dc | out: pToken=0x19f4dc) returned 0x0 [0093.724] CObjectContext::QueryInterface () returned 0x0 [0093.724] CObjectContext::GetCurrentThreadType () returned 0x0 [0093.724] Release () returned 0x0 [0093.725] CoUninitialize () Thread: id = 10 os_tid = 0xeb4 Thread: id = 11 os_tid = 0xeb8 [0086.320] RegCloseKey (hKey=0x368) returned 0x0 [0087.870] CloseHandle (hObject=0x3f4) returned 1 [0087.870] CloseHandle (hObject=0x3f0) returned 1 [0087.870] CloseHandle (hObject=0x414) returned 1 [0087.870] CloseHandle (hObject=0x3d0) returned 1 [0087.870] CloseHandle (hObject=0x3f8) returned 1 [0087.870] CloseHandle (hObject=0x3fc) returned 1 [0093.694] EtwEventUnregister () returned 0x0 [0093.694] EtwEventUnregister () returned 0x0 [0093.694] EtwEventUnregister () returned 0x0 [0093.694] EtwEventUnregister () returned 0x0 [0093.694] EtwEventUnregister () returned 0x0 [0093.694] EtwEventUnregister () returned 0x0 [0093.694] EtwEventUnregister () returned 0x0 [0093.694] EtwEventUnregister () returned 0x0 [0093.700] EtwEventUnregister () returned 0x0 [0093.702] CloseHandle (hObject=0x2c8) returned 1 [0093.705] CloseHandle (hObject=0x340) returned 1 [0093.706] CloseHandle (hObject=0x33c) returned 1 [0093.706] CloseHandle (hObject=0x2c0) returned 1 [0093.706] CloseHandle (hObject=0x30c) returned 1 [0093.706] CloseHandle (hObject=0x3f0) returned 1 [0093.707] CloseHandle (hObject=0x414) returned 1 [0093.707] CloseHandle (hObject=0x3d0) returned 1 [0093.707] CloseHandle (hObject=0x3f8) returned 1 [0093.708] CloseHandle (hObject=0x410) returned 1 [0093.708] CloseHandle (hObject=0x3fc) returned 1 [0093.708] CloseHandle (hObject=0x3d4) returned 1 [0093.709] LocalFree (hMem=0x6e9c60) returned 0x0 [0093.709] UnmapViewOfFile (lpBaseAddress=0x2000000) returned 1 [0093.711] CloseHandle (hObject=0x42c) returned 1 [0093.711] CloseHandle (hObject=0x428) returned 1 [0093.711] CloseHandle (hObject=0x424) returned 1 [0093.711] CloseHandle (hObject=0x420) returned 1 [0093.712] CloseHandle (hObject=0x408) returned 1 [0093.712] CloseHandle (hObject=0x368) returned 1 [0093.712] CloseHandle (hObject=0xf) returned 1 [0093.716] DeregisterEventSource (hEventLog=0x4860004) returned 1 [0093.718] CloseHandle (hObject=0x404) returned 1 [0093.718] CloseHandle (hObject=0x3c8) returned 1 [0093.719] CloseHandle (hObject=0x40c) returned 1 [0093.719] CloseHandle (hObject=0x230) returned 1 [0093.719] CloseHandle (hObject=0x41c) returned 1 [0093.720] CloseHandle (hObject=0x418) returned 1 [0093.720] LocalFree (hMem=0x4e9d2d8) returned 0x0 [0093.720] CloseHandle (hObject=0x3f4) returned 1 [0093.721] CloseHandle (hObject=0x364) returned 1 [0093.721] CloseHandle (hObject=0x360) returned 1 [0093.721] RegCloseKey (hKey=0x80000004) returned 0x0 [0093.722] CloseHandle (hObject=0x35c) returned 1 [0093.722] CloseHandle (hObject=0x358) returned 1 [0093.722] CloseHandle (hObject=0x354) returned 1 [0093.722] CloseHandle (hObject=0x350) returned 1 [0093.723] CloseHandle (hObject=0x34c) returned 1 [0093.723] CloseHandle (hObject=0x348) returned 1 [0093.723] CloseHandle (hObject=0x344) returned 1 Thread: id = 12 os_tid = 0xebc Thread: id = 13 os_tid = 0xec8 [0085.182] CoCreateGuid (in: pguid=0x209eaa0 | out: pguid=0x209eaa0*(Data1=0xbc17ae7d, Data2=0xd9c5, Data3=0x4e77, Data4=([0]=0x9b, [1]=0x49, [2]=0x7, [3]=0xc0, [4]=0x6f, [5]=0x82, [6]=0x90, [7]=0xca))) returned 0x0 Thread: id = 14 os_tid = 0xecc Thread: id = 15 os_tid = 0xed0 Thread: id = 16 os_tid = 0xed4 Thread: id = 17 os_tid = 0xed8 Thread: id = 18 os_tid = 0xedc [0093.713] CoGetContextToken (in: pToken=0x4b7f74c | out: pToken=0x4b7f74c) returned 0x0 [0093.713] CObjectContext::QueryInterface () returned 0x0 [0093.713] CObjectContext::GetCurrentThreadType () returned 0x0 [0093.713] Release () returned 0x0 Thread: id = 19 os_tid = 0xee0 Thread: id = 20 os_tid = 0xee4 Thread: id = 21 os_tid = 0xee8 Thread: id = 22 os_tid = 0xeec [0085.044] SetThreadUILanguage (LangId=0x0) returned 0x409 [0085.056] EtwEventRegister () returned 0x0 [0085.114] CoCreateGuid (in: pguid=0x598f26c | out: pguid=0x598f26c*(Data1=0x24d3027, Data2=0xc335, Data3=0x418a, Data4=([0]=0xbc, [1]=0xde, [2]=0xaf, [3]=0xc2, [4]=0x2e, [5]=0xd4, [6]=0xd5, [7]=0x1d))) returned 0x0 [0085.123] QueryPerformanceCounter (in: lpPerformanceCount=0x598f24c | out: lpPerformanceCount=0x598f24c*=1802613400633) returned 1 [0085.126] GetCurrentProcessId () returned 0xe94 [0085.126] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe94) returned 0x3c8 [0085.126] EnumProcessModules (in: hProcess=0x3c8, lphModule=0x2574750, cb=0x100, lpcbNeeded=0x598f144 | out: lphModule=0x2574750, lpcbNeeded=0x598f144) returned 1 [0085.128] GetModuleInformation (in: hProcess=0x3c8, hModule=0xb40000, lpmodinfo=0x2574890, cb=0xc | out: lpmodinfo=0x2574890*(lpBaseOfDll=0xb40000, SizeOfImage=0x6b000, EntryPoint=0xb4d330)) returned 1 [0085.128] CoTaskMemAlloc (cb=0x804) returned 0x4e8d2d8 [0085.128] GetModuleBaseNameW (in: hProcess=0x3c8, hModule=0xb40000, lpBaseName=0x4e8d2d8, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0085.128] CoTaskMemFree (pv=0x4e8d2d8) [0085.128] CoTaskMemAlloc (cb=0x804) returned 0x4e8d2d8 [0085.129] GetModuleFileNameExW (in: hProcess=0x3c8, hModule=0xb40000, lpFilename=0x4e8d2d8, nSize=0x800 | out: lpFilename="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0085.129] CoTaskMemFree (pv=0x4e8d2d8) [0085.129] CloseHandle (hObject=0x3c8) returned 1 [0085.130] LocalReAlloc (hMem=0x6fa2c0, uBytes=0x208, uFlags=0x2) returned 0x4e9d2d8 [0085.131] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x104, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0085.131] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ee7c) returned 1 [0085.131] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0x598f140 | out: lpFileInformation=0x598f140*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b7f9180, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8b7f9180, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x7711b3a3, ftLastWriteTime.dwHighDateTime=0x1d251bc, nFileSizeHigh=0x0, nFileSizeLow=0x68400)) returned 1 [0085.131] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ee78) returned 1 [0085.131] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", lpdwHandle=0x598f1b4 | out: lpdwHandle=0x598f1b4) returned 0x74c [0085.131] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", dwHandle=0x0, dwLen=0x74c, lpData=0x2576ac4 | out: lpData=0x2576ac4) returned 1 [0085.132] VerQueryValueW (in: pBlock=0x2576ac4, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x598f188, puLen=0x598f184 | out: lplpBuffer=0x598f188*=0x2576e64, puLen=0x598f184) returned 1 [0085.132] VerQueryValueW (in: pBlock=0x2576ac4, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\CompanyName", lplpBuffer=0x598f108, puLen=0x598f104 | out: lplpBuffer=0x598f108*=0x2576b7c, puLen=0x598f104) returned 1 [0085.132] VerQueryValueW (in: pBlock=0x2576ac4, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\FileDescription", lplpBuffer=0x598f108, puLen=0x598f104 | out: lplpBuffer=0x598f108*=0x2576bd0, puLen=0x598f104) returned 1 [0085.132] VerQueryValueW (in: pBlock=0x2576ac4, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\FileVersion", lplpBuffer=0x598f108, puLen=0x598f104 | out: lplpBuffer=0x598f108*=0x2576c18, puLen=0x598f104) returned 1 [0085.132] VerQueryValueW (in: pBlock=0x2576ac4, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\InternalName", lplpBuffer=0x598f108, puLen=0x598f104 | out: lplpBuffer=0x598f108*=0x2576c8c, puLen=0x598f104) returned 1 [0085.132] VerQueryValueW (in: pBlock=0x2576ac4, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\LegalCopyright", lplpBuffer=0x598f108, puLen=0x598f104 | out: lplpBuffer=0x598f108*=0x2576cc8, puLen=0x598f104) returned 1 [0085.132] VerQueryValueW (in: pBlock=0x2576ac4, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\OriginalFilename", lplpBuffer=0x598f108, puLen=0x598f104 | out: lplpBuffer=0x598f108*=0x2576d4c, puLen=0x598f104) returned 1 [0085.132] VerQueryValueW (in: pBlock=0x2576ac4, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\ProductName", lplpBuffer=0x598f108, puLen=0x598f104 | out: lplpBuffer=0x598f108*=0x2576d94, puLen=0x598f104) returned 1 [0085.132] VerQueryValueW (in: pBlock=0x2576ac4, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\ProductVersion", lplpBuffer=0x598f108, puLen=0x598f104 | out: lplpBuffer=0x598f108*=0x2576e04, puLen=0x598f104) returned 1 [0085.132] VerQueryValueW (in: pBlock=0x2576ac4, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\Comments", lplpBuffer=0x598f108, puLen=0x598f104 | out: lplpBuffer=0x598f108*=0x0, puLen=0x598f104) returned 0 [0085.132] VerQueryValueW (in: pBlock=0x2576ac4, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\LegalTrademarks", lplpBuffer=0x598f108, puLen=0x598f104 | out: lplpBuffer=0x598f108*=0x0, puLen=0x598f104) returned 0 [0085.132] VerQueryValueW (in: pBlock=0x2576ac4, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\PrivateBuild", lplpBuffer=0x598f108, puLen=0x598f104 | out: lplpBuffer=0x598f108*=0x0, puLen=0x598f104) returned 0 [0085.132] VerQueryValueW (in: pBlock=0x2576ac4, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\SpecialBuild", lplpBuffer=0x598f108, puLen=0x598f104 | out: lplpBuffer=0x598f108*=0x0, puLen=0x598f104) returned 0 [0085.132] VerQueryValueW (in: pBlock=0x2576ac4, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x598f0fc, puLen=0x598f0f8 | out: lplpBuffer=0x598f0fc*=0x2576e64, puLen=0x598f0f8) returned 1 [0085.132] VerLanguageNameW (in: wLang=0x409, szLang=0x598ee8c, cchLang=0x100 | out: szLang="English (United States)") returned 0x17 [0085.133] VerQueryValueW (in: pBlock=0x2576ac4, lpSubBlock="\\", lplpBuffer=0x598f10c, puLen=0x598f108 | out: lplpBuffer=0x598f10c*=0x2576aec, puLen=0x598f108) returned 1 [0085.411] QueryPerformanceCounter (in: lpPerformanceCount=0x598f214 | out: lpPerformanceCount=0x598f214*=1802642131774) returned 1 [0085.421] EtwEventRegister () returned 0x0 [0085.422] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x598f084, nSize=0x80 | out: lpBuffer="") returned 0x0 [0085.491] EtwEventActivityIdControl () returned 0x0 [0085.491] EtwEventActivityIdControl () returned 0x0 [0085.491] EtwEventActivityIdControl () returned 0x0 [0085.496] EtwEventActivityIdControl () returned 0x0 [0085.496] EtwEventActivityIdControl () returned 0x0 [0085.496] EtwEventActivityIdControl () returned 0x0 [0085.555] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x598e88c, nSize=0x80 | out: lpBuffer="") returned 0x0 [0085.555] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x598e88c, nSize=0x80 | out: lpBuffer="") returned 0x0 [0085.568] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x598e878, nSize=0x80 | out: lpBuffer="") returned 0x0 [0085.601] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging", ulOptions=0x0, samDesired=0x20019, phkResult=0x598f0f0 | out: phkResult=0x598f0f0*=0x0) returned 0x2 [0085.602] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging", ulOptions=0x0, samDesired=0x20019, phkResult=0x598f0f0 | out: phkResult=0x598f0f0*=0x0) returned 0x2 [0085.612] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x598e848, nSize=0x80 | out: lpBuffer="") returned 0x0 [0085.619] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x598ec88, nSize=0x80 | out: lpBuffer="") returned 0x0 [0085.621] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x598eba4, nSize=0x80 | out: lpBuffer="") returned 0xbe [0085.621] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x598eb28, nSize=0xbe | out: lpBuffer="") returned 0xbd [0085.623] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x598eb14, nSize=0xbe | out: lpBuffer="") returned 0x3a [0085.649] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4e9d2d8 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop") returned 0x1a [0085.651] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x598eb1c, nSize=0xbe | out: lpBuffer="") returned 0x3a [0085.653] GetFullPathNameW (in: lpFileName="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x49 [0085.653] GetFullPathNameW (in: lpFileName="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x49, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x48 [0085.653] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea10) returned 1 [0085.653] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\users\\keecfmwgj\\desktop\\c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x598ecd4 | out: lpFileInformation=0x598ecd4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0085.653] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea0c) returned 1 [0085.654] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x598e3ac, nSize=0xbe | out: lpBuffer="") returned 0x0 [0085.654] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0085.654] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x14, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0085.654] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea10) returned 1 [0085.654] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x598ecd4 | out: lpFileInformation=0x598ecd4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe13712, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x5da08c40, ftLastAccessTime.dwHighDateTime=0x1d7a944, ftLastWriteTime.dwLowDateTime=0x5da08c40, ftLastWriteTime.dwHighDateTime=0x1d7a944, nFileSizeHigh=0x0, nFileSizeLow=0x80000)) returned 1 [0085.655] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea0c) returned 1 [0085.655] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598eccc) returned 1 [0085.656] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0085.656] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x14, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0085.657] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\Start-Sleep.*", lpFindFileData=0x598ea7c | out: lpFindFileData=0x598ea7c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0085.657] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea24) returned 1 [0085.657] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ec84) returned 1 [0085.658] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0085.658] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0xb, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0085.658] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea10) returned 1 [0085.658] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x598ecd4 | out: lpFileInformation=0x598ecd4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x571be860, ftLastAccessTime.dwHighDateTime=0x1d7a944, ftLastWriteTime.dwLowDateTime=0x571be860, ftLastWriteTime.dwHighDateTime=0x1d7a944, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0085.659] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea0c) returned 1 [0085.659] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598eccc) returned 1 [0085.659] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0085.659] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0xb, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0085.659] FindFirstFileW (in: lpFileName="C:\\Windows\\Start-Sleep.*", lpFindFileData=0x598ea7c | out: lpFindFileData=0x598ea7c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0085.659] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea24) returned 1 [0085.659] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ec84) returned 1 [0085.660] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0085.660] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0085.660] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea10) returned 1 [0085.660] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem" (normalized: "c:\\windows\\syswow64\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x598ecd4 | out: lpFileInformation=0x598ecd4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x123dcea, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x496a9b80, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496a9b80, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0085.660] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea0c) returned 1 [0085.660] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598eccc) returned 1 [0085.660] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0085.660] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0085.660] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\Start-Sleep.*", lpFindFileData=0x598ea7c | out: lpFindFileData=0x598ea7c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0085.661] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea24) returned 1 [0085.661] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ec84) returned 1 [0085.661] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2c [0085.661] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x2c, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0085.661] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea10) returned 1 [0085.661] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x598ecd4 | out: lpFileInformation=0x598ecd4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x499a3700, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499a3700, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0085.661] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea0c) returned 1 [0085.661] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598eccc) returned 1 [0085.661] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2c [0085.661] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x2c, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0085.661] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Start-Sleep.*", lpFindFileData=0x598ea7c | out: lpFindFileData=0x598ea7c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0085.662] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea24) returned 1 [0085.662] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ec84) returned 1 [0085.664] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x598eb80, nSize=0xbe | out: lpBuffer="") returned 0xc6 [0085.665] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x598eb70, nSize=0xc6 | out: lpBuffer="") returned 0xc5 [0085.678] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules" (normalized: "c:\\program files\\windowspowershell\\modules")) returned 0x10 [0085.682] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ecfc) returned 1 [0085.682] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2b [0085.682] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x2b, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x2a [0085.682] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\*", lpFindFileData=0x598eaac | out: lpFindFileData=0x598eaac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49ad4200, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49ad4200, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x68e6c8 [0085.682] FindNextFileW (in: hFindFile=0x68e6c8, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49ad4200, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49ad4200, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.683] FindNextFileW (in: hFindFile=0x68e6c8, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ad4200, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49ad4200, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49ad4200, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement", cAlternateFileName="PACKAG~1")) returned 1 [0085.683] FindNextFileW (in: hFindFile=0x68e6c8, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49aae0a0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49aae0a0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerShellGet", cAlternateFileName="POWERS~1")) returned 1 [0085.683] FindNextFileW (in: hFindFile=0x68e6c8, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0085.683] FindClose (in: hFindFile=0x68e6c8 | out: hFindFile=0x68e6c8) returned 1 [0085.683] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea6c) returned 1 [0085.683] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598eccc) returned 1 [0085.684] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.psd1")) returned 0xffffffff [0085.684] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.psm1")) returned 0xffffffff [0085.684] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.cdxml")) returned 0xffffffff [0085.684] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.xaml")) returned 0xffffffff [0085.685] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.ni.dll")) returned 0xffffffff [0085.685] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.dll")) returned 0xffffffff [0085.685] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0085.685] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x3d, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x3c [0085.685] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea4c) returned 1 [0085.685] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement"), fInfoLevelId=0x0, lpFileInformation=0x598ed10 | out: lpFileInformation=0x598ed10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ad4200, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49ad4200, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49ad4200, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0085.687] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea48) returned 1 [0085.687] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x39 [0085.687] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x39, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", lpFilePart=0x0) returned 0x38 [0085.687] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea4c) returned 1 [0085.687] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget"), fInfoLevelId=0x0, lpFileInformation=0x598ed10 | out: lpFileInformation=0x598ed10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49aae0a0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49aae0a0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0085.687] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea48) returned 1 [0085.687] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ecfc) returned 1 [0085.687] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0085.687] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x3d, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x3c [0085.688] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\*", lpFindFileData=0x598eaac | out: lpFindFileData=0x598eaac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ad4200, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49ad4200, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49ad4200, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x68e6c8 [0085.688] FindNextFileW (in: hFindFile=0x68e6c8, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ad4200, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49ad4200, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49ad4200, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.688] FindNextFileW (in: hFindFile=0x68e6c8, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ad4200, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49b46620, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49b46620, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0085.688] FindNextFileW (in: hFindFile=0x68e6c8, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0085.688] FindClose (in: hFindFile=0x68e6c8 | out: hFindFile=0x68e6c8) returned 1 [0085.688] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea6c) returned 1 [0085.688] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598eccc) returned 1 [0085.688] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5c [0085.688] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x5c, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0085.688] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea50) returned 1 [0085.688] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), fInfoLevelId=0x0, lpFileInformation=0x598ed14 | out: lpFileInformation=0x598ed14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49b46620, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea9fba0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea9fba0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x8f9)) returned 1 [0085.692] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea4c) returned 1 [0085.692] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5c [0085.692] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x5c, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0085.694] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5c [0085.694] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x5c, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0085.694] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea74) returned 1 [0085.694] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), fInfoLevelId=0x0, lpFileInformation=0x259fb50 | out: lpFileInformation=0x259fb50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49b46620, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea9fba0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea9fba0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x8f9)) returned 1 [0085.694] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea70) returned 1 [0085.699] GetEnvironmentVariableW (in: lpName="PSModuleAnalysisCachePath", lpBuffer=0x598dd24, nSize=0xc6 | out: lpBuffer="") returned 0x0 [0085.699] CoTaskMemAlloc (cb=0x20c) returned 0x6fb2d8 [0085.699] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x6fb2d8 | out: pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local") returned 0x0 [0085.699] CoTaskMemFree (pv=0x6fb2d8) [0085.699] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x21 [0085.699] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local", nBufferLength=0x21, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local", lpFilePart=0x0) returned 0x20 [0085.700] GetFileAttributesW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\powershell\\moduleanalysiscache")) returned 0x2020 [0085.701] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x52 [0085.701] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache", nBufferLength=0x52, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache", lpFilePart=0x0) returned 0x51 [0085.701] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598e4c8) returned 1 [0085.701] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\powershell\\moduleanalysiscache"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3d0 [0085.701] GetFileType (hFile=0x3d0) returned 0x1 [0085.701] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598e4c4) returned 1 [0085.701] GetFileType (hFile=0x3d0) returned 0x1 [0085.702] ReadFile (in: hFile=0x3d0, lpBuffer=0x25a0ca0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598e53c, lpOverlapped=0x0 | out: lpBuffer=0x25a0ca0*, lpNumberOfBytesRead=0x598e53c*=0x1000, lpOverlapped=0x0) returned 1 [0085.712] ReadFile (in: hFile=0x3d0, lpBuffer=0x25a087b, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x598e544, lpOverlapped=0x0 | out: lpBuffer=0x25a087b*, lpNumberOfBytesRead=0x598e544*=0x1, lpOverlapped=0x0) returned 1 [0085.712] ReadFile (in: hFile=0x3d0, lpBuffer=0x25a0ca0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598e530, lpOverlapped=0x0 | out: lpBuffer=0x25a0ca0*, lpNumberOfBytesRead=0x598e530*=0x1000, lpOverlapped=0x0) returned 1 [0085.713] ReadFile (in: hFile=0x3d0, lpBuffer=0x25a0879, nNumberOfBytesToRead=0x13, lpNumberOfBytesRead=0x598e544, lpOverlapped=0x0 | out: lpBuffer=0x25a0879*, lpNumberOfBytesRead=0x598e544*=0x13, lpOverlapped=0x0) returned 1 [0085.714] ReadFile (in: hFile=0x3d0, lpBuffer=0x25a0ca0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598e544, lpOverlapped=0x0 | out: lpBuffer=0x25a0ca0*, lpNumberOfBytesRead=0x598e544*=0x1000, lpOverlapped=0x0) returned 1 [0085.714] ReadFile (in: hFile=0x3d0, lpBuffer=0x25a0ca0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598e544, lpOverlapped=0x0 | out: lpBuffer=0x25a0ca0*, lpNumberOfBytesRead=0x598e544*=0x4fd, lpOverlapped=0x0) returned 1 [0085.715] GetEnvironmentVariableW (in: lpName="PSDisableModuleAnalysisCacheCleanup", lpBuffer=0x598e3a4, nSize=0xc6 | out: lpBuffer="") returned 0x0 [0085.723] CloseHandle (hObject=0x3d0) returned 1 [0085.723] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psd1")) returned 0xffffffff [0085.724] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psm1")) returned 0xffffffff [0085.724] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.cdxml")) returned 0xffffffff [0085.725] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.xaml")) returned 0xffffffff [0085.725] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.ni.dll")) returned 0xffffffff [0085.725] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.dll")) returned 0xffffffff [0085.725] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ecfc) returned 1 [0085.725] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x39 [0085.725] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x39, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", lpFilePart=0x0) returned 0x38 [0085.725] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\*", lpFindFileData=0x598eaac | out: lpFindFileData=0x598eaac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49aae0a0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49aae0a0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x68e708 [0085.726] FindNextFileW (in: hFindFile=0x68e708, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49aae0a0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49aae0a0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.726] FindNextFileW (in: hFindFile=0x68e708, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49ad4200, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49ad4200, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0085.726] FindNextFileW (in: hFindFile=0x68e708, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0085.726] FindClose (in: hFindFile=0x68e708 | out: hFindFile=0x68e708) returned 1 [0085.726] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea6c) returned 1 [0085.726] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598eccc) returned 1 [0085.726] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0085.727] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0085.727] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea50) returned 1 [0085.727] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x598ed14 | out: lpFileInformation=0x598ed14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea79a40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea79a40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0085.730] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea4c) returned 1 [0085.730] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0085.730] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0085.730] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0085.730] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0085.730] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea74) returned 1 [0085.730] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x25b2d10 | out: lpFileInformation=0x25b2d10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea79a40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea79a40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0085.730] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea70) returned 1 [0085.730] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.psd1")) returned 0xffffffff [0085.731] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.psm1")) returned 0xffffffff [0085.731] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.cdxml")) returned 0xffffffff [0085.731] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.xaml")) returned 0xffffffff [0085.731] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.ni.dll")) returned 0xffffffff [0085.731] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.dll")) returned 0xffffffff [0085.734] GetFileAttributesW (lpFileName="C:\\Users\\kEecfMwgj\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\keecfmwgj\\documents\\windowspowershell\\modules")) returned 0xffffffff [0085.746] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules" (normalized: "c:\\program files (x86)\\windowspowershell\\modules")) returned 0x10 [0085.750] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ecfc) returned 1 [0085.750] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x31 [0085.750] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules", nBufferLength=0x31, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x30 [0085.750] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\*", lpFindFileData=0x598eaac | out: lpFindFileData=0x598eaac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499ef9c0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499ef9c0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x68e708 [0085.750] FindNextFileW (in: hFindFile=0x68e708, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499ef9c0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499ef9c0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.750] FindNextFileW (in: hFindFile=0x68e708, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499ef9c0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499ef9c0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499ef9c0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement", cAlternateFileName="PACKAG~1")) returned 1 [0085.750] FindNextFileW (in: hFindFile=0x68e708, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499a3700, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499a3700, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerShellGet", cAlternateFileName="POWERS~1")) returned 1 [0085.750] FindNextFileW (in: hFindFile=0x68e708, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0085.750] FindClose (in: hFindFile=0x68e708 | out: hFindFile=0x68e708) returned 1 [0085.750] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea6c) returned 1 [0085.751] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598eccc) returned 1 [0085.751] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Modules.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\modules.psd1")) returned 0xffffffff [0085.751] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Modules.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\modules.psm1")) returned 0xffffffff [0085.751] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Modules.cdxml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\modules.cdxml")) returned 0xffffffff [0085.751] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Modules.xaml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\modules.xaml")) returned 0xffffffff [0085.751] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Modules.ni.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\modules.ni.dll")) returned 0xffffffff [0085.751] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Modules.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\modules.dll")) returned 0xffffffff [0085.752] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x43 [0085.752] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x43, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x42 [0085.752] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea4c) returned 1 [0085.752] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement"), fInfoLevelId=0x0, lpFileInformation=0x598ed10 | out: lpFileInformation=0x598ed10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499ef9c0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499ef9c0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499ef9c0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0085.753] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea48) returned 1 [0085.753] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3f [0085.753] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x3f, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet", lpFilePart=0x0) returned 0x3e [0085.753] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea4c) returned 1 [0085.753] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget"), fInfoLevelId=0x0, lpFileInformation=0x598ed10 | out: lpFileInformation=0x598ed10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499a3700, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499a3700, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0085.753] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea48) returned 1 [0085.753] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ecfc) returned 1 [0085.753] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x43 [0085.754] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x43, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x42 [0085.754] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\*", lpFindFileData=0x598eaac | out: lpFindFileData=0x598eaac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499ef9c0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499ef9c0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499ef9c0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x68e708 [0085.754] FindNextFileW (in: hFindFile=0x68e708, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499ef9c0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499ef9c0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499ef9c0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.754] FindNextFileW (in: hFindFile=0x68e708, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499ef9c0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49a61de0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49a61de0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0085.754] FindNextFileW (in: hFindFile=0x68e708, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0085.754] FindClose (in: hFindFile=0x68e708 | out: hFindFile=0x68e708) returned 1 [0085.754] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea6c) returned 1 [0085.754] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598eccc) returned 1 [0085.754] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x62 [0085.754] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x62, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x61 [0085.755] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea50) returned 1 [0085.755] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), fInfoLevelId=0x0, lpFileInformation=0x598ed14 | out: lpFileInformation=0x598ed14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49a3bc80, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea79a40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea79a40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x8f9)) returned 1 [0085.757] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea4c) returned 1 [0085.757] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x62 [0085.757] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x62, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x61 [0085.758] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x62 [0085.758] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x62, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x61 [0085.758] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea74) returned 1 [0085.758] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), fInfoLevelId=0x0, lpFileInformation=0x25bc8b0 | out: lpFileInformation=0x25bc8b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49a3bc80, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea79a40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea79a40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x8f9)) returned 1 [0085.758] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea70) returned 1 [0085.761] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x62 [0085.761] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x62, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x61 [0085.761] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ebdc) returned 1 [0085.762] CreateFileW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3d0 [0085.762] GetFileType (hFile=0x3d0) returned 0x1 [0085.762] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ebd8) returned 1 [0085.762] GetFileType (hFile=0x3d0) returned 0x1 [0085.762] GetACP () returned 0x4e4 [0085.769] SetFilePointer (in: hFile=0x3d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x598ec18*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598ec18*=0) returned 0x0 [0085.769] ReadFile (in: hFile=0x3d0, lpBuffer=0x25bdb88, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598ec44, lpOverlapped=0x0 | out: lpBuffer=0x25bdb88*, lpNumberOfBytesRead=0x598ec44*=0x8f9, lpOverlapped=0x0) returned 1 [0085.771] SetFilePointer (in: hFile=0x3d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x598ec18*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598ec18*=0) returned 0x8f9 [0085.771] ReadFile (in: hFile=0x3d0, lpBuffer=0x25bd015, nNumberOfBytesToRead=0x307, lpNumberOfBytesRead=0x598ec44, lpOverlapped=0x0 | out: lpBuffer=0x25bd015*, lpNumberOfBytesRead=0x598ec44*=0x0, lpOverlapped=0x0) returned 1 [0085.771] SetFilePointer (in: hFile=0x3d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x598ec18*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598ec18*=0) returned 0x8f9 [0085.771] ReadFile (in: hFile=0x3d0, lpBuffer=0x25bdb88, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598ec44, lpOverlapped=0x0 | out: lpBuffer=0x25bdb88*, lpNumberOfBytesRead=0x598ec44*=0x0, lpOverlapped=0x0) returned 1 [0085.772] CloseHandle (hObject=0x3d0) returned 1 [0085.791] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psd1")) returned 0xffffffff [0085.792] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psm1")) returned 0xffffffff [0085.792] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.cdxml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\packagemanagement.cdxml")) returned 0xffffffff [0085.792] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.xaml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\packagemanagement.xaml")) returned 0xffffffff [0085.792] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.ni.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\packagemanagement.ni.dll")) returned 0xffffffff [0085.792] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\packagemanagement.dll")) returned 0xffffffff [0085.792] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ecfc) returned 1 [0085.792] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3f [0085.792] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x3f, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet", lpFilePart=0x0) returned 0x3e [0085.793] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\*", lpFindFileData=0x598eaac | out: lpFindFileData=0x598eaac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499a3700, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499a3700, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x68e708 [0085.793] FindNextFileW (in: hFindFile=0x68e708, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499a3700, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499a3700, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.793] FindNextFileW (in: hFindFile=0x68e708, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499ef9c0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499ef9c0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0085.793] FindNextFileW (in: hFindFile=0x68e708, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0085.793] FindClose (in: hFindFile=0x68e708 | out: hFindFile=0x68e708) returned 1 [0085.793] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea6c) returned 1 [0085.793] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598eccc) returned 1 [0085.802] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0085.802] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0085.803] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea50) returned 1 [0085.803] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x598ed14 | out: lpFileInformation=0x598ed14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea538e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea538e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0085.809] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea4c) returned 1 [0085.809] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0085.809] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0085.809] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0085.809] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0085.809] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea74) returned 1 [0085.809] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x25cc8bc | out: lpFileInformation=0x25cc8bc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea538e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea538e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0085.810] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea70) returned 1 [0085.810] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0085.810] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0085.810] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ebdc) returned 1 [0085.810] CreateFileW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3d0 [0085.810] GetFileType (hFile=0x3d0) returned 0x1 [0085.810] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ebd8) returned 1 [0085.810] GetFileType (hFile=0x3d0) returned 0x1 [0085.811] SetFilePointer (in: hFile=0x3d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x598ec18*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598ec18*=0) returned 0x0 [0085.811] ReadFile (in: hFile=0x3d0, lpBuffer=0x25cd694, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598ec44, lpOverlapped=0x0 | out: lpBuffer=0x25cd694*, lpNumberOfBytesRead=0x598ec44*=0x1000, lpOverlapped=0x0) returned 1 [0085.815] SetFilePointer (in: hFile=0x3d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x598ec18*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598ec18*=0) returned 0x1000 [0085.815] ReadFile (in: hFile=0x3d0, lpBuffer=0x25cd694, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598ec44, lpOverlapped=0x0 | out: lpBuffer=0x25cd694*, lpNumberOfBytesRead=0x598ec44*=0xde, lpOverlapped=0x0) returned 1 [0085.815] SetFilePointer (in: hFile=0x3d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x598ec18*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598ec18*=0) returned 0x10de [0085.816] ReadFile (in: hFile=0x3d0, lpBuffer=0x25cd694, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598ec44, lpOverlapped=0x0 | out: lpBuffer=0x25cd694*, lpNumberOfBytesRead=0x598ec44*=0x0, lpOverlapped=0x0) returned 1 [0085.816] CloseHandle (hObject=0x3d0) returned 1 [0085.820] CoCreateGuid (in: pguid=0x598ec84 | out: pguid=0x598ec84*(Data1=0xe72a5eb4, Data2=0x35e1, Data3=0x4c8d, Data4=([0]=0xa9, [1]=0x3a, [2]=0x93, [3]=0x55, [4]=0x7, [5]=0xb0, [6]=0x1a, [7]=0x91))) returned 0x0 [0085.827] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3d0 [0085.827] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3f0 [0085.827] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3f4 [0085.827] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3f8 [0085.827] SetEvent (hEvent=0x3f8) returned 1 [0085.827] SetEvent (hEvent=0x3d0) returned 1 [0085.827] SetEvent (hEvent=0x3f0) returned 1 [0085.827] SetEvent (hEvent=0x3f4) returned 1 [0085.829] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3fc [0085.829] SetThreadUILanguage (LangId=0x0) returned 0x409 [0085.879] EtwEventActivityIdControl () returned 0x0 [0085.879] EtwEventActivityIdControl () returned 0x0 [0085.879] EtwEventActivityIdControl () returned 0x0 [0085.912] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1")) returned 0x20 [0085.914] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0085.914] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0085.914] NtQuerySystemInformation (in: SystemInformationClass=0xa4, SystemInformation=0x598e5bc, Length=0x20, ResultLength=0x598e62c | out: SystemInformation=0x598e5bc, ResultLength=0x598e62c*=0x0) returned 0xc0000003 [0085.914] GetSystemInfo (in: lpSystemInfo=0x598e638 | out: lpSystemInfo=0x598e638*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5507)) [0085.914] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x598e5c8 | out: phkResult=0x598e5c8*=0x404) returned 0x0 [0085.915] RegQueryValueExW (in: hKey=0x404, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x598e5e4, lpData=0x0, lpcbData=0x598e5e0*=0x0 | out: lpType=0x598e5e4*=0x0, lpData=0x0, lpcbData=0x598e5e0*=0x0) returned 0x2 [0085.915] RegCloseKey (hKey=0x404) returned 0x0 [0085.921] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0085.921] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0085.921] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598e540) returned 1 [0085.921] CreateFileW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x404 [0085.922] GetFileType (hFile=0x404) returned 0x1 [0085.922] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598e53c) returned 1 [0085.922] GetFileType (hFile=0x404) returned 0x1 [0085.922] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598e57c*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598e57c*=0) returned 0x0 [0085.922] ReadFile (in: hFile=0x404, lpBuffer=0x25f0ca0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598e5a8, lpOverlapped=0x0 | out: lpBuffer=0x25f0ca0*, lpNumberOfBytesRead=0x598e5a8*=0x1000, lpOverlapped=0x0) returned 1 [0085.923] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598e57c*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598e57c*=0) returned 0x1000 [0085.924] ReadFile (in: hFile=0x404, lpBuffer=0x25f0ca0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598e5a8, lpOverlapped=0x0 | out: lpBuffer=0x25f0ca0*, lpNumberOfBytesRead=0x598e5a8*=0xde, lpOverlapped=0x0) returned 1 [0085.924] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598e57c*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598e57c*=0) returned 0x10de [0085.924] ReadFile (in: hFile=0x404, lpBuffer=0x25f0ca0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598e5a8, lpOverlapped=0x0 | out: lpBuffer=0x25f0ca0*, lpNumberOfBytesRead=0x598e5a8*=0x0, lpOverlapped=0x0) returned 1 [0085.924] NtQuerySystemInformation (in: SystemInformationClass=0xa4, SystemInformation=0x598e510, Length=0x20, ResultLength=0x598e580 | out: SystemInformation=0x598e510, ResultLength=0x598e580*=0x0) returned 0xc0000003 [0085.924] GetSystemInfo (in: lpSystemInfo=0x598e58c | out: lpSystemInfo=0x598e58c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5507)) [0085.924] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x598e51c | out: phkResult=0x598e51c*=0x408) returned 0x0 [0085.925] RegQueryValueExW (in: hKey=0x408, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x598e538, lpData=0x0, lpcbData=0x598e534*=0x0 | out: lpType=0x598e538*=0x0, lpData=0x0, lpcbData=0x598e534*=0x0) returned 0x2 [0085.925] RegCloseKey (hKey=0x408) returned 0x0 [0085.925] CloseHandle (hObject=0x404) returned 1 [0085.927] CoCreateGuid (in: pguid=0x598e60c | out: pguid=0x598e60c*(Data1=0x4aeceadb, Data2=0xaf03, Data3=0x4a67, Data4=([0]=0x87, [1]=0xd9, [2]=0xf1, [3]=0xaf, [4]=0x38, [5]=0xda, [6]=0x69, [7]=0x9a))) returned 0x0 [0085.931] QueryPerformanceCounter (in: lpPerformanceCount=0x598e36c | out: lpPerformanceCount=0x598e36c*=1802694117552) returned 1 [0085.931] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0085.931] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0085.931] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598e058) returned 1 [0085.931] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x598e31c | out: lpFileInformation=0x598e31c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea538e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea538e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0085.932] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598e054) returned 1 [0085.932] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0085.932] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0085.932] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0085.932] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0085.932] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598dfec) returned 1 [0085.932] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x598e2b0 | out: lpFileInformation=0x598e2b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea538e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea538e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0085.932] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598dfe8) returned 1 [0085.932] CoTaskMemAlloc (cb=0x10) returned 0x4e81780 [0085.932] CoTaskMemAlloc (cb=0x10) returned 0x4e817e0 [0085.933] CoTaskMemAlloc (cb=0xb4) returned 0x6a0580 [0085.933] CoTaskMemAlloc (cb=0x30) returned 0x4e9df28 [0085.933] WinVerifyTrust () returned 0x800b0100 [0085.946] CoTaskMemFree (pv=0x4e81780) [0085.946] CoTaskMemFree (pv=0x4e9df28) [0085.946] CryptCATHandleFromStore () returned 0x6845c0 [0085.946] WTHelperGetProvSignerFromChain () returned 0x0 [0085.946] CoTaskMemAlloc (cb=0x10) returned 0x4e81780 [0085.946] CoTaskMemAlloc (cb=0x30) returned 0x4e9df28 [0085.946] WinVerifyTrust () returned 0x0 [0085.946] CoTaskMemFree (pv=0x4e9df28) [0085.946] CoTaskMemFree (pv=0x4e81780) [0085.946] CoTaskMemFree (pv=0x6a0580) [0085.946] CoTaskMemFree (pv=0x4e817e0) [0086.049] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\en-US\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\en-us\\powershellget.psd1")) returned 0xffffffff [0086.049] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\en\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\en\\powershellget.psd1")) returned 0xffffffff [0086.088] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1")) returned 0x20 [0086.093] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1")) returned 0x20 [0086.096] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0086.096] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0086.096] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x47 [0086.096] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1", nBufferLength=0x47, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1", lpFilePart=0x0) returned 0x46 [0086.151] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x598dca8 | out: phkResult=0x598dca8*=0x404) returned 0x0 [0086.151] RegQueryValueExW (in: hKey=0x404, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x598dcc8, lpData=0x0, lpcbData=0x598dcc4*=0x0 | out: lpType=0x598dcc8*=0x1, lpData=0x0, lpcbData=0x598dcc4*=0x56) returned 0x0 [0086.151] RegQueryValueExW (in: hKey=0x404, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x598dcc8, lpData=0x261ced8, lpcbData=0x598dcc4*=0x56 | out: lpType=0x598dcc8*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x598dcc4*=0x56) returned 0x0 [0086.151] RegCloseKey (hKey=0x404) returned 0x0 [0086.155] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Format.ps1xml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.format.ps1xml")) returned 0x20 [0086.160] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Format.ps1xml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.format.ps1xml")) returned 0x20 [0086.161] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Format.ps1xml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.format.ps1xml")) returned 0x20 [0086.161] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x598dca8 | out: phkResult=0x598dca8*=0x404) returned 0x0 [0086.161] RegQueryValueExW (in: hKey=0x404, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x598dcc8, lpData=0x0, lpcbData=0x598dcc4*=0x0 | out: lpType=0x598dcc8*=0x1, lpData=0x0, lpcbData=0x598dcc4*=0x56) returned 0x0 [0086.161] RegQueryValueExW (in: hKey=0x404, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x598dcc8, lpData=0x262a6b8, lpcbData=0x598dcc4*=0x56 | out: lpType=0x598dcc8*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x598dcc4*=0x56) returned 0x0 [0086.162] RegCloseKey (hKey=0x404) returned 0x0 [0086.165] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1")) returned 0x20 [0086.169] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1")) returned 0x20 [0086.174] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Format.ps1xml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.format.ps1xml")) returned 0x20 [0086.179] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Format.ps1xml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.format.ps1xml")) returned 0x20 [0086.182] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Resource.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.resource.psd1")) returned 0x20 [0086.188] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Resource.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.resource.psd1")) returned 0x20 [0086.193] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGetModuleInfo.xml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5b [0086.193] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGetModuleInfo.xml", nBufferLength=0x5b, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGetModuleInfo.xml", lpFilePart=0x0) returned 0x5a [0086.193] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598daa8) returned 1 [0086.193] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGetModuleInfo.xml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psgetmoduleinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0x598dd6c | out: lpFileInformation=0x598dd6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0086.194] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598daa4) returned 1 [0086.195] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1")) returned 0x20 [0086.243] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x55 [0086.243] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", nBufferLength=0x55, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", lpFilePart=0x0) returned 0x54 [0086.243] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598d5d0) returned 1 [0086.244] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1"), fInfoLevelId=0x0, lpFileInformation=0x2659814 | out: lpFileInformation=0x2659814*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499c9860, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea538e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea538e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x8caa9)) returned 1 [0086.244] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598d5cc) returned 1 [0086.244] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x55 [0086.244] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", nBufferLength=0x55, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", lpFilePart=0x0) returned 0x54 [0086.244] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598d774) returned 1 [0086.245] CreateFileW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x404 [0086.245] GetFileType (hFile=0x404) returned 0x1 [0086.245] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598d770) returned 1 [0086.245] GetFileType (hFile=0x404) returned 0x1 [0086.245] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x0 [0086.245] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.249] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x1000 [0086.249] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.252] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x2000 [0086.252] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.253] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x3000 [0086.253] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.253] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x4000 [0086.253] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.253] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x5000 [0086.254] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.254] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x6000 [0086.254] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.254] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x7000 [0086.254] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.255] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x8000 [0086.255] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.255] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x9000 [0086.255] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.256] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0xa000 [0086.257] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.257] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0xb000 [0086.257] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.257] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0xc000 [0086.257] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.258] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0xd000 [0086.258] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.259] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0xe000 [0086.259] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.260] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0xf000 [0086.261] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.261] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x10000 [0086.262] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.262] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x11000 [0086.262] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.263] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x12000 [0086.263] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.263] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x13000 [0086.263] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.264] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x14000 [0086.264] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.264] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x15000 [0086.264] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.265] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x16000 [0086.265] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.265] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x17000 [0086.265] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.266] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x18000 [0086.266] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.266] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x19000 [0086.266] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.267] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x1a000 [0086.267] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.268] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x1b000 [0086.268] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.268] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x1c000 [0086.268] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.268] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x1d000 [0086.268] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.269] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x1e000 [0086.269] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.269] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x1f000 [0086.269] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.270] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x20000 [0086.270] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.270] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x21000 [0086.270] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.271] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x22000 [0086.271] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.271] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x23000 [0086.271] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.272] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x24000 [0086.272] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.272] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x25000 [0086.272] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.273] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x26000 [0086.273] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.273] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x27000 [0086.273] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.274] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x28000 [0086.274] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.274] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x29000 [0086.274] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.275] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x2a000 [0086.275] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.275] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x2b000 [0086.276] ReadFile (in: hFile=0x404, lpBuffer=0x265a618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x265a618*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.320] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x2c000 [0086.320] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.321] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x2d000 [0086.321] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.321] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x2e000 [0086.321] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.323] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x2f000 [0086.323] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.323] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x30000 [0086.323] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.324] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x31000 [0086.324] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.324] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x32000 [0086.324] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.325] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x33000 [0086.325] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.325] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x34000 [0086.325] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.326] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x35000 [0086.326] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.326] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x36000 [0086.326] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.326] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x37000 [0086.326] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.327] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x38000 [0086.327] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.327] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x39000 [0086.327] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.327] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x3a000 [0086.327] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.328] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x3b000 [0086.328] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.328] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x3c000 [0086.328] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.329] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x3d000 [0086.329] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.329] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x3e000 [0086.329] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.329] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x3f000 [0086.329] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.330] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x40000 [0086.330] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.330] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x41000 [0086.330] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.331] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x42000 [0086.331] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.331] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x43000 [0086.331] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.331] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x44000 [0086.331] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.332] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x45000 [0086.332] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.332] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x46000 [0086.332] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.332] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x47000 [0086.333] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.333] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x48000 [0086.333] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.333] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x49000 [0086.333] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.333] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x4a000 [0086.334] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.334] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x4b000 [0086.334] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.334] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x4c000 [0086.334] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.335] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x4d000 [0086.335] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.335] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x4e000 [0086.335] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.337] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x4f000 [0086.337] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.338] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x50000 [0086.338] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.338] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x51000 [0086.338] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.338] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x52000 [0086.338] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.339] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x53000 [0086.339] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.339] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x54000 [0086.339] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.339] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x55000 [0086.340] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.340] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x56000 [0086.340] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.340] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x57000 [0086.340] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.341] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x58000 [0086.341] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.341] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x59000 [0086.341] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.341] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x5a000 [0086.342] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.342] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x5b000 [0086.342] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.342] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x5c000 [0086.342] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.343] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x5d000 [0086.343] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.343] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x5e000 [0086.343] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.343] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x5f000 [0086.343] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.344] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x60000 [0086.344] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.344] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x61000 [0086.344] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.344] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x62000 [0086.344] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.345] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x63000 [0086.345] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.345] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x64000 [0086.345] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.345] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x65000 [0086.346] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.346] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x66000 [0086.346] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.346] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x67000 [0086.346] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.347] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x68000 [0086.347] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.347] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x69000 [0086.347] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.347] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x6a000 [0086.347] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.348] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x6b000 [0086.348] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.348] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x6c000 [0086.348] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.348] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x6d000 [0086.348] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.349] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x6e000 [0086.349] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.349] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x6f000 [0086.349] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.349] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x70000 [0086.349] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.350] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x71000 [0086.350] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.350] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x72000 [0086.350] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.350] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x73000 [0086.350] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.351] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x74000 [0086.351] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.351] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x75000 [0086.351] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.351] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x76000 [0086.351] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.351] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x77000 [0086.352] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.352] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x78000 [0086.352] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.352] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x79000 [0086.352] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.353] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x7a000 [0086.353] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.353] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x7b000 [0086.353] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.353] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x7c000 [0086.353] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.353] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x7d000 [0086.353] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.354] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x7e000 [0086.354] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.354] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x7f000 [0086.354] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.354] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x80000 [0086.354] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.355] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x81000 [0086.355] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.355] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x82000 [0086.355] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.356] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x83000 [0086.356] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.356] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x84000 [0086.356] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.357] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x85000 [0086.357] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.357] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x86000 [0086.357] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.357] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x87000 [0086.357] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.357] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x88000 [0086.357] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.358] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x89000 [0086.358] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.358] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x8a000 [0086.358] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.358] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x8b000 [0086.358] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x1000, lpOverlapped=0x0) returned 1 [0086.359] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x8c000 [0086.359] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0xaa9, lpOverlapped=0x0) returned 1 [0086.359] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x8caa9 [0086.359] ReadFile (in: hFile=0x404, lpBuffer=0x2435541, nNumberOfBytesToRead=0x157, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x2435541*, lpNumberOfBytesRead=0x598d7dc*=0x0, lpOverlapped=0x0) returned 1 [0086.359] SetFilePointer (in: hFile=0x404, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d7b0*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d7b0*=0) returned 0x8caa9 [0086.359] ReadFile (in: hFile=0x404, lpBuffer=0x24356f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7dc, lpOverlapped=0x0 | out: lpBuffer=0x24356f8*, lpNumberOfBytesRead=0x598d7dc*=0x0, lpOverlapped=0x0) returned 1 [0086.373] CloseHandle (hObject=0x404) returned 1 [0086.773] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x55 [0086.773] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", nBufferLength=0x55, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", lpFilePart=0x0) returned 0x54 [0086.773] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598d534) returned 1 [0086.773] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1"), fInfoLevelId=0x0, lpFileInformation=0x2ad4da8 | out: lpFileInformation=0x2ad4da8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499c9860, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea538e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea538e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x8caa9)) returned 1 [0086.773] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598d530) returned 1 [0086.788] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0086.788] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0086.788] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598e32c) returned 1 [0086.788] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x2af92e0 | out: lpFileInformation=0x2af92e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea538e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea538e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0086.788] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598e328) returned 1 [0086.800] EtwEventActivityIdControl () returned 0x0 [0086.801] SetEvent (hEvent=0x3fc) returned 1 [0086.801] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x598eb0c*=0x3fc, lpdwindex=0x598e930 | out: lpdwindex=0x598e930) returned 0x0 [0086.803] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0086.803] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0086.803] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598e9ec) returned 1 [0086.803] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x2afc2f0 | out: lpFileInformation=0x2afc2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea538e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea538e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0086.803] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598e9e8) returned 1 [0086.803] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\powershellget.psd1")) returned 0xffffffff [0086.804] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\powershellget.psm1")) returned 0xffffffff [0086.804] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.cdxml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\powershellget.cdxml")) returned 0xffffffff [0086.804] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.xaml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\powershellget.xaml")) returned 0xffffffff [0086.804] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.ni.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\powershellget.ni.dll")) returned 0xffffffff [0086.804] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\powershellget.dll")) returned 0xffffffff [0086.807] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules")) returned 0x10 [0086.808] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ecfc) returned 1 [0086.808] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x33 [0086.808] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", nBufferLength=0x33, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", lpFilePart=0x0) returned 0x32 [0086.808] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\*", lpFindFileData=0x598eaac | out: lpFindFileData=0x598eaac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x498007e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x498007e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x68e748 [0086.808] FindNextFileW (in: hFindFile=0x68e748, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x498007e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x498007e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0086.809] FindNextFileW (in: hFindFile=0x68e748, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1e4bcac7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e4bcac7, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BitsTransfer", cAlternateFileName="BITSTR~1")) returned 1 [0086.809] FindNextFileW (in: hFindFile=0x68e748, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CimCmdlets", cAlternateFileName="CIMCMD~1")) returned 1 [0086.809] FindNextFileW (in: hFindFile=0x68e748, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ISE", cAlternateFileName="")) returned 1 [0086.809] FindNextFileW (in: hFindFile=0x68e748, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496cfce0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496cfce0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496cfce0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Archive", cAlternateFileName="MICROS~1.ARC")) returned 1 [0086.809] FindNextFileW (in: hFindFile=0x68e748, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Diagnostics", cAlternateFileName="MICROS~1.DIA")) returned 1 [0086.809] FindNextFileW (in: hFindFile=0x68e748, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Host", cAlternateFileName="MICROS~1.HOS")) returned 1 [0086.809] FindNextFileW (in: hFindFile=0x68e748, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Management", cAlternateFileName="MICROS~1.MAN")) returned 1 [0086.809] FindNextFileW (in: hFindFile=0x68e748, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496cfce0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496cfce0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496cfce0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.ODataUtils", cAlternateFileName="MICROS~1.ODA")) returned 1 [0086.809] FindNextFileW (in: hFindFile=0x68e748, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x498007e0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x498007e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x498007e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Security", cAlternateFileName="MICROS~1.SEC")) returned 1 [0086.809] FindNextFileW (in: hFindFile=0x68e748, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility", cAlternateFileName="MICROS~1.UTI")) returned 1 [0086.809] FindNextFileW (in: hFindFile=0x68e748, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x498007e0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x498007e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x498007e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WSMan.Management", cAlternateFileName="MICROS~2.MAN")) returned 1 [0086.809] FindNextFileW (in: hFindFile=0x68e748, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x497da680, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x497da680, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSDesiredStateConfiguration", cAlternateFileName="PSDESI~1")) returned 1 [0086.809] FindNextFileW (in: hFindFile=0x68e748, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8100bf6e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8100bf6e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSDiagnostics", cAlternateFileName="PSDIAG~1")) returned 1 [0086.809] FindNextFileW (in: hFindFile=0x68e748, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSScheduledJob", cAlternateFileName="PSSCHE~1")) returned 1 [0086.809] FindNextFileW (in: hFindFile=0x68e748, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1e4bcac7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e4bcac7, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TroubleshootingPack", cAlternateFileName="TROUBL~1")) returned 1 [0086.809] FindNextFileW (in: hFindFile=0x68e748, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0086.809] FindClose (in: hFindFile=0x68e748 | out: hFindFile=0x68e748) returned 1 [0086.810] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea6c) returned 1 [0086.810] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598eccc) returned 1 [0086.810] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\modules.psd1")) returned 0xffffffff [0086.810] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\modules.psm1")) returned 0xffffffff [0086.810] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.cdxml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\modules.cdxml")) returned 0xffffffff [0086.810] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.xaml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\modules.xaml")) returned 0xffffffff [0086.810] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.ni.dll" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\modules.ni.dll")) returned 0xffffffff [0086.810] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.dll" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\modules.dll")) returned 0xffffffff [0086.811] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x40 [0086.811] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", nBufferLength=0x40, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", lpFilePart=0x0) returned 0x3f [0086.811] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea4c) returned 1 [0086.811] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\bitstransfer"), fInfoLevelId=0x0, lpFileInformation=0x598ed10 | out: lpFileInformation=0x598ed10*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1e4bcac7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e4bcac7, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0086.811] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea48) returned 1 [0086.811] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0086.811] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", nBufferLength=0x3e, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", lpFilePart=0x0) returned 0x3d [0086.811] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea4c) returned 1 [0086.811] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\cimcmdlets"), fInfoLevelId=0x0, lpFileInformation=0x598ed10 | out: lpFileInformation=0x598ed10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0086.812] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea48) returned 1 [0086.812] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x37 [0086.812] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE", nBufferLength=0x37, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE", lpFilePart=0x0) returned 0x36 [0086.812] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea4c) returned 1 [0086.812] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\ise"), fInfoLevelId=0x0, lpFileInformation=0x598ed10 | out: lpFileInformation=0x598ed10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0086.813] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea48) returned 1 [0086.813] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0086.813] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", nBufferLength=0x50, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", lpFilePart=0x0) returned 0x4f [0086.813] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea4c) returned 1 [0086.813] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.archive"), fInfoLevelId=0x0, lpFileInformation=0x598ed10 | out: lpFileInformation=0x598ed10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496cfce0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496cfce0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496cfce0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0086.814] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea48) returned 1 [0086.814] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0086.814] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics", nBufferLength=0x54, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics", lpFilePart=0x0) returned 0x53 [0086.814] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea4c) returned 1 [0086.814] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.diagnostics"), fInfoLevelId=0x0, lpFileInformation=0x598ed10 | out: lpFileInformation=0x598ed10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0086.814] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea48) returned 1 [0086.814] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4d [0086.814] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host", nBufferLength=0x4d, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host", lpFilePart=0x0) returned 0x4c [0086.815] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea4c) returned 1 [0086.815] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.host"), fInfoLevelId=0x0, lpFileInformation=0x598ed10 | out: lpFileInformation=0x598ed10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0086.815] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea48) returned 1 [0086.815] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0086.815] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", nBufferLength=0x53, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", lpFilePart=0x0) returned 0x52 [0086.815] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea4c) returned 1 [0086.815] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management"), fInfoLevelId=0x0, lpFileInformation=0x598ed10 | out: lpFileInformation=0x598ed10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0086.815] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea48) returned 1 [0086.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0086.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils", nBufferLength=0x53, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils", lpFilePart=0x0) returned 0x52 [0086.816] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea4c) returned 1 [0086.816] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.odatautils"), fInfoLevelId=0x0, lpFileInformation=0x598ed10 | out: lpFileInformation=0x598ed10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496cfce0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496cfce0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496cfce0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0086.816] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea48) returned 1 [0086.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x51 [0086.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security", nBufferLength=0x51, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security", lpFilePart=0x0) returned 0x50 [0086.816] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea4c) returned 1 [0086.816] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.security"), fInfoLevelId=0x0, lpFileInformation=0x598ed10 | out: lpFileInformation=0x598ed10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x498007e0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x498007e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x498007e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0086.817] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea48) returned 1 [0086.817] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0086.817] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x50, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", lpFilePart=0x0) returned 0x4f [0086.817] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea4c) returned 1 [0086.817] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility"), fInfoLevelId=0x0, lpFileInformation=0x598ed10 | out: lpFileInformation=0x598ed10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0086.818] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea48) returned 1 [0086.818] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0086.818] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management", nBufferLength=0x4e, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management", lpFilePart=0x0) returned 0x4d [0086.818] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea4c) returned 1 [0086.818] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.wsman.management"), fInfoLevelId=0x0, lpFileInformation=0x598ed10 | out: lpFileInformation=0x598ed10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x498007e0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x498007e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x498007e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0086.818] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea48) returned 1 [0086.818] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4f [0086.818] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration", nBufferLength=0x4f, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration", lpFilePart=0x0) returned 0x4e [0086.818] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea4c) returned 1 [0086.818] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\psdesiredstateconfiguration"), fInfoLevelId=0x0, lpFileInformation=0x598ed10 | out: lpFileInformation=0x598ed10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x497da680, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x497da680, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0086.819] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea48) returned 1 [0086.819] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 [0086.819] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics", nBufferLength=0x41, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics", lpFilePart=0x0) returned 0x40 [0086.819] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea4c) returned 1 [0086.819] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\psdiagnostics"), fInfoLevelId=0x0, lpFileInformation=0x598ed10 | out: lpFileInformation=0x598ed10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8100bf6e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8100bf6e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0086.820] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea48) returned 1 [0086.820] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x42 [0086.820] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob", nBufferLength=0x42, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob", lpFilePart=0x0) returned 0x41 [0086.820] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea4c) returned 1 [0086.820] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\psscheduledjob"), fInfoLevelId=0x0, lpFileInformation=0x598ed10 | out: lpFileInformation=0x598ed10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0086.820] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea48) returned 1 [0086.820] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TroubleshootingPack", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x47 [0086.820] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TroubleshootingPack", nBufferLength=0x47, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TroubleshootingPack", lpFilePart=0x0) returned 0x46 [0086.820] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea4c) returned 1 [0086.821] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TroubleshootingPack" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\troubleshootingpack"), fInfoLevelId=0x0, lpFileInformation=0x598ed10 | out: lpFileInformation=0x598ed10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1e4bcac7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e4bcac7, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0086.821] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea48) returned 1 [0086.821] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ecfc) returned 1 [0086.821] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0086.821] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x50, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", lpFilePart=0x0) returned 0x4f [0086.821] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\*", lpFindFileData=0x598eaac | out: lpFindFileData=0x598eaac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x68e748 [0086.821] FindNextFileW (in: hFindFile=0x68e748, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0086.822] FindNextFileW (in: hFindFile=0x68e748, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e2d1d80, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e2d1d80, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f20f74b, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x982, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility.psd1", cAlternateFileName="")) returned 1 [0086.822] FindNextFileW (in: hFindFile=0x68e748, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e285ac0, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e285ac0, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility.psm1", cAlternateFileName="")) returned 1 [0086.822] FindNextFileW (in: hFindFile=0x68e748, lpFindFileData=0x598eab4 | out: lpFindFileData=0x598eab4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e285ac0, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e285ac0, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility.psm1", cAlternateFileName="")) returned 0 [0086.822] FindClose (in: hFindFile=0x68e748 | out: hFindFile=0x68e748) returned 1 [0086.822] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea6c) returned 1 [0086.822] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598eccc) returned 1 [0086.822] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1")) returned 0x20 [0086.822] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0086.822] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0086.822] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0086.823] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0086.823] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ea74) returned 1 [0086.823] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), fInfoLevelId=0x0, lpFileInformation=0x2b04c70 | out: lpFileInformation=0x2b04c70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e2d1d80, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e2d1d80, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f20f74b, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x982)) returned 1 [0086.823] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ea70) returned 1 [0086.823] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0086.823] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0086.823] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598ebdc) returned 1 [0086.823] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3c8 [0086.824] GetFileType (hFile=0x3c8) returned 0x1 [0086.824] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598ebd8) returned 1 [0086.824] GetFileType (hFile=0x3c8) returned 0x1 [0086.824] SetFilePointer (in: hFile=0x3c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x598ec18*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598ec18*=0) returned 0x0 [0086.824] ReadFile (in: hFile=0x3c8, lpBuffer=0x2b05aa0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598ec44, lpOverlapped=0x0 | out: lpBuffer=0x2b05aa0*, lpNumberOfBytesRead=0x598ec44*=0x982, lpOverlapped=0x0) returned 1 [0086.826] SetFilePointer (in: hFile=0x3c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x598ec18*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598ec18*=0) returned 0x982 [0086.826] ReadFile (in: hFile=0x3c8, lpBuffer=0x2b04fb6, nNumberOfBytesToRead=0x27e, lpNumberOfBytesRead=0x598ec44, lpOverlapped=0x0 | out: lpBuffer=0x2b04fb6*, lpNumberOfBytesRead=0x598ec44*=0x0, lpOverlapped=0x0) returned 1 [0086.826] SetFilePointer (in: hFile=0x3c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x598ec18*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598ec18*=0) returned 0x982 [0086.826] ReadFile (in: hFile=0x3c8, lpBuffer=0x2b05aa0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598ec44, lpOverlapped=0x0 | out: lpBuffer=0x2b05aa0*, lpNumberOfBytesRead=0x598ec44*=0x0, lpOverlapped=0x0) returned 1 [0086.826] CloseHandle (hObject=0x3c8) returned 1 [0086.828] CoCreateGuid (in: pguid=0x598ed44 | out: pguid=0x598ed44*(Data1=0xc9db23a9, Data2=0xd8bd, Data3=0x40e2, Data4=([0]=0x95, [1]=0xd4, [2]=0x9c, [3]=0xf7, [4]=0x18, [5]=0x2b, [6]=0xe3, [7]=0x45))) returned 0x0 [0086.828] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3c8 [0086.828] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x404 [0086.829] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x368 [0086.829] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x408 [0086.829] SetEvent (hEvent=0x408) returned 1 [0086.829] SetEvent (hEvent=0x3c8) returned 1 [0086.829] SetEvent (hEvent=0x404) returned 1 [0086.829] SetEvent (hEvent=0x368) returned 1 [0086.829] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x40c [0086.829] SetThreadUILanguage (LangId=0x0) returned 0x409 [0086.873] EtwEventActivityIdControl () returned 0x0 [0086.873] EtwEventActivityIdControl () returned 0x0 [0086.873] EtwEventActivityIdControl () returned 0x0 [0086.885] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1")) returned 0x20 [0086.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0086.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0086.886] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598e570) returned 1 [0086.886] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), fInfoLevelId=0x0, lpFileInformation=0x598e834 | out: lpFileInformation=0x598e834*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e2d1d80, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e2d1d80, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f20f74b, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x982)) returned 1 [0086.887] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598e56c) returned 1 [0086.887] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1")) returned 0x20 [0086.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0086.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0086.887] NtQuerySystemInformation (in: SystemInformationClass=0xa4, SystemInformation=0x598e478, Length=0x20, ResultLength=0x598e4e8 | out: SystemInformation=0x598e478, ResultLength=0x598e4e8*=0x0) returned 0xc0000003 [0086.887] GetSystemInfo (in: lpSystemInfo=0x598e4f4 | out: lpSystemInfo=0x598e4f4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5507)) [0086.887] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x598e484 | out: phkResult=0x598e484*=0x410) returned 0x0 [0086.888] RegQueryValueExW (in: hKey=0x410, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x598e4a0, lpData=0x0, lpcbData=0x598e49c*=0x0 | out: lpType=0x598e4a0*=0x0, lpData=0x0, lpcbData=0x598e49c*=0x0) returned 0x2 [0086.888] RegCloseKey (hKey=0x410) returned 0x0 [0086.888] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0086.888] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0086.888] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598e3fc) returned 1 [0086.888] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x410 [0086.889] GetFileType (hFile=0x410) returned 0x1 [0086.889] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598e3f8) returned 1 [0086.889] GetFileType (hFile=0x410) returned 0x1 [0086.889] SetFilePointer (in: hFile=0x410, lDistanceToMove=0, lpDistanceToMoveHigh=0x598e438*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598e438*=0) returned 0x0 [0086.889] ReadFile (in: hFile=0x410, lpBuffer=0x2b395c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598e464, lpOverlapped=0x0 | out: lpBuffer=0x2b395c4*, lpNumberOfBytesRead=0x598e464*=0x982, lpOverlapped=0x0) returned 1 [0086.889] SetFilePointer (in: hFile=0x410, lDistanceToMove=0, lpDistanceToMoveHigh=0x598e438*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598e438*=0) returned 0x982 [0086.889] ReadFile (in: hFile=0x410, lpBuffer=0x2b38ada, nNumberOfBytesToRead=0x27e, lpNumberOfBytesRead=0x598e464, lpOverlapped=0x0 | out: lpBuffer=0x2b38ada*, lpNumberOfBytesRead=0x598e464*=0x0, lpOverlapped=0x0) returned 1 [0086.889] SetFilePointer (in: hFile=0x410, lDistanceToMove=0, lpDistanceToMoveHigh=0x598e438*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598e438*=0) returned 0x982 [0086.890] ReadFile (in: hFile=0x410, lpBuffer=0x2b395c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598e464, lpOverlapped=0x0 | out: lpBuffer=0x2b395c4*, lpNumberOfBytesRead=0x598e464*=0x0, lpOverlapped=0x0) returned 1 [0086.890] NtQuerySystemInformation (in: SystemInformationClass=0xa4, SystemInformation=0x598e3cc, Length=0x20, ResultLength=0x598e43c | out: SystemInformation=0x598e3cc, ResultLength=0x598e43c*=0x0) returned 0xc0000003 [0086.890] GetSystemInfo (in: lpSystemInfo=0x598e448 | out: lpSystemInfo=0x598e448*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5507)) [0086.890] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x598e3d8 | out: phkResult=0x598e3d8*=0x414) returned 0x0 [0086.891] RegQueryValueExW (in: hKey=0x414, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x598e3f4, lpData=0x0, lpcbData=0x598e3f0*=0x0 | out: lpType=0x598e3f4*=0x0, lpData=0x0, lpcbData=0x598e3f0*=0x0) returned 0x2 [0086.891] RegCloseKey (hKey=0x414) returned 0x0 [0086.891] CloseHandle (hObject=0x410) returned 1 [0086.892] CoCreateGuid (in: pguid=0x598e4c8 | out: pguid=0x598e4c8*(Data1=0xa5fa953b, Data2=0x75fd, Data3=0x455c, Data4=([0]=0xb5, [1]=0x30, [2]=0x5, [3]=0xfb, [4]=0x5e, [5]=0x68, [6]=0xd7, [7]=0x21))) returned 0x0 [0086.892] QueryPerformanceCounter (in: lpPerformanceCount=0x598e228 | out: lpPerformanceCount=0x598e228*=1802790197796) returned 1 [0086.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0086.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0086.892] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598df14) returned 1 [0086.892] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), fInfoLevelId=0x0, lpFileInformation=0x598e1d8 | out: lpFileInformation=0x598e1d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e2d1d80, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e2d1d80, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f20f74b, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x982)) returned 1 [0086.892] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598df10) returned 1 [0086.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0086.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0086.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0086.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0086.893] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598dea8) returned 1 [0086.893] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), fInfoLevelId=0x0, lpFileInformation=0x598e16c | out: lpFileInformation=0x598e16c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e2d1d80, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e2d1d80, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f20f74b, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x982)) returned 1 [0086.893] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598dea4) returned 1 [0086.893] CoTaskMemAlloc (cb=0x10) returned 0x4e81720 [0086.893] CoTaskMemAlloc (cb=0x10) returned 0x4e81840 [0086.893] CoTaskMemAlloc (cb=0xe4) returned 0x695c58 [0086.893] CoTaskMemAlloc (cb=0x30) returned 0x4e7a1b0 [0086.893] WinVerifyTrust () returned 0x800b0100 [0086.907] CoTaskMemFree (pv=0x4e81720) [0086.907] CoTaskMemFree (pv=0x4e7a1b0) [0086.907] CryptCATHandleFromStore () returned 0x6845c0 [0086.907] WTHelperGetProvSignerFromChain () returned 0x0 [0086.907] CoTaskMemAlloc (cb=0x10) returned 0x4e81720 [0086.907] CoTaskMemAlloc (cb=0x30) returned 0x4e7a1b0 [0086.907] WinVerifyTrust () returned 0x0 [0086.907] CoTaskMemFree (pv=0x4e7a1b0) [0086.907] CoTaskMemFree (pv=0x4e81720) [0086.907] CoTaskMemFree (pv=0x695c58) [0086.907] CoTaskMemFree (pv=0x4e81840) [0086.917] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\en-US\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\en-us\\microsoft.powershell.utility.psd1")) returned 0xffffffff [0086.917] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\en\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\en\\microsoft.powershell.utility.psd1")) returned 0xffffffff [0086.918] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0086.918] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0086.918] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0086.918] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x50, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", lpFilePart=0x0) returned 0x4f [0086.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\PSGetModuleInfo.xml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x64 [0086.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\PSGetModuleInfo.xml", nBufferLength=0x64, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\PSGetModuleInfo.xml", lpFilePart=0x0) returned 0x63 [0086.929] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598d964) returned 1 [0086.930] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\PSGetModuleInfo.xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\psgetmoduleinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0x598dc28 | out: lpFileInformation=0x598dc28*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0086.930] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598d960) returned 1 [0086.930] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0086.930] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Commands.Utility.dll\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.commands.utility.dll\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0086.930] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x598d8e0, nSize=0xc6 | out: lpBuffer="") returned 0xc5 [0086.933] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules" (normalized: "c:\\program files\\windowspowershell\\modules")) returned 0x10 [0086.934] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x51 [0086.934] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x51, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", lpFilePart=0x0) returned 0x50 [0086.934] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598d76c) returned 1 [0086.934] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.commands.utility"), fInfoLevelId=0x0, lpFileInformation=0x598da30 | out: lpFileInformation=0x598da30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0086.934] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598d768) returned 1 [0086.937] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.commands.utility\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0086.940] GetFileAttributesW (lpFileName="C:\\Users\\kEecfMwgj\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\keecfmwgj\\documents\\windowspowershell\\modules")) returned 0xffffffff [0086.946] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules" (normalized: "c:\\program files (x86)\\windowspowershell\\modules")) returned 0x10 [0086.947] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x57 [0086.947] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x57, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", lpFilePart=0x0) returned 0x56 [0086.947] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598d76c) returned 1 [0086.947] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\microsoft.powershell.commands.utility"), fInfoLevelId=0x0, lpFileInformation=0x598da30 | out: lpFileInformation=0x598da30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0086.947] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598d768) returned 1 [0086.951] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\microsoft.powershell.commands.utility\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0086.953] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules")) returned 0x10 [0086.954] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x59 [0086.954] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x59, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility", lpFilePart=0x0) returned 0x58 [0086.954] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598d76c) returned 1 [0086.954] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.commands.utility"), fInfoLevelId=0x0, lpFileInformation=0x598da30 | out: lpFileInformation=0x598da30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0086.955] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598d768) returned 1 [0086.958] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.commands.utility\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0087.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x9a [0087.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x9a, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x99 [0087.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x9a [0087.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x9a, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x99 [0087.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x9a [0087.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x9a, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x99 [0087.657] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1")) returned 0x20 [0087.657] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0087.657] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0087.657] NtQuerySystemInformation (in: SystemInformationClass=0xa4, SystemInformation=0x598d790, Length=0x20, ResultLength=0x598d800 | out: SystemInformation=0x598d790, ResultLength=0x598d800*=0x0) returned 0xc0000003 [0087.657] GetSystemInfo (in: lpSystemInfo=0x598d80c | out: lpSystemInfo=0x598d80c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5507)) [0087.658] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x598d79c | out: phkResult=0x598d79c*=0x414) returned 0x0 [0087.658] RegQueryValueExW (in: hKey=0x414, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x598d7b8, lpData=0x0, lpcbData=0x598d7b4*=0x0 | out: lpType=0x598d7b8*=0x0, lpData=0x0, lpcbData=0x598d7b4*=0x0) returned 0x2 [0087.658] RegCloseKey (hKey=0x414) returned 0x0 [0087.658] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0087.658] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0087.658] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598d540) returned 1 [0087.659] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x2bdf1d0 | out: lpFileInformation=0x2bdf1d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e285ac0, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e285ac0, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778)) returned 1 [0087.659] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598d53c) returned 1 [0087.659] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0087.659] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0087.659] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598d500) returned 1 [0087.659] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x598d7c4 | out: lpFileInformation=0x598d7c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e285ac0, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e285ac0, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778)) returned 1 [0087.659] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598d4fc) returned 1 [0087.659] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0087.659] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0087.660] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0087.660] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0087.660] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598d494) returned 1 [0087.660] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x598d758 | out: lpFileInformation=0x598d758*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e285ac0, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e285ac0, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778)) returned 1 [0087.660] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598d490) returned 1 [0087.660] CoTaskMemAlloc (cb=0x10) returned 0x4ea0be8 [0087.660] CoTaskMemAlloc (cb=0x10) returned 0x4ea0bb8 [0087.660] CoTaskMemAlloc (cb=0xe4) returned 0x695c58 [0087.660] CoTaskMemAlloc (cb=0x30) returned 0x4e7a3e0 [0087.660] WinVerifyTrust () returned 0x800b0100 [0087.678] CoTaskMemFree (pv=0x4ea0be8) [0087.678] CoTaskMemFree (pv=0x4e7a3e0) [0087.678] CryptCATHandleFromStore () returned 0x6846e0 [0087.678] WTHelperGetProvSignerFromChain () returned 0x0 [0087.679] CoTaskMemAlloc (cb=0x10) returned 0x4ea0be8 [0087.679] CoTaskMemAlloc (cb=0x30) returned 0x4e7a3e0 [0087.679] WinVerifyTrust () returned 0x0 [0087.679] CoTaskMemFree (pv=0x4e7a3e0) [0087.679] CoTaskMemFree (pv=0x4ea0be8) [0087.679] CoTaskMemFree (pv=0x695c58) [0087.679] CoTaskMemFree (pv=0x4ea0bb8) [0087.679] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0087.679] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0087.679] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598d74c) returned 1 [0087.680] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x414 [0087.680] GetFileType (hFile=0x414) returned 0x1 [0087.680] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598d748) returned 1 [0087.680] GetFileType (hFile=0x414) returned 0x1 [0087.680] SetFilePointer (in: hFile=0x414, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d788*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d788*=0) returned 0x0 [0087.680] ReadFile (in: hFile=0x414, lpBuffer=0x2be09f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7b4, lpOverlapped=0x0 | out: lpBuffer=0x2be09f0*, lpNumberOfBytesRead=0x598d7b4*=0x1000, lpOverlapped=0x0) returned 1 [0087.681] SetFilePointer (in: hFile=0x414, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d788*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d788*=0) returned 0x1000 [0087.681] ReadFile (in: hFile=0x414, lpBuffer=0x2be09f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7b4, lpOverlapped=0x0 | out: lpBuffer=0x2be09f0*, lpNumberOfBytesRead=0x598d7b4*=0x1000, lpOverlapped=0x0) returned 1 [0087.681] SetFilePointer (in: hFile=0x414, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d788*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d788*=0) returned 0x2000 [0087.682] ReadFile (in: hFile=0x414, lpBuffer=0x2be09f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7b4, lpOverlapped=0x0 | out: lpBuffer=0x2be09f0*, lpNumberOfBytesRead=0x598d7b4*=0x1000, lpOverlapped=0x0) returned 1 [0087.682] SetFilePointer (in: hFile=0x414, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d788*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d788*=0) returned 0x3000 [0087.682] ReadFile (in: hFile=0x414, lpBuffer=0x2be09f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7b4, lpOverlapped=0x0 | out: lpBuffer=0x2be09f0*, lpNumberOfBytesRead=0x598d7b4*=0x1000, lpOverlapped=0x0) returned 1 [0087.682] SetFilePointer (in: hFile=0x414, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d788*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d788*=0) returned 0x4000 [0087.683] ReadFile (in: hFile=0x414, lpBuffer=0x2be09f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7b4, lpOverlapped=0x0 | out: lpBuffer=0x2be09f0*, lpNumberOfBytesRead=0x598d7b4*=0x1000, lpOverlapped=0x0) returned 1 [0087.683] SetFilePointer (in: hFile=0x414, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d788*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d788*=0) returned 0x5000 [0087.683] ReadFile (in: hFile=0x414, lpBuffer=0x2be09f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7b4, lpOverlapped=0x0 | out: lpBuffer=0x2be09f0*, lpNumberOfBytesRead=0x598d7b4*=0x1000, lpOverlapped=0x0) returned 1 [0087.683] SetFilePointer (in: hFile=0x414, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d788*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d788*=0) returned 0x6000 [0087.683] ReadFile (in: hFile=0x414, lpBuffer=0x2be09f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7b4, lpOverlapped=0x0 | out: lpBuffer=0x2be09f0*, lpNumberOfBytesRead=0x598d7b4*=0x1000, lpOverlapped=0x0) returned 1 [0087.683] SetFilePointer (in: hFile=0x414, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d788*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d788*=0) returned 0x7000 [0087.684] ReadFile (in: hFile=0x414, lpBuffer=0x2be09f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7b4, lpOverlapped=0x0 | out: lpBuffer=0x2be09f0*, lpNumberOfBytesRead=0x598d7b4*=0x778, lpOverlapped=0x0) returned 1 [0087.684] SetFilePointer (in: hFile=0x414, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d788*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d788*=0) returned 0x7778 [0087.684] ReadFile (in: hFile=0x414, lpBuffer=0x2be00fc, nNumberOfBytesToRead=0x88, lpNumberOfBytesRead=0x598d7b4, lpOverlapped=0x0 | out: lpBuffer=0x2be00fc*, lpNumberOfBytesRead=0x598d7b4*=0x0, lpOverlapped=0x0) returned 1 [0087.684] SetFilePointer (in: hFile=0x414, lDistanceToMove=0, lpDistanceToMoveHigh=0x598d788*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x598d788*=0) returned 0x7778 [0087.684] ReadFile (in: hFile=0x414, lpBuffer=0x2be09f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x598d7b4, lpOverlapped=0x0 | out: lpBuffer=0x2be09f0*, lpNumberOfBytesRead=0x598d7b4*=0x0, lpOverlapped=0x0) returned 1 [0087.684] NtQuerySystemInformation (in: SystemInformationClass=0xa4, SystemInformation=0x598d71c, Length=0x20, ResultLength=0x598d78c | out: SystemInformation=0x598d71c, ResultLength=0x598d78c*=0x0) returned 0xc0000003 [0087.685] GetSystemInfo (in: lpSystemInfo=0x598d798 | out: lpSystemInfo=0x598d798*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5507)) [0087.685] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x598d728 | out: phkResult=0x598d728*=0x418) returned 0x0 [0087.685] RegQueryValueExW (in: hKey=0x418, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x598d744, lpData=0x0, lpcbData=0x598d740*=0x0 | out: lpType=0x598d744*=0x0, lpData=0x0, lpcbData=0x598d740*=0x0) returned 0x2 [0087.685] RegCloseKey (hKey=0x418) returned 0x0 [0087.685] CloseHandle (hObject=0x414) returned 1 [0087.844] CoCreateGuid (in: pguid=0x598d85c | out: pguid=0x598d85c*(Data1=0xc95e31f9, Data2=0x8a8a, Data3=0x433a, Data4=([0]=0x83, [1]=0xd9, [2]=0xaf, [3]=0xe3, [4]=0xa7, [5]=0x52, [6]=0x42, [7]=0xd1))) returned 0x0 [0087.845] GetCurrentProcess () returned 0xffffffff [0087.845] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x598d828 | out: TokenHandle=0x598d828*=0x414) returned 1 [0087.846] GetTokenInformation (in: TokenHandle=0x414, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x598d828 | out: TokenInformation=0x0, ReturnLength=0x598d828) returned 0 [0087.846] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4e9dc30 [0087.846] GetTokenInformation (in: TokenHandle=0x414, TokenInformationClass=0x8, TokenInformation=0x4e9dc30, TokenInformationLength=0x4, ReturnLength=0x598d828 | out: TokenInformation=0x4e9dc30, ReturnLength=0x598d828) returned 1 [0087.846] LocalFree (hMem=0x4e9dc30) returned 0x0 [0087.846] DuplicateTokenEx (in: hExistingToken=0x414, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x598d830 | out: phNewToken=0x598d830*=0x418) returned 1 [0087.846] CheckTokenMembership (in: TokenHandle=0x418, SidToCheck=0x2c80380*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x598d840 | out: IsMember=0x598d840) returned 1 [0087.846] CloseHandle (hObject=0x418) returned 1 [0087.871] QueryPerformanceCounter (in: lpPerformanceCount=0x598d5cc | out: lpPerformanceCount=0x598d5cc*=1802888116974) returned 1 [0087.871] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0087.871] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0087.871] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598d2b8) returned 1 [0087.871] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x598d57c | out: lpFileInformation=0x598d57c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e285ac0, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e285ac0, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778)) returned 1 [0087.872] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598d2b4) returned 1 [0087.872] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0087.872] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0087.872] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0087.872] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0087.872] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x598d24c) returned 1 [0087.872] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x598d510 | out: lpFileInformation=0x598d510*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e285ac0, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e285ac0, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778)) returned 1 [0087.872] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x598d248) returned 1 [0087.872] CoTaskMemAlloc (cb=0x10) returned 0x4ea0be8 [0087.872] CoTaskMemAlloc (cb=0x10) returned 0x4ea0bd0 [0087.872] CoTaskMemAlloc (cb=0xe4) returned 0x695c58 [0087.872] CoTaskMemAlloc (cb=0x30) returned 0x4e9de48 [0087.872] WinVerifyTrust () returned 0x800b0100 [0087.884] CoTaskMemFree (pv=0x4ea0be8) [0087.884] CoTaskMemFree (pv=0x4e9de48) [0087.884] CryptCATHandleFromStore () returned 0x684770 [0087.885] WTHelperGetProvSignerFromChain () returned 0x0 [0087.885] CoTaskMemAlloc (cb=0x10) returned 0x4ea0be8 [0087.885] CoTaskMemAlloc (cb=0x30) returned 0x4e9de48 [0087.885] WinVerifyTrust () returned 0x0 [0087.885] CoTaskMemFree (pv=0x4e9de48) [0087.885] CoTaskMemFree (pv=0x4ea0be8) [0087.885] CoTaskMemFree (pv=0x695c58) [0087.885] CoTaskMemFree (pv=0x4ea0bd0) [0087.904] CoCreateGuid (in: pguid=0x598d4a8 | out: pguid=0x598d4a8*(Data1=0xd76f3e21, Data2=0xb773, Data3=0x4fb2, Data4=([0]=0x9e, [1]=0xf9, [2]=0xb6, [3]=0xd, [4]=0x7b, [5]=0xc8, [6]=0x30, [7]=0xdb))) returned 0x0 [0087.905] CoCreateGuid (in: pguid=0x598d4a8 | out: pguid=0x598d4a8*(Data1=0x194a2a2a, Data2=0xd304, Data3=0x4d9a, Data4=([0]=0xb2, [1]=0x9f, [2]=0x79, [3]=0x55, [4]=0x98, [5]=0x8b, [6]=0x97, [7]=0x4b))) returned 0x0 [0087.905] CoCreateGuid (in: pguid=0x598d4a8 | out: pguid=0x598d4a8*(Data1=0x209da5e6, Data2=0xe60a, Data3=0x4dc5, Data4=([0]=0xbf, [1]=0xc8, [2]=0x8c, [3]=0xab, [4]=0x9d, [5]=0xef, [6]=0x3c, [7]=0x74))) returned 0x0 [0087.905] CoCreateGuid (in: pguid=0x598d4a8 | out: pguid=0x598d4a8*(Data1=0xd1bc171e, Data2=0xae44, Data3=0x4191, Data4=([0]=0x93, [1]=0x5f, [2]=0xd5, [3]=0x2c, [4]=0xbc, [5]=0xb1, [6]=0x17, [7]=0xb2))) returned 0x0 [0087.907] CoCreateGuid (in: pguid=0x598d4a8 | out: pguid=0x598d4a8*(Data1=0x73b4379d, Data2=0xcc32, Data3=0x4800, Data4=([0]=0x99, [1]=0x4, [2]=0x38, [3]=0x74, [4]=0x14, [5]=0xc2, [6]=0xd9, [7]=0xaf))) returned 0x0 [0087.907] CoCreateGuid (in: pguid=0x598d4a8 | out: pguid=0x598d4a8*(Data1=0x3ead2f76, Data2=0x7297, Data3=0x4864, Data4=([0]=0xb0, [1]=0xd9, [2]=0xeb, [3]=0x31, [4]=0xc6, [5]=0xe9, [6]=0x82, [7]=0x58))) returned 0x0 [0087.977] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x598e800 | out: phkResult=0x598e800*=0x3fc) returned 0x0 [0087.977] RegQueryValueExW (in: hKey=0x3fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x598e820, lpData=0x0, lpcbData=0x598e81c*=0x0 | out: lpType=0x598e820*=0x1, lpData=0x0, lpcbData=0x598e81c*=0x56) returned 0x0 [0087.977] RegQueryValueExW (in: hKey=0x3fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x598e820, lpData=0x2665c40, lpcbData=0x598e81c*=0x56 | out: lpType=0x598e820*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x598e81c*=0x56) returned 0x0 [0087.977] RegCloseKey (hKey=0x3fc) returned 0x0 [0087.977] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x598e800 | out: phkResult=0x598e800*=0x3fc) returned 0x0 [0087.978] RegQueryValueExW (in: hKey=0x3fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x598e820, lpData=0x0, lpcbData=0x598e81c*=0x0 | out: lpType=0x598e820*=0x1, lpData=0x0, lpcbData=0x598e81c*=0x56) returned 0x0 [0087.978] RegQueryValueExW (in: hKey=0x3fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x598e820, lpData=0x2665f54, lpcbData=0x598e81c*=0x56 | out: lpType=0x598e820*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x598e81c*=0x56) returned 0x0 [0087.978] RegCloseKey (hKey=0x3fc) returned 0x0 [0087.978] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x598e800 | out: phkResult=0x598e800*=0x3fc) returned 0x0 [0087.978] RegQueryValueExW (in: hKey=0x3fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x598e820, lpData=0x0, lpcbData=0x598e81c*=0x0 | out: lpType=0x598e820*=0x1, lpData=0x0, lpcbData=0x598e81c*=0x56) returned 0x0 [0087.978] RegQueryValueExW (in: hKey=0x3fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x598e820, lpData=0x2666250, lpcbData=0x598e81c*=0x56 | out: lpType=0x598e820*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x598e81c*=0x56) returned 0x0 [0087.978] RegCloseKey (hKey=0x3fc) returned 0x0 [0087.978] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x598e800 | out: phkResult=0x598e800*=0x3fc) returned 0x0 [0087.979] RegQueryValueExW (in: hKey=0x3fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x598e820, lpData=0x0, lpcbData=0x598e81c*=0x0 | out: lpType=0x598e820*=0x1, lpData=0x0, lpcbData=0x598e81c*=0x56) returned 0x0 [0087.979] RegQueryValueExW (in: hKey=0x3fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x598e820, lpData=0x2666558, lpcbData=0x598e81c*=0x56 | out: lpType=0x598e820*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x598e81c*=0x56) returned 0x0 [0087.979] RegCloseKey (hKey=0x3fc) returned 0x0 [0087.979] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x598e800 | out: phkResult=0x598e800*=0x3fc) returned 0x0 [0087.979] RegQueryValueExW (in: hKey=0x3fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x598e820, lpData=0x0, lpcbData=0x598e81c*=0x0 | out: lpType=0x598e820*=0x1, lpData=0x0, lpcbData=0x598e81c*=0x56) returned 0x0 [0087.979] RegQueryValueExW (in: hKey=0x3fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x598e820, lpData=0x266686c, lpcbData=0x598e81c*=0x56 | out: lpType=0x598e820*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x598e81c*=0x56) returned 0x0 [0087.979] RegCloseKey (hKey=0x3fc) returned 0x0 [0087.979] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x598e800 | out: phkResult=0x598e800*=0x3fc) returned 0x0 [0087.980] RegQueryValueExW (in: hKey=0x3fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x598e820, lpData=0x0, lpcbData=0x598e81c*=0x0 | out: lpType=0x598e820*=0x1, lpData=0x0, lpcbData=0x598e81c*=0x56) returned 0x0 [0087.980] RegQueryValueExW (in: hKey=0x3fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x598e820, lpData=0x2666b80, lpcbData=0x598e81c*=0x56 | out: lpType=0x598e820*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x598e81c*=0x56) returned 0x0 [0087.980] RegCloseKey (hKey=0x3fc) returned 0x0 [0087.980] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x598e800 | out: phkResult=0x598e800*=0x3fc) returned 0x0 [0087.980] RegQueryValueExW (in: hKey=0x3fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x598e820, lpData=0x0, lpcbData=0x598e81c*=0x0 | out: lpType=0x598e820*=0x1, lpData=0x0, lpcbData=0x598e81c*=0x56) returned 0x0 [0087.980] RegQueryValueExW (in: hKey=0x3fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x598e820, lpData=0x2666e88, lpcbData=0x598e81c*=0x56 | out: lpType=0x598e820*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x598e81c*=0x56) returned 0x0 [0087.980] RegCloseKey (hKey=0x3fc) returned 0x0 [0087.981] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x598e84c | out: phkResult=0x598e84c*=0x3fc) returned 0x0 [0087.981] RegQueryValueExW (in: hKey=0x3fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x598e86c, lpData=0x0, lpcbData=0x598e868*=0x0 | out: lpType=0x598e86c*=0x1, lpData=0x0, lpcbData=0x598e868*=0x56) returned 0x0 [0087.981] RegQueryValueExW (in: hKey=0x3fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x598e86c, lpData=0x26671d0, lpcbData=0x598e868*=0x56 | out: lpType=0x598e86c*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x598e868*=0x56) returned 0x0 [0087.981] RegCloseKey (hKey=0x3fc) returned 0x0 [0087.981] CoTaskMemAlloc (cb=0x20c) returned 0x65c3e8 [0087.981] SHGetFolderPathW (in: hwnd=0x0, csidl=38, hToken=0x0, dwFlags=0x0, pszPath=0x65c3e8 | out: pszPath="C:\\Program Files (x86)") returned 0x0 [0087.981] CoTaskMemFree (pv=0x65c3e8) [0087.982] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x17 [0087.982] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)", nBufferLength=0x17, lpBuffer=0x4e9d2d8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)", lpFilePart=0x0) returned 0x16 [0088.072] EtwEventActivityIdControl () returned 0x0 [0088.073] SetEvent (hEvent=0x40c) returned 1 [0088.073] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x598eba8*=0x40c, lpdwindex=0x598e9cc | out: lpdwindex=0x598e9cc) returned 0x0 [0088.074] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x598eb3c, nSize=0xc6 | out: lpBuffer="") returned 0x0 [0088.075] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0088.075] GetFileType (hFile=0xb) returned 0x2 [0088.076] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x598ece0 | out: lpMode=0x598ece0) returned 1 [0088.077] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x598eca0 | out: lpConsoleScreenBufferInfo=0x598eca0) returned 1 [0088.078] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x598eca0 | out: lpConsoleScreenBufferInfo=0x598eca0) returned 1 [0088.102] EtwEventActivityIdControl () returned 0x0 [0088.103] EtwEventActivityIdControl () returned 0x0 [0088.103] EtwEventActivityIdControl () returned 0x0 [0088.127] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3fc [0088.127] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x1388, cHandles=0x1, pHandles=0x598ee24*=0x3fc, lpdwindex=0x598ec48 | out: lpdwindex=0x598ec48) returned 0x80010115 [0093.128] EtwEventActivityIdControl () returned 0x0 [0093.129] CloseHandle (hObject=0x3fc) returned 1 [0093.130] EtwEventActivityIdControl () returned 0x0 [0093.130] EtwEventActivityIdControl () returned 0x0 [0093.130] EtwEventActivityIdControl () returned 0x0 [0093.130] EtwEventActivityIdControl () returned 0x0 [0093.132] SetEvent (hEvent=0x350) returned 1 [0093.132] SetEvent (hEvent=0x344) returned 1 [0093.132] SetEvent (hEvent=0x348) returned 1 [0093.132] SetEvent (hEvent=0x34c) returned 1 [0093.132] SetEvent (hEvent=0x360) returned 1 [0093.132] SetEvent (hEvent=0x354) returned 1 [0093.132] SetEvent (hEvent=0x358) returned 1 [0093.132] SetEvent (hEvent=0x35c) returned 1 [0093.132] SetEvent (hEvent=0x364) returned 1 [0093.137] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x598f400*=0x36c, lpdwindex=0x598f224 | out: lpdwindex=0x598f224) returned 0x0 [0093.137] SetThreadUILanguage (LangId=0x0) returned 0x409 [0093.138] CoCreateGuid (in: pguid=0x598f26c | out: pguid=0x598f26c*(Data1=0x541ef2d2, Data2=0x3c1a, Data3=0x401a, Data4=([0]=0x9b, [1]=0xa8, [2]=0x7c, [3]=0x38, [4]=0x7d, [5]=0x3e, [6]=0xf5, [7]=0x76))) returned 0x0 [0093.138] QueryPerformanceCounter (in: lpPerformanceCount=0x598f24c | out: lpPerformanceCount=0x598f24c*=1803414836632) returned 1 [0093.161] QueryPerformanceCounter (in: lpPerformanceCount=0x598f214 | out: lpPerformanceCount=0x598f214*=1803417053900) returned 1 [0093.161] EtwEventActivityIdControl () returned 0x0 [0093.161] EtwEventActivityIdControl () returned 0x0 [0093.161] EtwEventActivityIdControl () returned 0x0 [0093.162] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x2, pHandles=0x598edc0*=0x3f0, lpdwindex=0x598ec84 | out: lpdwindex=0x598ec84) returned 0x0 [0093.163] SetEvent (hEvent=0x414) returned 1 [0093.163] SetEvent (hEvent=0x3f0) returned 1 [0093.163] EtwEventActivityIdControl () returned 0x0 [0093.163] SetEvent (hEvent=0x418) returned 1 [0093.163] SetEvent (hEvent=0x414) returned 1 [0093.163] SetEvent (hEvent=0x3f0) returned 1 [0093.163] SetEvent (hEvent=0x428) returned 1 [0093.163] SetEvent (hEvent=0x41c) returned 1 [0093.163] SetEvent (hEvent=0x420) returned 1 [0093.163] SetEvent (hEvent=0x424) returned 1 [0093.163] SetEvent (hEvent=0x42c) returned 1 [0093.163] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x598f400*=0x36c, lpdwindex=0x598f224 | out: lpdwindex=0x598f224) returned 0x0 [0093.556] CoGetContextToken (in: pToken=0x598f7ec | out: pToken=0x598f7ec) returned 0x0 [0093.557] CoUninitialize () Thread: id = 23 os_tid = 0xef0 Thread: id = 24 os_tid = 0xef4 Thread: id = 25 os_tid = 0xef8 Thread: id = 26 os_tid = 0xefc Thread: id = 27 os_tid = 0xf00 [0085.722] CoGetContextToken (in: pToken=0x5d3f90c | out: pToken=0x5d3f90c) returned 0x0 [0085.722] CObjectContext::QueryInterface () returned 0x0 [0085.722] CObjectContext::GetCurrentThreadType () returned 0x0 [0085.722] Release () returned 0x0 [0085.722] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 Thread: id = 28 os_tid = 0xf04 Thread: id = 29 os_tid = 0xf08 Process: id = "3" image_name = "powershell.exe" filename = "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe" page_root = "0x389da000" os_pid = "0xf14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xe58" cmd_line = "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" Start-Sleep -s 5" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e95f" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 711 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 712 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 713 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 714 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 715 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 716 start_va = 0x150000 end_va = 0x1bafff monitored = 0 entry_point = 0x15d330 region_type = mapped_file name = "powershell.exe" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe") Region: id = 717 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 718 start_va = 0x240000 end_va = 0x27ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 719 start_va = 0x76e60000 end_va = 0x77008fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 720 start_va = 0x77040000 end_va = 0x771bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 721 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 722 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 723 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 724 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 725 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 726 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 727 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 728 start_va = 0x340000 end_va = 0x3bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 729 start_va = 0x748b0000 end_va = 0x748b7fff monitored = 0 entry_point = 0x748b20f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 730 start_va = 0x748c0000 end_va = 0x7491bfff monitored = 0 entry_point = 0x748ff9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 731 start_va = 0x74920000 end_va = 0x7495efff monitored = 0 entry_point = 0x7494e088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 732 start_va = 0x76c40000 end_va = 0x76d5efff monitored = 0 entry_point = 0x76c55340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 733 start_va = 0x75d40000 end_va = 0x75e4ffff monitored = 0 entry_point = 0x75d53283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 734 start_va = 0x76c40000 end_va = 0x76d5efff monitored = 0 entry_point = 0x76c55340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 735 start_va = 0x76c40000 end_va = 0x76d5efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000076c40000" filename = "" Region: id = 736 start_va = 0x76d60000 end_va = 0x76e59fff monitored = 0 entry_point = 0x76d7a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 737 start_va = 0x76d60000 end_va = 0x76e59fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000076d60000" filename = "" Region: id = 738 start_va = 0x3c0000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 739 start_va = 0x75d40000 end_va = 0x75e4ffff monitored = 0 entry_point = 0x75d53283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 740 start_va = 0x75150000 end_va = 0x75196fff monitored = 0 entry_point = 0x751574c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 741 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 742 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 743 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 744 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 745 start_va = 0x70000 end_va = 0xd6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 746 start_va = 0x75ca0000 end_va = 0x75d3ffff monitored = 0 entry_point = 0x75cb49e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 747 start_va = 0x74cf0000 end_va = 0x74d9bfff monitored = 0 entry_point = 0x74cfa472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 748 start_va = 0x753d0000 end_va = 0x753e8fff monitored = 0 entry_point = 0x753d4975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 749 start_va = 0x75710000 end_va = 0x757fffff monitored = 0 entry_point = 0x75720569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 750 start_va = 0x74b90000 end_va = 0x74beffff monitored = 0 entry_point = 0x74baa3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 751 start_va = 0x74b80000 end_va = 0x74b8bfff monitored = 0 entry_point = 0x74b810e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 752 start_va = 0x72370000 end_va = 0x72383fff monitored = 0 entry_point = 0x72371da9 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll") Region: id = 753 start_va = 0x75b00000 end_va = 0x75bfffff monitored = 0 entry_point = 0x75b1b6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 754 start_va = 0x74e80000 end_va = 0x74f0ffff monitored = 0 entry_point = 0x74e96343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 755 start_va = 0x77010000 end_va = 0x77019fff monitored = 0 entry_point = 0x770136a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 756 start_va = 0x74bf0000 end_va = 0x74c8cfff monitored = 0 entry_point = 0x74c23fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 757 start_va = 0x75270000 end_va = 0x753cbfff monitored = 0 entry_point = 0x752bba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 758 start_va = 0x758a0000 end_va = 0x7592efff monitored = 0 entry_point = 0x758a3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 759 start_va = 0x74a20000 end_va = 0x74a69fff monitored = 1 entry_point = 0x74a22e54 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll") Region: id = 760 start_va = 0x580000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 761 start_va = 0xe0000 end_va = 0xfdfff monitored = 0 entry_point = 0xf158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 762 start_va = 0x690000 end_va = 0x817fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 763 start_va = 0xe0000 end_va = 0xfdfff monitored = 0 entry_point = 0xf158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 764 start_va = 0x75c40000 end_va = 0x75c9ffff monitored = 0 entry_point = 0x75c5158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 765 start_va = 0x751a0000 end_va = 0x7526bfff monitored = 0 entry_point = 0x751a168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 766 start_va = 0x820000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 767 start_va = 0x9b0000 end_va = 0x1daffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 768 start_va = 0x30000 end_va = 0x32fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershell.exe.mui" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\powershell.exe.mui" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\en-us\\powershell.exe.mui") Region: id = 769 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 770 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 771 start_va = 0x280000 end_va = 0x2effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 772 start_va = 0x1db0000 end_va = 0x1f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001db0000" filename = "" Region: id = 773 start_va = 0x74990000 end_va = 0x74a1cfff monitored = 1 entry_point = 0x749a2860 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll") Region: id = 774 start_va = 0x72bf0000 end_va = 0x72bf2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\SysWOW64\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\syswow64\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 775 start_va = 0x74c90000 end_va = 0x74ce6fff monitored = 0 entry_point = 0x74ca9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 776 start_va = 0x73b80000 end_va = 0x73b88fff monitored = 0 entry_point = 0x73b81220 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 777 start_va = 0x712b0000 end_va = 0x71a5efff monitored = 1 entry_point = 0x712cd0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 778 start_va = 0x712b0000 end_va = 0x71a5efff monitored = 1 entry_point = 0x712cd0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 779 start_va = 0x712b0000 end_va = 0x71a5efff monitored = 1 entry_point = 0x712cd0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 780 start_va = 0x74970000 end_va = 0x74983fff monitored = 0 entry_point = 0x7497ac00 region_type = mapped_file name = "vcruntime140_clr0400.dll" filename = "\\Windows\\SysWOW64\\vcruntime140_clr0400.dll" (normalized: "c:\\windows\\syswow64\\vcruntime140_clr0400.dll") Region: id = 781 start_va = 0x723b0000 end_va = 0x7245afff monitored = 0 entry_point = 0x72445f20 region_type = mapped_file name = "ucrtbase_clr0400.dll" filename = "\\Windows\\SysWOW64\\ucrtbase_clr0400.dll" (normalized: "c:\\windows\\syswow64\\ucrtbase_clr0400.dll") Region: id = 782 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 783 start_va = 0x110000 end_va = 0x11ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 784 start_va = 0x120000 end_va = 0x12ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 785 start_va = 0x130000 end_va = 0x13ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 786 start_va = 0x140000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 787 start_va = 0x200000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 788 start_va = 0x210000 end_va = 0x21ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 789 start_va = 0x220000 end_va = 0x220fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 790 start_va = 0x230000 end_va = 0x230fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 791 start_va = 0x280000 end_va = 0x2dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 792 start_va = 0x2e0000 end_va = 0x2effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 793 start_va = 0x1f80000 end_va = 0x212ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f80000" filename = "" Region: id = 794 start_va = 0x620000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 795 start_va = 0x680000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 796 start_va = 0x1dc0000 end_va = 0x1dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001dc0000" filename = "" Region: id = 797 start_va = 0x1f40000 end_va = 0x1f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f40000" filename = "" Region: id = 798 start_va = 0x7efd8000 end_va = 0x7efdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 799 start_va = 0x280000 end_va = 0x28ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 800 start_va = 0x2a0000 end_va = 0x2dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 801 start_va = 0x2130000 end_va = 0x412ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002130000" filename = "" Region: id = 802 start_va = 0x280000 end_va = 0x29ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 803 start_va = 0x3d0000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 804 start_va = 0x480000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 805 start_va = 0x1e20000 end_va = 0x1e5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e20000" filename = "" Region: id = 806 start_va = 0x7efd5000 end_va = 0x7efd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 807 start_va = 0x1ea0000 end_va = 0x1edffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ea0000" filename = "" Region: id = 808 start_va = 0x1f90000 end_va = 0x1fcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 809 start_va = 0x20f0000 end_va = 0x212ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 810 start_va = 0x7efad000 end_va = 0x7efaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 811 start_va = 0x4130000 end_va = 0x43fefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 812 start_va = 0x6fea0000 end_va = 0x712aafff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\36eaccfde177c2e7b93b8dbdde4e012a\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\36eaccfde177c2e7b93b8dbdde4e012a\\mscorlib.ni.dll") Region: id = 813 start_va = 0x2f0000 end_va = 0x2fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 814 start_va = 0x4400000 end_va = 0x45dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 815 start_va = 0x300000 end_va = 0x30ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 816 start_va = 0x6f440000 end_va = 0x6fe94fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\2c3c912ea8f058f9d04c4650128feb3f\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\2c3c912ea8f058f9d04c4650128feb3f\\system.ni.dll") Region: id = 817 start_va = 0x6e400000 end_va = 0x6ec17fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.core.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\31fae3290fad30c31c98651462d22724\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.core\\31fae3290fad30c31c98651462d22724\\system.core.ni.dll") Region: id = 818 start_va = 0x72060000 end_va = 0x720eefff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.consolehost.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.Pb378ec07#\\731848746c032af3ce33577b793c9b9c\\Microsoft.PowerShell.ConsoleHost.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.pb378ec07#\\731848746c032af3ce33577b793c9b9c\\microsoft.powershell.consolehost.ni.dll") Region: id = 819 start_va = 0x73950000 end_va = 0x73966fff monitored = 0 entry_point = 0x73953573 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 820 start_va = 0x410000 end_va = 0x44bfff monitored = 0 entry_point = 0x41128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 821 start_va = 0x410000 end_va = 0x44bfff monitored = 0 entry_point = 0x41128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 822 start_va = 0x410000 end_va = 0x44bfff monitored = 0 entry_point = 0x41128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 823 start_va = 0x410000 end_va = 0x44bfff monitored = 0 entry_point = 0x41128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 824 start_va = 0x410000 end_va = 0x44bfff monitored = 0 entry_point = 0x41128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 825 start_va = 0x73910000 end_va = 0x7394afff monitored = 0 entry_point = 0x7391128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 826 start_va = 0x6c910000 end_va = 0x6e3f2fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.management.automation.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Manaa57fc8cc#\\a68aa6199c81feadf8c95a4ea0254b2c\\System.Management.Automation.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.manaa57fc8cc#\\a68aa6199c81feadf8c95a4ea0254b2c\\system.management.automation.ni.dll") Region: id = 827 start_va = 0x410000 end_va = 0x471fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorrc.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscorrc.dll") Region: id = 828 start_va = 0x5b0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 829 start_va = 0x2000000 end_va = 0x203ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 830 start_va = 0x2040000 end_va = 0x207ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002040000" filename = "" Region: id = 831 start_va = 0x20b0000 end_va = 0x20effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020b0000" filename = "" Region: id = 832 start_va = 0x7efa7000 end_va = 0x7efa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 833 start_va = 0x7efaa000 end_va = 0x7efacfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 834 start_va = 0x72390000 end_va = 0x723a2fff monitored = 1 entry_point = 0x7239d900 region_type = mapped_file name = "nlssorting.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\nlssorting.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\nlssorting.dll") Region: id = 835 start_va = 0x45e0000 end_va = 0x48b1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nlp" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\sortdefault.nlp" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\sortdefault.nlp") Region: id = 836 start_va = 0x6ed30000 end_va = 0x6f43bfff monitored = 1 entry_point = 0x6f34f392 region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\system.management.automation\\v4.0_3.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 837 start_va = 0x6c200000 end_va = 0x6c90bfff monitored = 1 entry_point = 0x6c81f392 region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\system.management.automation\\v4.0_3.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 838 start_va = 0x4400000 end_va = 0x44bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 839 start_va = 0x45a0000 end_va = 0x45dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045a0000" filename = "" Region: id = 840 start_va = 0x6ed30000 end_va = 0x6f43bfff monitored = 1 entry_point = 0x6f34f392 region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\system.management.automation\\v4.0_3.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 841 start_va = 0x6c200000 end_va = 0x6c90bfff monitored = 1 entry_point = 0x6c81f392 region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\system.management.automation\\v4.0_3.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 842 start_va = 0x75ff0000 end_va = 0x76c39fff monitored = 0 entry_point = 0x76071601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 843 start_va = 0x310000 end_va = 0x310fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 844 start_va = 0x74f10000 end_va = 0x74f3efff monitored = 0 entry_point = 0x74f12a35 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\SysWOW64\\wintrust.dll" (normalized: "c:\\windows\\syswow64\\wintrust.dll") Region: id = 845 start_va = 0x74fc0000 end_va = 0x750e0fff monitored = 0 entry_point = 0x74fc158e region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 846 start_va = 0x75810000 end_va = 0x7581bfff monitored = 0 entry_point = 0x7581238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 847 start_va = 0x320000 end_va = 0x327fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 848 start_va = 0x1f00000 end_va = 0x1f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 849 start_va = 0x4910000 end_va = 0x494ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004910000" filename = "" Region: id = 850 start_va = 0x7efa4000 end_va = 0x7efa6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa4000" filename = "" Region: id = 851 start_va = 0x72360000 end_va = 0x72367fff monitored = 0 entry_point = 0x72363bf5 region_type = mapped_file name = "msisip.dll" filename = "\\Windows\\SysWOW64\\msisip.dll" (normalized: "c:\\windows\\syswow64\\msisip.dll") Region: id = 852 start_va = 0x4950000 end_va = 0x4d4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004950000" filename = "" Region: id = 853 start_va = 0x330000 end_va = 0x337fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 854 start_va = 0x4950000 end_va = 0x4d4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004950000" filename = "" Region: id = 855 start_va = 0x48d0000 end_va = 0x490ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000048d0000" filename = "" Region: id = 856 start_va = 0x49c0000 end_va = 0x49fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000049c0000" filename = "" Region: id = 857 start_va = 0x75800000 end_va = 0x75804fff monitored = 0 entry_point = 0x75801438 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 858 start_va = 0x7efa1000 end_va = 0x7efa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa1000" filename = "" Region: id = 859 start_va = 0x72160000 end_va = 0x72175fff monitored = 0 entry_point = 0x721613df region_type = mapped_file name = "wshext.dll" filename = "\\Windows\\SysWOW64\\wshext.dll" (normalized: "c:\\windows\\syswow64\\wshext.dll") Region: id = 860 start_va = 0x71fd0000 end_va = 0x72053fff monitored = 0 entry_point = 0x71fd19a9 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll") Region: id = 861 start_va = 0x4a00000 end_va = 0x4b0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a00000" filename = "" Region: id = 862 start_va = 0x72480000 end_va = 0x72489fff monitored = 0 entry_point = 0x72484ab0 region_type = mapped_file name = "pwrshsip.dll" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\pwrshsip.dll" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\pwrshsip.dll") Region: id = 863 start_va = 0x4a00000 end_va = 0x4afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a00000" filename = "" Region: id = 864 start_va = 0x4b00000 end_va = 0x4b0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b00000" filename = "" Region: id = 865 start_va = 0x4b60000 end_va = 0x4b9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b60000" filename = "" Region: id = 866 start_va = 0x4bb0000 end_va = 0x4beffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004bb0000" filename = "" Region: id = 867 start_va = 0x7ef9e000 end_va = 0x7efa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef9e000" filename = "" Region: id = 868 start_va = 0x320000 end_va = 0x32ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 869 start_va = 0x330000 end_va = 0x330fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 870 start_va = 0x3c0000 end_va = 0x3c6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 871 start_va = 0x330000 end_va = 0x330fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 872 start_va = 0x3c0000 end_va = 0x3c6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 873 start_va = 0x330000 end_va = 0x330fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 874 start_va = 0x330000 end_va = 0x336fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 875 start_va = 0x330000 end_va = 0x330fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 876 start_va = 0x330000 end_va = 0x336fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 877 start_va = 0x330000 end_va = 0x330fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 878 start_va = 0x330000 end_va = 0x336fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 879 start_va = 0x4520000 end_va = 0x455ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004520000" filename = "" Region: id = 880 start_va = 0x4c30000 end_va = 0x4c6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004c30000" filename = "" Region: id = 881 start_va = 0x4ca0000 end_va = 0x4cdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004ca0000" filename = "" Region: id = 882 start_va = 0x4ce0000 end_va = 0x4d1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004ce0000" filename = "" Region: id = 883 start_va = 0x7ef98000 end_va = 0x7ef9afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef98000" filename = "" Region: id = 884 start_va = 0x7ef9b000 end_va = 0x7ef9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef9b000" filename = "" Region: id = 885 start_va = 0x6ec20000 end_va = 0x6f439fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.data.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Data\\df2dd09ed7c341842a104e1e668f184e\\System.Data.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.data\\df2dd09ed7c341842a104e1e668f184e\\system.data.ni.dll") Region: id = 886 start_va = 0x71c70000 end_va = 0x71fc3fff monitored = 1 entry_point = 0x71fa7a72 region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 887 start_va = 0x74da0000 end_va = 0x74dd4fff monitored = 0 entry_point = 0x74da145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 888 start_va = 0x75c30000 end_va = 0x75c35fff monitored = 0 entry_point = 0x75c31782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 889 start_va = 0x4d20000 end_va = 0x5070fff monitored = 1 entry_point = 0x5057a72 region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 890 start_va = 0x4d20000 end_va = 0x5070fff monitored = 1 entry_point = 0x5057a72 region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 891 start_va = 0x4d20000 end_va = 0x5070fff monitored = 1 entry_point = 0x5057a72 region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 892 start_va = 0x4d20000 end_va = 0x5070fff monitored = 1 entry_point = 0x5057a72 region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 893 start_va = 0x330000 end_va = 0x33ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 894 start_va = 0x6ba10000 end_va = 0x6c183fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.xml.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Xml\\15af16d373cf0528cb74fc73d365fdbf\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.xml\\15af16d373cf0528cb74fc73d365fdbf\\system.xml.ni.dll") Region: id = 895 start_va = 0x71b40000 end_va = 0x71c6ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Management\\e114780fd3ea5727401c06ea4f22ef35\\System.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.management\\e114780fd3ea5727401c06ea4f22ef35\\system.management.ni.dll") Region: id = 896 start_va = 0x6c7e0000 end_va = 0x6c90bfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.directoryservices.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Dired13b18a9#\\2e76676fbd265f70be92c82bbf76b8e5\\System.DirectoryServices.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.dired13b18a9#\\2e76676fbd265f70be92c82bbf76b8e5\\system.directoryservices.ni.dll") Region: id = 897 start_va = 0x74960000 end_va = 0x74962fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-xstate-l2-1-0.dll" filename = "\\Windows\\SysWOW64\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\windows\\syswow64\\api-ms-win-core-xstate-l2-1-0.dll") Region: id = 898 start_va = 0x72180000 end_va = 0x72208fff monitored = 1 entry_point = 0x72181130 region_type = mapped_file name = "clrjit.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clrjit.dll") Region: id = 899 start_va = 0x3c0000 end_va = 0x3cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 900 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 901 start_va = 0x72100000 end_va = 0x72153fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.security.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.P6f792626#\\fbf36f7901fec6a367af3bc05a96b929\\Microsoft.PowerShell.Security.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.p6f792626#\\fbf36f7901fec6a367af3bc05a96b929\\microsoft.powershell.security.ni.dll") Region: id = 902 start_va = 0x1fd0000 end_va = 0x200ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fd0000" filename = "" Region: id = 903 start_va = 0x4970000 end_va = 0x49affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004970000" filename = "" Region: id = 904 start_va = 0x7efa7000 end_va = 0x7efa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 905 start_va = 0x71ac0000 end_va = 0x71b3ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.management.infrastructure.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.Mf49f6405#\\e3134541fd9904dc895922f5256ef8f3\\Microsoft.Management.Infrastructure.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.mf49f6405#\\e3134541fd9904dc895922f5256ef8f3\\microsoft.management.infrastructure.ni.dll") Region: id = 906 start_va = 0x6c720000 end_va = 0x6c7d7fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.transactions.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Transactions\\3d760b4a3260a41ef84a3fd866780980\\System.Transactions.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.transactions\\3d760b4a3260a41ef84a3fd866780980\\system.transactions.ni.dll") Region: id = 907 start_va = 0x71a70000 end_va = 0x71abbfff monitored = 1 entry_point = 0x71a8fcc6 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 908 start_va = 0x2080000 end_va = 0x20cbfff monitored = 1 entry_point = 0x209fcc6 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 909 start_va = 0x2080000 end_va = 0x20cbfff monitored = 1 entry_point = 0x209fcc6 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 910 start_va = 0x2080000 end_va = 0x20cbfff monitored = 1 entry_point = 0x209fcc6 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 911 start_va = 0x2080000 end_va = 0x20cbfff monitored = 1 entry_point = 0x209fcc6 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 912 start_va = 0x6c6d0000 end_va = 0x6c716fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.numerics.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Numerics\\e7d6ed984300c7212c6e682c4f730b1e\\System.Numerics.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.numerics\\e7d6ed984300c7212c6e682c4f730b1e\\system.numerics.ni.dll") Region: id = 913 start_va = 0x590000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 914 start_va = 0x5a0000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 915 start_va = 0x72350000 end_va = 0x72357fff monitored = 0 entry_point = 0x723510e9 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 916 start_va = 0x4d20000 end_va = 0x4e1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004d20000" filename = "" Region: id = 917 start_va = 0x6c5c0000 end_va = 0x6c6c4fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.configuration.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Configuration\\96f7edb07b12303f0ec2595c7f3778c7\\System.Configuration.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.configuration\\96f7edb07b12303f0ec2595c7f3778c7\\system.configuration.ni.dll") Region: id = 918 start_va = 0x44c0000 end_va = 0x44fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 919 start_va = 0x4e90000 end_va = 0x4ecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004e90000" filename = "" Region: id = 920 start_va = 0x7ef95000 end_va = 0x7ef97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef95000" filename = "" Region: id = 921 start_va = 0x5f0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 922 start_va = 0x4ed0000 end_va = 0x4f4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004ed0000" filename = "" Region: id = 923 start_va = 0x600000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 924 start_va = 0x610000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 925 start_va = 0x660000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 926 start_va = 0x670000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 927 start_va = 0x1db0000 end_va = 0x1dbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001db0000" filename = "" Region: id = 928 start_va = 0x1e00000 end_va = 0x1e0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 929 start_va = 0x1e10000 end_va = 0x1e1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e10000" filename = "" Region: id = 930 start_va = 0x1e60000 end_va = 0x1e6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 931 start_va = 0x1e70000 end_va = 0x1e7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 932 start_va = 0x1e80000 end_va = 0x1e8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e80000" filename = "" Region: id = 933 start_va = 0x6b870000 end_va = 0x6ba07fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.csharp.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.CSharp\\f73f48afb5512225dedaee9c88ac5050\\Microsoft.CSharp.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.csharp\\f73f48afb5512225dedaee9c88ac5050\\microsoft.csharp.ni.dll") Region: id = 934 start_va = 0x1e90000 end_va = 0x1e9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e90000" filename = "" Region: id = 935 start_va = 0x1ee0000 end_va = 0x1eeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ee0000" filename = "" Region: id = 936 start_va = 0x1ef0000 end_va = 0x1efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ef0000" filename = "" Region: id = 937 start_va = 0x1ef0000 end_va = 0x1efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ef0000" filename = "" Region: id = 938 start_va = 0x1f80000 end_va = 0x1f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f80000" filename = "" Region: id = 939 start_va = 0x4fc0000 end_va = 0x4ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004fc0000" filename = "" Region: id = 940 start_va = 0x50b0000 end_va = 0x5a3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000050b0000" filename = "" Region: id = 941 start_va = 0x7efa7000 end_va = 0x7efa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 942 start_va = 0x73ab0000 end_va = 0x73b2ffff monitored = 0 entry_point = 0x73ac37c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 943 start_va = 0x5a40000 end_va = 0x5b2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005a40000" filename = "" Region: id = 944 start_va = 0x5b30000 end_va = 0x5c0efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005b30000" filename = "" Region: id = 945 start_va = 0x4950000 end_va = 0x498ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004950000" filename = "" Region: id = 946 start_va = 0x4b10000 end_va = 0x4b4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b10000" filename = "" Region: id = 947 start_va = 0x73a80000 end_va = 0x73a8dfff monitored = 0 entry_point = 0x73a81235 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll") Region: id = 948 start_va = 0x7ef92000 end_va = 0x7ef94fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef92000" filename = "" Region: id = 949 start_va = 0x1fe0000 end_va = 0x201ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fe0000" filename = "" Region: id = 950 start_va = 0x5a50000 end_va = 0x5a8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005a50000" filename = "" Region: id = 951 start_va = 0x5af0000 end_va = 0x5b2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005af0000" filename = "" Region: id = 952 start_va = 0x7ef8f000 end_va = 0x7ef91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef8f000" filename = "" Region: id = 953 start_va = 0x20b0000 end_va = 0x20effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020b0000" filename = "" Region: id = 954 start_va = 0x5070000 end_va = 0x50affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005070000" filename = "" Region: id = 955 start_va = 0x7ef8c000 end_va = 0x7ef8efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef8c000" filename = "" Region: id = 956 start_va = 0x1f80000 end_va = 0x1f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f80000" filename = "" Region: id = 957 start_va = 0x4f80000 end_va = 0x4fbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004f80000" filename = "" Region: id = 958 start_va = 0x5c30000 end_va = 0x5c6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005c30000" filename = "" Region: id = 959 start_va = 0x7ef89000 end_va = 0x7ef8bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef89000" filename = "" Region: id = 960 start_va = 0x5010000 end_va = 0x504ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005010000" filename = "" Region: id = 961 start_va = 0x5d70000 end_va = 0x5daffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005d70000" filename = "" Region: id = 962 start_va = 0x7ef86000 end_va = 0x7ef88fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef86000" filename = "" Region: id = 963 start_va = 0x2020000 end_va = 0x2030fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002020000" filename = "" Region: id = 964 start_va = 0x1fd0000 end_va = 0x1fd1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershellget.psd1" filename = "\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1") Region: id = 965 start_va = 0x5db0000 end_va = 0x61affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005db0000" filename = "" Region: id = 966 start_va = 0x2080000 end_va = 0x2081fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershellget.psd1" filename = "\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1") Region: id = 967 start_va = 0x5db0000 end_va = 0x61affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005db0000" filename = "" Region: id = 968 start_va = 0x1fd0000 end_va = 0x1fd0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psd1" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1") Region: id = 969 start_va = 0x5db0000 end_va = 0x61affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005db0000" filename = "" Region: id = 970 start_va = 0x2080000 end_va = 0x2080fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psd1" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1") Region: id = 971 start_va = 0x5db0000 end_va = 0x61affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005db0000" filename = "" Region: id = 972 start_va = 0x6ad00000 end_va = 0x6b86dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.commands.utility.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.P521220ea#\\f6f5592245815a51dae8c19cd5d04783\\Microsoft.PowerShell.Commands.Utility.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.p521220ea#\\f6f5592245815a51dae8c19cd5d04783\\microsoft.powershell.commands.utility.ni.dll") Region: id = 973 start_va = 0x6c280000 end_va = 0x6c2a7fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.configuration.install.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Confe64a9051#\\1561b93d6d25c4a9c3e2659ab29a5e73\\System.Configuration.Install.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.confe64a9051#\\1561b93d6d25c4a9c3e2659ab29a5e73\\system.configuration.install.ni.dll") Region: id = 974 start_va = 0x1fd0000 end_va = 0x1fd7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 975 start_va = 0x5db0000 end_va = 0x61affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005db0000" filename = "" Region: id = 976 start_va = 0x2080000 end_va = 0x2087fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 977 start_va = 0x5db0000 end_va = 0x61affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005db0000" filename = "" Region: id = 978 start_va = 0x1fd0000 end_va = 0x1fdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fd0000" filename = "" Region: id = 979 start_va = 0x2080000 end_va = 0x208ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 980 start_va = 0x2090000 end_va = 0x2097fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 981 start_va = 0x5db0000 end_va = 0x61affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005db0000" filename = "" Region: id = 982 start_va = 0x20a0000 end_va = 0x20a7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 983 start_va = 0x5db0000 end_va = 0x61affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005db0000" filename = "" Region: id = 984 start_va = 0x2090000 end_va = 0x209ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002090000" filename = "" Region: id = 985 start_va = 0x4e30000 end_va = 0x4e6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004e30000" filename = "" Region: id = 986 start_va = 0x5d10000 end_va = 0x5d4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005d10000" filename = "" Region: id = 987 start_va = 0x73c40000 end_va = 0x73c4afff monitored = 0 entry_point = 0x73c41992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 988 start_va = 0x6c580000 end_va = 0x6c596fff monitored = 0 entry_point = 0x6c5835fa region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 989 start_va = 0x2090000 end_va = 0x209ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002090000" filename = "" Thread: id = 31 os_tid = 0xf18 [0112.141] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x414 [0112.141] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3c4 [0112.141] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x418 [0112.141] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x41c [0112.141] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x420 [0112.142] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x424 [0112.142] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x428 [0112.142] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x42c [0112.142] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x430 [0112.142] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x434 [0112.142] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x438 [0112.142] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x43c [0112.143] SetEvent (hEvent=0x41c) returned 1 [0112.143] SetEvent (hEvent=0x414) returned 1 [0112.143] SetEvent (hEvent=0x3c4) returned 1 [0112.143] SetEvent (hEvent=0x418) returned 1 [0112.143] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x440 [0112.144] SetEvent (hEvent=0x368) returned 1 [0112.191] SetEvent (hEvent=0x420) returned 1 [0112.191] SetEvent (hEvent=0x424) returned 1 [0112.191] SetEvent (hEvent=0x428) returned 1 [0112.237] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", nBufferLength=0x105, lpBuffer=0x1fd9b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", lpFilePart=0x0) returned 0x40 [0112.238] CoTaskMemAlloc (cb=0x20c) returned 0x523b88 [0112.238] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x523b88, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0112.238] CoTaskMemFree (pv=0x523b88) [0112.239] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3a [0112.239] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x3a, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0112.244] GetCurrentProcess () returned 0xffffffff [0112.245] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x1fdcf0 | out: TokenHandle=0x1fdcf0*=0x44c) returned 1 [0112.247] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2f [0112.247] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", nBufferLength=0x2f, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", lpFilePart=0x0) returned 0x2e [0112.247] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x1fdce8 | out: lpFileInformation=0x1fdce8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc63fb400, ftCreationTime.dwHighDateTime=0x1d4e4ee, ftLastAccessTime.dwLowDateTime=0xb9f350b0, ftLastAccessTime.dwHighDateTime=0x1d706ae, ftLastWriteTime.dwLowDateTime=0xc63fb400, ftLastWriteTime.dwHighDateTime=0x1d4e4ee, nFileSizeHigh=0x0, nFileSizeLow=0x8c8e)) returned 1 [0112.249] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0112.249] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x44, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x43 [0112.250] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x1fdcf0 | out: lpFileInformation=0x1fdcf0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc63fb400, ftCreationTime.dwHighDateTime=0x1d4e4ee, ftLastAccessTime.dwLowDateTime=0xb9f350b0, ftLastAccessTime.dwHighDateTime=0x1d706ae, ftLastWriteTime.dwLowDateTime=0xc63fb400, ftLastWriteTime.dwHighDateTime=0x1d4e4ee, nFileSizeHigh=0x0, nFileSizeLow=0x8c8e)) returned 1 [0112.250] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0112.250] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x44, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x43 [0112.250] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1fdc28) returned 1 [0112.250] CreateFileW (lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x450 [0112.250] GetFileType (hFile=0x450) returned 0x1 [0112.250] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1fdc24) returned 1 [0112.250] GetFileType (hFile=0x450) returned 0x1 [0112.267] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0112.267] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", nBufferLength=0x44, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x43 [0112.268] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0112.268] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", nBufferLength=0x44, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x43 [0112.268] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1fd204) returned 1 [0112.268] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x1fd4c8 | out: lpFileInformation=0x1fd4c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc63fb400, ftCreationTime.dwHighDateTime=0x1d4e4ee, ftLastAccessTime.dwLowDateTime=0xb9f350b0, ftLastAccessTime.dwHighDateTime=0x1d706ae, ftLastWriteTime.dwLowDateTime=0xc63fb400, ftLastWriteTime.dwHighDateTime=0x1d4e4ee, nFileSizeHigh=0x0, nFileSizeLow=0x8c8e)) returned 1 [0112.268] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1fd200) returned 1 [0112.397] BCryptGetFipsAlgorithmMode (in: pfEnabled=0x1fd394 | out: pfEnabled=0x1fd394) returned 0x0 [0112.405] GetFileSize (in: hFile=0x450, lpFileSizeHigh=0x1fdce4 | out: lpFileSizeHigh=0x1fdce4*=0x0) returned 0x8c8e [0112.405] ReadFile (in: hFile=0x450, lpBuffer=0x233d87c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1fdca0, lpOverlapped=0x0 | out: lpBuffer=0x233d87c*, lpNumberOfBytesRead=0x1fdca0*=0x1000, lpOverlapped=0x0) returned 1 [0112.416] ReadFile (in: hFile=0x450, lpBuffer=0x233d87c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1fdb50, lpOverlapped=0x0 | out: lpBuffer=0x233d87c*, lpNumberOfBytesRead=0x1fdb50*=0x1000, lpOverlapped=0x0) returned 1 [0112.417] ReadFile (in: hFile=0x450, lpBuffer=0x233d87c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1fda04, lpOverlapped=0x0 | out: lpBuffer=0x233d87c*, lpNumberOfBytesRead=0x1fda04*=0x1000, lpOverlapped=0x0) returned 1 [0112.417] ReadFile (in: hFile=0x450, lpBuffer=0x233d87c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1fda04, lpOverlapped=0x0 | out: lpBuffer=0x233d87c*, lpNumberOfBytesRead=0x1fda04*=0x1000, lpOverlapped=0x0) returned 1 [0112.418] ReadFile (in: hFile=0x450, lpBuffer=0x233d87c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1fda04, lpOverlapped=0x0 | out: lpBuffer=0x233d87c*, lpNumberOfBytesRead=0x1fda04*=0x1000, lpOverlapped=0x0) returned 1 [0112.418] ReadFile (in: hFile=0x450, lpBuffer=0x233d87c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1fd93c, lpOverlapped=0x0 | out: lpBuffer=0x233d87c*, lpNumberOfBytesRead=0x1fd93c*=0x1000, lpOverlapped=0x0) returned 1 [0112.422] ReadFile (in: hFile=0x450, lpBuffer=0x233d87c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1fdaa8, lpOverlapped=0x0 | out: lpBuffer=0x233d87c*, lpNumberOfBytesRead=0x1fdaa8*=0x1000, lpOverlapped=0x0) returned 1 [0112.423] ReadFile (in: hFile=0x450, lpBuffer=0x233d87c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1fd99c, lpOverlapped=0x0 | out: lpBuffer=0x233d87c*, lpNumberOfBytesRead=0x1fd99c*=0x1000, lpOverlapped=0x0) returned 1 [0112.423] ReadFile (in: hFile=0x450, lpBuffer=0x233d87c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1fd99c, lpOverlapped=0x0 | out: lpBuffer=0x233d87c*, lpNumberOfBytesRead=0x1fd99c*=0xc8e, lpOverlapped=0x0) returned 1 [0112.423] ReadFile (in: hFile=0x450, lpBuffer=0x233d87c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1fda60, lpOverlapped=0x0 | out: lpBuffer=0x233d87c*, lpNumberOfBytesRead=0x1fda60*=0x0, lpOverlapped=0x0) returned 1 [0112.423] CloseHandle (hObject=0x450) returned 1 [0112.424] CloseHandle (hObject=0x44c) returned 1 [0112.424] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", nBufferLength=0x105, lpBuffer=0x1fd9b4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", lpFilePart=0x0) returned 0x40 [0112.424] CoTaskMemAlloc (cb=0x20c) returned 0x523b88 [0112.424] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x523b88, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0112.424] CoTaskMemFree (pv=0x523b88) [0112.424] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3a [0112.424] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x3a, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0112.424] GetCurrentProcess () returned 0xffffffff [0112.425] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x1fde3c | out: TokenHandle=0x1fde3c*=0x44c) returned 1 [0112.425] CloseHandle (hObject=0x44c) returned 1 [0112.425] GetCurrentProcess () returned 0xffffffff [0112.425] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x1fde3c | out: TokenHandle=0x1fde3c*=0x44c) returned 1 [0112.426] CloseHandle (hObject=0x44c) returned 1 [0112.427] GetCurrentProcess () returned 0xffffffff [0112.427] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x1fdcf0 | out: TokenHandle=0x1fdcf0*=0x44c) returned 1 [0112.427] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x1fdce8 | out: lpFileInformation=0x1fdce8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0112.427] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 [0112.427] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", nBufferLength=0x41, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", lpFilePart=0x0) returned 0x40 [0112.427] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x1fdcf0 | out: lpFileInformation=0x1fdcf0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0112.428] CloseHandle (hObject=0x44c) returned 1 [0112.428] GetCurrentProcess () returned 0xffffffff [0112.428] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x1fde3c | out: TokenHandle=0x1fde3c*=0x44c) returned 1 [0112.428] CloseHandle (hObject=0x44c) returned 1 [0112.429] GetCurrentProcess () returned 0xffffffff [0112.429] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x1fde3c | out: TokenHandle=0x1fde3c*=0x44c) returned 1 [0112.430] CloseHandle (hObject=0x44c) returned 1 [0112.437] GetCurrentProcess () returned 0xffffffff [0112.437] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x1fdc54 | out: TokenHandle=0x1fdc54*=0x44c) returned 1 [0112.454] CloseHandle (hObject=0x44c) returned 1 [0112.457] GetCurrentProcess () returned 0xffffffff [0112.457] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x1fdc6c | out: TokenHandle=0x1fdc6c*=0x44c) returned 1 [0112.458] CloseHandle (hObject=0x44c) returned 1 [0112.464] CoCreateGuid (in: pguid=0x1fe058 | out: pguid=0x1fe058*(Data1=0xc33fb16e, Data2=0x421c, Data3=0x4e62, Data4=([0]=0xb7, [1]=0x61, [2]=0xbd, [3]=0x7, [4]=0x7d, [5]=0x4f, [6]=0x2, [7]=0x2a))) returned 0x0 [0112.466] ReportEventW (hEventLog=0x4ed0004, wType=0x4, wCategory=0x4, dwEventID=0x193, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x235ada0*="Stopped", lpRawData=0x235acc8) returned 1 [0112.475] SetEvent (hEvent=0x368) returned 1 [0112.499] CloseHandle (hObject=0x368) returned 1 [0112.589] SetConsoleCtrlHandler (HandlerRoutine=0x0, Add=0) returned 1 [0112.592] CoGetContextToken (in: pToken=0x1ff724 | out: pToken=0x1ff724) returned 0x0 [0112.592] CObjectContext::QueryInterface () returned 0x0 [0112.592] CObjectContext::GetCurrentThreadType () returned 0x0 [0112.592] Release () returned 0x0 [0112.593] CoGetContextToken (in: pToken=0x1ff434 | out: pToken=0x1ff434) returned 0x0 [0112.593] CObjectContext::QueryInterface () returned 0x0 [0112.593] CObjectContext::GetCurrentThreadType () returned 0x0 [0112.593] Release () returned 0x0 [0112.595] CoGetContextToken (in: pToken=0x1ff434 | out: pToken=0x1ff434) returned 0x0 [0112.595] CObjectContext::QueryInterface () returned 0x0 [0112.595] CObjectContext::GetCurrentThreadType () returned 0x0 [0112.595] Release () returned 0x0 [0112.606] CoGetContextToken (in: pToken=0x1ff434 | out: pToken=0x1ff434) returned 0x0 [0112.606] CObjectContext::QueryInterface () returned 0x0 [0112.606] CObjectContext::GetCurrentThreadType () returned 0x0 [0112.606] Release () returned 0x0 [0112.616] CoGetContextToken (in: pToken=0x1ff454 | out: pToken=0x1ff454) returned 0x0 [0112.616] CObjectContext::QueryInterface () returned 0x0 [0112.616] CObjectContext::GetCurrentThreadType () returned 0x0 [0112.616] Release () returned 0x0 [0112.617] CoUninitialize () Thread: id = 32 os_tid = 0xf2c Thread: id = 33 os_tid = 0xf30 [0104.292] RegCloseKey (hKey=0x364) returned 0x0 [0112.377] CloseHandle (hObject=0x2fc) returned 1 [0112.377] CloseHandle (hObject=0x3ec) returned 1 [0112.377] CloseHandle (hObject=0x3cc) returned 1 [0112.377] CloseHandle (hObject=0x3f8) returned 1 [0112.377] CloseHandle (hObject=0x3f4) returned 1 [0112.377] CloseHandle (hObject=0x3f0) returned 1 [0112.378] CloseHandle (hObject=0x360) returned 1 [0112.378] CloseHandle (hObject=0x410) returned 1 [0112.378] CloseHandle (hObject=0x35c) returned 1 [0112.378] CloseHandle (hObject=0x358) returned 1 [0112.378] CloseHandle (hObject=0x354) returned 1 [0112.378] CloseHandle (hObject=0x40c) returned 1 [0112.378] CloseHandle (hObject=0x408) returned 1 [0112.378] CloseHandle (hObject=0x404) returned 1 [0112.378] CloseHandle (hObject=0x364) returned 1 [0112.379] CloseHandle (hObject=0x3fc) returned 1 [0112.379] CloseHandle (hObject=0x350) returned 1 [0112.379] CloseHandle (hObject=0x34c) returned 1 [0112.379] CloseHandle (hObject=0x348) returned 1 [0112.379] CloseHandle (hObject=0x344) returned 1 [0112.379] CloseHandle (hObject=0x340) returned 1 [0112.379] CloseHandle (hObject=0x33c) returned 1 [0112.379] CloseHandle (hObject=0x334) returned 1 [0112.379] CloseHandle (hObject=0x2b4) returned 1 [0112.594] EtwEventUnregister () returned 0x0 [0112.594] EtwEventUnregister () returned 0x0 [0112.594] EtwEventUnregister () returned 0x0 [0112.594] EtwEventUnregister () returned 0x0 [0112.594] EtwEventUnregister () returned 0x0 [0112.594] EtwEventUnregister () returned 0x0 [0112.594] EtwEventUnregister () returned 0x0 [0112.594] EtwEventUnregister () returned 0x0 [0112.598] EtwEventUnregister () returned 0x0 [0112.599] CloseHandle (hObject=0x2bc) returned 1 [0112.601] CloseHandle (hObject=0x440) returned 1 [0112.602] CloseHandle (hObject=0x43c) returned 1 [0112.602] CloseHandle (hObject=0x438) returned 1 [0112.602] CloseHandle (hObject=0x434) returned 1 [0112.602] CloseHandle (hObject=0x430) returned 1 [0112.602] CloseHandle (hObject=0x42c) returned 1 [0112.602] UnmapViewOfFile (lpBaseAddress=0x2020000) returned 1 [0112.603] CloseHandle (hObject=0x428) returned 1 [0112.603] CloseHandle (hObject=0x424) returned 1 [0112.604] CloseHandle (hObject=0x420) returned 1 [0112.604] CloseHandle (hObject=0x41c) returned 1 [0112.604] CloseHandle (hObject=0x418) returned 1 [0112.604] CloseHandle (hObject=0x3c4) returned 1 [0112.604] CloseHandle (hObject=0x414) returned 1 [0112.605] DeregisterEventSource (hEventLog=0x4ed0004) returned 1 [0112.612] CloseHandle (hObject=0xf) returned 1 [0112.613] CloseHandle (hObject=0x290) returned 1 [0112.614] LocalFree (hMem=0x4d3c3b8) returned 0x0 [0112.614] RegCloseKey (hKey=0x80000004) returned 0x0 [0112.615] LocalFree (hMem=0x4d26eb0) returned 0x0 [0112.615] CloseHandle (hObject=0x3d0) returned 1 Thread: id = 34 os_tid = 0xf34 Thread: id = 35 os_tid = 0xf38 [0103.446] CoCreateGuid (in: pguid=0x207edd0 | out: pguid=0x207edd0*(Data1=0x7a113e63, Data2=0xe8b9, Data3=0x4318, Data4=([0]=0xad, [1]=0x44, [2]=0x70, [3]=0x80, [4]=0x62, [5]=0xdc, [6]=0x6b, [7]=0x90))) returned 0x0 Thread: id = 36 os_tid = 0xf3c Thread: id = 37 os_tid = 0xf40 Thread: id = 38 os_tid = 0xf44 Thread: id = 39 os_tid = 0xf58 Thread: id = 40 os_tid = 0xf5c [0112.605] CoGetContextToken (in: pToken=0x455f374 | out: pToken=0x455f374) returned 0x0 [0112.605] CObjectContext::QueryInterface () returned 0x0 [0112.605] CObjectContext::GetCurrentThreadType () returned 0x0 [0112.605] Release () returned 0x0 Thread: id = 41 os_tid = 0xf60 Thread: id = 42 os_tid = 0xf68 Thread: id = 43 os_tid = 0xf6c Thread: id = 44 os_tid = 0xf70 [0103.315] SetThreadUILanguage (LangId=0x0) returned 0x409 [0103.323] EtwEventRegister () returned 0x0 [0103.371] CoCreateGuid (in: pguid=0x5a3effc | out: pguid=0x5a3effc*(Data1=0xba55e8f4, Data2=0xda6c, Data3=0x43e8, Data4=([0]=0x93, [1]=0x30, [2]=0xad, [3]=0x4, [4]=0x90, [5]=0x1a, [6]=0x99, [7]=0x70))) returned 0x0 [0103.383] QueryPerformanceCounter (in: lpPerformanceCount=0x5a3efdc | out: lpPerformanceCount=0x5a3efdc*=1804439267302) returned 1 [0103.383] GetCurrentProcessId () returned 0xf14 [0103.384] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf14) returned 0x3c4 [0103.384] EnumProcessModules (in: hProcess=0x3c4, lphModule=0x23f4374, cb=0x100, lpcbNeeded=0x5a3eed4 | out: lphModule=0x23f4374, lpcbNeeded=0x5a3eed4) returned 1 [0103.385] GetModuleInformation (in: hProcess=0x3c4, hModule=0x150000, lpmodinfo=0x23f44b4, cb=0xc | out: lpmodinfo=0x23f44b4*(lpBaseOfDll=0x150000, SizeOfImage=0x6b000, EntryPoint=0x15d330)) returned 1 [0103.385] CoTaskMemAlloc (cb=0x804) returned 0x4d3b6a0 [0103.385] GetModuleBaseNameW (in: hProcess=0x3c4, hModule=0x150000, lpBaseName=0x4d3b6a0, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0103.385] CoTaskMemFree (pv=0x4d3b6a0) [0103.385] CoTaskMemAlloc (cb=0x804) returned 0x4d3b6a0 [0103.385] GetModuleFileNameExW (in: hProcess=0x3c4, hModule=0x150000, lpFilename=0x4d3b6a0, nSize=0x800 | out: lpFilename="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0103.386] CoTaskMemFree (pv=0x4d3b6a0) [0103.386] CloseHandle (hObject=0x3c4) returned 1 [0103.387] LocalReAlloc (hMem=0x52f508, uBytes=0x208, uFlags=0x2) returned 0x4d3c3b8 [0103.387] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x104, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0103.387] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3ec0c) returned 1 [0103.387] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0x5a3eed0 | out: lpFileInformation=0x5a3eed0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b7f9180, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8b7f9180, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x7711b3a3, ftLastWriteTime.dwHighDateTime=0x1d251bc, nFileSizeHigh=0x0, nFileSizeLow=0x68400)) returned 1 [0103.387] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3ec08) returned 1 [0103.387] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", lpdwHandle=0x5a3ef44 | out: lpdwHandle=0x5a3ef44) returned 0x74c [0103.387] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", dwHandle=0x0, dwLen=0x74c, lpData=0x23f66e8 | out: lpData=0x23f66e8) returned 1 [0103.388] VerQueryValueW (in: pBlock=0x23f66e8, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x5a3ef18, puLen=0x5a3ef14 | out: lplpBuffer=0x5a3ef18*=0x23f6a88, puLen=0x5a3ef14) returned 1 [0103.388] VerQueryValueW (in: pBlock=0x23f66e8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\CompanyName", lplpBuffer=0x5a3ee98, puLen=0x5a3ee94 | out: lplpBuffer=0x5a3ee98*=0x23f67a0, puLen=0x5a3ee94) returned 1 [0103.388] VerQueryValueW (in: pBlock=0x23f66e8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\FileDescription", lplpBuffer=0x5a3ee98, puLen=0x5a3ee94 | out: lplpBuffer=0x5a3ee98*=0x23f67f4, puLen=0x5a3ee94) returned 1 [0103.388] VerQueryValueW (in: pBlock=0x23f66e8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\FileVersion", lplpBuffer=0x5a3ee98, puLen=0x5a3ee94 | out: lplpBuffer=0x5a3ee98*=0x23f683c, puLen=0x5a3ee94) returned 1 [0103.388] VerQueryValueW (in: pBlock=0x23f66e8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\InternalName", lplpBuffer=0x5a3ee98, puLen=0x5a3ee94 | out: lplpBuffer=0x5a3ee98*=0x23f68b0, puLen=0x5a3ee94) returned 1 [0103.388] VerQueryValueW (in: pBlock=0x23f66e8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\LegalCopyright", lplpBuffer=0x5a3ee98, puLen=0x5a3ee94 | out: lplpBuffer=0x5a3ee98*=0x23f68ec, puLen=0x5a3ee94) returned 1 [0103.388] VerQueryValueW (in: pBlock=0x23f66e8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\OriginalFilename", lplpBuffer=0x5a3ee98, puLen=0x5a3ee94 | out: lplpBuffer=0x5a3ee98*=0x23f6970, puLen=0x5a3ee94) returned 1 [0103.388] VerQueryValueW (in: pBlock=0x23f66e8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\ProductName", lplpBuffer=0x5a3ee98, puLen=0x5a3ee94 | out: lplpBuffer=0x5a3ee98*=0x23f69b8, puLen=0x5a3ee94) returned 1 [0103.388] VerQueryValueW (in: pBlock=0x23f66e8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\ProductVersion", lplpBuffer=0x5a3ee98, puLen=0x5a3ee94 | out: lplpBuffer=0x5a3ee98*=0x23f6a28, puLen=0x5a3ee94) returned 1 [0103.388] VerQueryValueW (in: pBlock=0x23f66e8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\Comments", lplpBuffer=0x5a3ee98, puLen=0x5a3ee94 | out: lplpBuffer=0x5a3ee98*=0x0, puLen=0x5a3ee94) returned 0 [0103.388] VerQueryValueW (in: pBlock=0x23f66e8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\LegalTrademarks", lplpBuffer=0x5a3ee98, puLen=0x5a3ee94 | out: lplpBuffer=0x5a3ee98*=0x0, puLen=0x5a3ee94) returned 0 [0103.388] VerQueryValueW (in: pBlock=0x23f66e8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\PrivateBuild", lplpBuffer=0x5a3ee98, puLen=0x5a3ee94 | out: lplpBuffer=0x5a3ee98*=0x0, puLen=0x5a3ee94) returned 0 [0103.388] VerQueryValueW (in: pBlock=0x23f66e8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\SpecialBuild", lplpBuffer=0x5a3ee98, puLen=0x5a3ee94 | out: lplpBuffer=0x5a3ee98*=0x0, puLen=0x5a3ee94) returned 0 [0103.388] VerQueryValueW (in: pBlock=0x23f66e8, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x5a3ee8c, puLen=0x5a3ee88 | out: lplpBuffer=0x5a3ee8c*=0x23f6a88, puLen=0x5a3ee88) returned 1 [0103.388] VerLanguageNameW (in: wLang=0x409, szLang=0x5a3ec1c, cchLang=0x100 | out: szLang="English (United States)") returned 0x17 [0103.388] VerQueryValueW (in: pBlock=0x23f66e8, lpSubBlock="\\", lplpBuffer=0x5a3ee9c, puLen=0x5a3ee98 | out: lplpBuffer=0x5a3ee9c*=0x23f6710, puLen=0x5a3ee98) returned 1 [0103.582] QueryPerformanceCounter (in: lpPerformanceCount=0x5a3efa4 | out: lpPerformanceCount=0x5a3efa4*=1804459171691) returned 1 [0103.588] EtwEventRegister () returned 0x0 [0103.588] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x5a3ee14, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.650] EtwEventActivityIdControl () returned 0x0 [0103.650] EtwEventActivityIdControl () returned 0x0 [0103.650] EtwEventActivityIdControl () returned 0x0 [0103.654] EtwEventActivityIdControl () returned 0x0 [0103.655] EtwEventActivityIdControl () returned 0x0 [0103.655] EtwEventActivityIdControl () returned 0x0 [0103.709] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5a3e61c, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.709] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5a3e61c, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.718] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5a3e608, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.733] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging", ulOptions=0x0, samDesired=0x20019, phkResult=0x5a3ee80 | out: phkResult=0x5a3ee80*=0x0) returned 0x2 [0103.733] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging", ulOptions=0x0, samDesired=0x20019, phkResult=0x5a3ee80 | out: phkResult=0x5a3ee80*=0x0) returned 0x2 [0103.735] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5a3e5d8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.742] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x5a3ea18, nSize=0x80 | out: lpBuffer="") returned 0x0 [0103.743] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x5a3e934, nSize=0x80 | out: lpBuffer="") returned 0xbe [0103.744] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x5a3e8b8, nSize=0xbe | out: lpBuffer="") returned 0xbd [0103.745] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x5a3e8a4, nSize=0xbe | out: lpBuffer="") returned 0x3a [0103.765] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4d3c3b8 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop") returned 0x1a [0103.767] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x5a3e8ac, nSize=0xbe | out: lpBuffer="") returned 0x3a [0103.768] GetFullPathNameW (in: lpFileName="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x49 [0103.768] GetFullPathNameW (in: lpFileName="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x49, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x48 [0103.768] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7a0) returned 1 [0103.768] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\users\\keecfmwgj\\desktop\\c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x5a3ea64 | out: lpFileInformation=0x5a3ea64*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0103.769] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e79c) returned 1 [0103.769] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5a3e13c, nSize=0xbe | out: lpBuffer="") returned 0x0 [0103.769] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0103.769] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x14, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0103.770] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7a0) returned 1 [0103.770] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x5a3ea64 | out: lpFileInformation=0x5a3ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe13712, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x5da08c40, ftLastAccessTime.dwHighDateTime=0x1d7a944, ftLastWriteTime.dwLowDateTime=0x5da08c40, ftLastWriteTime.dwHighDateTime=0x1d7a944, nFileSizeHigh=0x0, nFileSizeLow=0x80000)) returned 1 [0103.770] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e79c) returned 1 [0103.770] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3ea5c) returned 1 [0103.771] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0103.771] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x14, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0103.772] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\Start-Sleep.*", lpFindFileData=0x5a3e80c | out: lpFindFileData=0x5a3e80c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0103.772] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7b4) returned 1 [0103.772] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3ea14) returned 1 [0103.773] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0103.773] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0xb, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0103.773] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7a0) returned 1 [0103.773] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x5a3ea64 | out: lpFileInformation=0x5a3ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x571be860, ftLastAccessTime.dwHighDateTime=0x1d7a944, ftLastWriteTime.dwLowDateTime=0x571be860, ftLastWriteTime.dwHighDateTime=0x1d7a944, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0103.773] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e79c) returned 1 [0103.773] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3ea5c) returned 1 [0103.773] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0103.774] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0xb, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0103.774] FindFirstFileW (in: lpFileName="C:\\Windows\\Start-Sleep.*", lpFindFileData=0x5a3e80c | out: lpFindFileData=0x5a3e80c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0103.774] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7b4) returned 1 [0103.774] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3ea14) returned 1 [0103.774] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0103.774] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0103.774] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7a0) returned 1 [0103.774] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem" (normalized: "c:\\windows\\syswow64\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x5a3ea64 | out: lpFileInformation=0x5a3ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x123dcea, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x496a9b80, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496a9b80, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0103.775] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e79c) returned 1 [0103.775] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3ea5c) returned 1 [0103.775] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0103.775] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0103.775] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\Start-Sleep.*", lpFindFileData=0x5a3e80c | out: lpFindFileData=0x5a3e80c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0103.775] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7b4) returned 1 [0103.775] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3ea14) returned 1 [0103.775] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2c [0103.775] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x2c, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0103.775] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7a0) returned 1 [0103.775] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x5a3ea64 | out: lpFileInformation=0x5a3ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x499a3700, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499a3700, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0103.775] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e79c) returned 1 [0103.776] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3ea5c) returned 1 [0103.776] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2c [0103.776] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x2c, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0103.776] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Start-Sleep.*", lpFindFileData=0x5a3e80c | out: lpFindFileData=0x5a3e80c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0103.776] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7b4) returned 1 [0103.776] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3ea14) returned 1 [0103.779] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x5a3e910, nSize=0xbe | out: lpBuffer="") returned 0xc6 [0103.779] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x5a3e900, nSize=0xc6 | out: lpBuffer="") returned 0xc5 [0103.790] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules" (normalized: "c:\\program files\\windowspowershell\\modules")) returned 0x10 [0103.793] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3ea8c) returned 1 [0103.793] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2b [0103.793] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x2b, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x2a [0103.793] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\*", lpFindFileData=0x5a3e83c | out: lpFindFileData=0x5a3e83c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49ad4200, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49ad4200, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x520db8 [0103.794] FindNextFileW (in: hFindFile=0x520db8, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49ad4200, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49ad4200, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.794] FindNextFileW (in: hFindFile=0x520db8, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ad4200, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49ad4200, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49ad4200, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement", cAlternateFileName="PACKAG~1")) returned 1 [0103.794] FindNextFileW (in: hFindFile=0x520db8, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49aae0a0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49aae0a0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerShellGet", cAlternateFileName="POWERS~1")) returned 1 [0103.794] FindNextFileW (in: hFindFile=0x520db8, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0103.794] FindClose (in: hFindFile=0x520db8 | out: hFindFile=0x520db8) returned 1 [0103.794] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7fc) returned 1 [0103.794] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3ea5c) returned 1 [0103.795] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.psd1")) returned 0xffffffff [0103.795] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.psm1")) returned 0xffffffff [0103.795] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.cdxml")) returned 0xffffffff [0103.795] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.xaml")) returned 0xffffffff [0103.795] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.ni.dll")) returned 0xffffffff [0103.796] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.dll")) returned 0xffffffff [0103.796] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0103.796] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x3d, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x3c [0103.796] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7dc) returned 1 [0103.796] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement"), fInfoLevelId=0x0, lpFileInformation=0x5a3eaa0 | out: lpFileInformation=0x5a3eaa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ad4200, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49ad4200, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49ad4200, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0103.797] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7d8) returned 1 [0103.797] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x39 [0103.797] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x39, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", lpFilePart=0x0) returned 0x38 [0103.797] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7dc) returned 1 [0103.797] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget"), fInfoLevelId=0x0, lpFileInformation=0x5a3eaa0 | out: lpFileInformation=0x5a3eaa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49aae0a0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49aae0a0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0103.797] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7d8) returned 1 [0103.797] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3ea8c) returned 1 [0103.797] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0103.797] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x3d, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x3c [0103.797] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\*", lpFindFileData=0x5a3e83c | out: lpFindFileData=0x5a3e83c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ad4200, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49ad4200, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49ad4200, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x520db8 [0103.798] FindNextFileW (in: hFindFile=0x520db8, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ad4200, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49ad4200, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49ad4200, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.798] FindNextFileW (in: hFindFile=0x520db8, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ad4200, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49b46620, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49b46620, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0103.798] FindNextFileW (in: hFindFile=0x520db8, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0103.798] FindClose (in: hFindFile=0x520db8 | out: hFindFile=0x520db8) returned 1 [0103.798] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7fc) returned 1 [0103.798] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3ea5c) returned 1 [0103.798] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5c [0103.798] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x5c, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0103.798] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7e0) returned 1 [0103.798] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), fInfoLevelId=0x0, lpFileInformation=0x5a3eaa4 | out: lpFileInformation=0x5a3eaa4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49b46620, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea9fba0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea9fba0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x8f9)) returned 1 [0103.798] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7dc) returned 1 [0103.799] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5c [0103.799] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x5c, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0103.799] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5c [0103.799] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x5c, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0103.800] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e804) returned 1 [0103.800] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), fInfoLevelId=0x0, lpFileInformation=0x241f9b4 | out: lpFileInformation=0x241f9b4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49b46620, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea9fba0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea9fba0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x8f9)) returned 1 [0103.800] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e800) returned 1 [0103.815] GetEnvironmentVariableW (in: lpName="PSModuleAnalysisCachePath", lpBuffer=0x5a3dab4, nSize=0xc6 | out: lpBuffer="") returned 0x0 [0103.816] CoTaskMemAlloc (cb=0x20c) returned 0x523960 [0103.816] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x523960 | out: pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local") returned 0x0 [0103.816] CoTaskMemFree (pv=0x523960) [0103.816] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x21 [0103.816] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local", nBufferLength=0x21, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local", lpFilePart=0x0) returned 0x20 [0103.817] GetFileAttributesW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\powershell\\moduleanalysiscache")) returned 0x2020 [0103.819] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x52 [0103.819] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache", nBufferLength=0x52, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache", lpFilePart=0x0) returned 0x51 [0103.819] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e258) returned 1 [0103.820] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\powershell\\moduleanalysiscache"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3cc [0103.820] GetFileType (hFile=0x3cc) returned 0x1 [0103.820] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e254) returned 1 [0103.820] GetFileType (hFile=0x3cc) returned 0x1 [0103.820] ReadFile (in: hFile=0x3cc, lpBuffer=0x2420b04, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3e2cc, lpOverlapped=0x0 | out: lpBuffer=0x2420b04*, lpNumberOfBytesRead=0x5a3e2cc*=0x1000, lpOverlapped=0x0) returned 1 [0103.859] ReadFile (in: hFile=0x3cc, lpBuffer=0x24206df, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x5a3e2d4, lpOverlapped=0x0 | out: lpBuffer=0x24206df*, lpNumberOfBytesRead=0x5a3e2d4*=0x1, lpOverlapped=0x0) returned 1 [0103.859] ReadFile (in: hFile=0x3cc, lpBuffer=0x2420b04, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3e2c0, lpOverlapped=0x0 | out: lpBuffer=0x2420b04*, lpNumberOfBytesRead=0x5a3e2c0*=0x1000, lpOverlapped=0x0) returned 1 [0103.860] ReadFile (in: hFile=0x3cc, lpBuffer=0x24206dd, nNumberOfBytesToRead=0x13, lpNumberOfBytesRead=0x5a3e2d4, lpOverlapped=0x0 | out: lpBuffer=0x24206dd*, lpNumberOfBytesRead=0x5a3e2d4*=0x13, lpOverlapped=0x0) returned 1 [0103.860] ReadFile (in: hFile=0x3cc, lpBuffer=0x2420b04, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3e2d4, lpOverlapped=0x0 | out: lpBuffer=0x2420b04*, lpNumberOfBytesRead=0x5a3e2d4*=0x1000, lpOverlapped=0x0) returned 1 [0103.861] ReadFile (in: hFile=0x3cc, lpBuffer=0x2420b04, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3e2d4, lpOverlapped=0x0 | out: lpBuffer=0x2420b04*, lpNumberOfBytesRead=0x5a3e2d4*=0x4fd, lpOverlapped=0x0) returned 1 [0103.861] GetEnvironmentVariableW (in: lpName="PSDisableModuleAnalysisCacheCleanup", lpBuffer=0x5a3e134, nSize=0xc6 | out: lpBuffer="") returned 0x0 [0103.879] CloseHandle (hObject=0x3cc) returned 1 [0103.879] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psd1")) returned 0xffffffff [0103.879] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psm1")) returned 0xffffffff [0103.880] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.cdxml")) returned 0xffffffff [0103.880] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.xaml")) returned 0xffffffff [0103.881] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.ni.dll")) returned 0xffffffff [0103.881] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.dll")) returned 0xffffffff [0103.881] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3ea8c) returned 1 [0103.881] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x39 [0103.881] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x39, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", lpFilePart=0x0) returned 0x38 [0103.881] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\*", lpFindFileData=0x5a3e83c | out: lpFindFileData=0x5a3e83c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49aae0a0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49aae0a0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x520df8 [0103.881] FindNextFileW (in: hFindFile=0x520df8, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49aae0a0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49aae0a0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.882] FindNextFileW (in: hFindFile=0x520df8, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49ad4200, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49ad4200, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0103.882] FindNextFileW (in: hFindFile=0x520df8, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0103.882] FindClose (in: hFindFile=0x520df8 | out: hFindFile=0x520df8) returned 1 [0103.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7fc) returned 1 [0103.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3ea5c) returned 1 [0103.882] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0103.882] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0103.882] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7e0) returned 1 [0103.882] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x5a3eaa4 | out: lpFileInformation=0x5a3eaa4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea79a40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea79a40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0103.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7dc) returned 1 [0103.883] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0103.883] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0103.883] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0103.883] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0103.883] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e804) returned 1 [0103.883] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x2432b74 | out: lpFileInformation=0x2432b74*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea79a40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea79a40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0103.883] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e800) returned 1 [0103.883] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.psd1")) returned 0xffffffff [0103.883] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.psm1")) returned 0xffffffff [0103.883] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.cdxml")) returned 0xffffffff [0103.884] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.xaml")) returned 0xffffffff [0103.884] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.ni.dll")) returned 0xffffffff [0103.884] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.dll")) returned 0xffffffff [0103.887] GetFileAttributesW (lpFileName="C:\\Users\\kEecfMwgj\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\keecfmwgj\\documents\\windowspowershell\\modules")) returned 0xffffffff [0103.896] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules" (normalized: "c:\\program files (x86)\\windowspowershell\\modules")) returned 0x10 [0103.896] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3ea8c) returned 1 [0103.897] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x31 [0103.897] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules", nBufferLength=0x31, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x30 [0103.897] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\*", lpFindFileData=0x5a3e83c | out: lpFindFileData=0x5a3e83c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499ef9c0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499ef9c0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x520df8 [0103.897] FindNextFileW (in: hFindFile=0x520df8, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499ef9c0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499ef9c0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.897] FindNextFileW (in: hFindFile=0x520df8, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499ef9c0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499ef9c0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499ef9c0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement", cAlternateFileName="PACKAG~1")) returned 1 [0103.897] FindNextFileW (in: hFindFile=0x520df8, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499a3700, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499a3700, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerShellGet", cAlternateFileName="POWERS~1")) returned 1 [0103.897] FindNextFileW (in: hFindFile=0x520df8, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0103.897] FindClose (in: hFindFile=0x520df8 | out: hFindFile=0x520df8) returned 1 [0103.897] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7fc) returned 1 [0103.897] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3ea5c) returned 1 [0103.898] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Modules.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\modules.psd1")) returned 0xffffffff [0103.898] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Modules.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\modules.psm1")) returned 0xffffffff [0103.898] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Modules.cdxml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\modules.cdxml")) returned 0xffffffff [0103.898] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Modules.xaml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\modules.xaml")) returned 0xffffffff [0103.898] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Modules.ni.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\modules.ni.dll")) returned 0xffffffff [0103.898] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Modules.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\modules.dll")) returned 0xffffffff [0103.898] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x43 [0103.898] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x43, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x42 [0103.898] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7dc) returned 1 [0103.898] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement"), fInfoLevelId=0x0, lpFileInformation=0x5a3eaa0 | out: lpFileInformation=0x5a3eaa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499ef9c0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499ef9c0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499ef9c0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0103.899] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7d8) returned 1 [0103.899] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3f [0103.899] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x3f, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet", lpFilePart=0x0) returned 0x3e [0103.899] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7dc) returned 1 [0103.899] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget"), fInfoLevelId=0x0, lpFileInformation=0x5a3eaa0 | out: lpFileInformation=0x5a3eaa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499a3700, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499a3700, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0103.899] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7d8) returned 1 [0103.899] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3ea8c) returned 1 [0103.899] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x43 [0103.899] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x43, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x42 [0103.900] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\*", lpFindFileData=0x5a3e83c | out: lpFindFileData=0x5a3e83c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499ef9c0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499ef9c0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499ef9c0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x520df8 [0103.900] FindNextFileW (in: hFindFile=0x520df8, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499ef9c0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499ef9c0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499ef9c0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.900] FindNextFileW (in: hFindFile=0x520df8, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499ef9c0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49a61de0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49a61de0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0103.900] FindNextFileW (in: hFindFile=0x520df8, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0103.900] FindClose (in: hFindFile=0x520df8 | out: hFindFile=0x520df8) returned 1 [0103.900] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7fc) returned 1 [0103.900] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3ea5c) returned 1 [0103.900] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x62 [0103.900] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x62, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x61 [0103.900] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7e0) returned 1 [0103.901] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), fInfoLevelId=0x0, lpFileInformation=0x5a3eaa4 | out: lpFileInformation=0x5a3eaa4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49a3bc80, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea79a40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea79a40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x8f9)) returned 1 [0103.901] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7dc) returned 1 [0103.901] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x62 [0103.901] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x62, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x61 [0103.901] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x62 [0103.901] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x62, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x61 [0103.901] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e804) returned 1 [0103.901] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), fInfoLevelId=0x0, lpFileInformation=0x243c714 | out: lpFileInformation=0x243c714*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49a3bc80, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea79a40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea79a40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x8f9)) returned 1 [0103.901] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e800) returned 1 [0103.903] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x62 [0103.903] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x62, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x61 [0103.903] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e96c) returned 1 [0103.903] CreateFileW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3cc [0103.904] GetFileType (hFile=0x3cc) returned 0x1 [0103.904] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e968) returned 1 [0103.904] GetFileType (hFile=0x3cc) returned 0x1 [0103.904] GetACP () returned 0x4e4 [0103.934] SetFilePointer (in: hFile=0x3cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3e9a8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3e9a8*=0) returned 0x0 [0103.934] ReadFile (in: hFile=0x3cc, lpBuffer=0x243d9ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3e9d4, lpOverlapped=0x0 | out: lpBuffer=0x243d9ec*, lpNumberOfBytesRead=0x5a3e9d4*=0x8f9, lpOverlapped=0x0) returned 1 [0103.936] SetFilePointer (in: hFile=0x3cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3e9a8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3e9a8*=0) returned 0x8f9 [0103.936] ReadFile (in: hFile=0x3cc, lpBuffer=0x243ce79, nNumberOfBytesToRead=0x307, lpNumberOfBytesRead=0x5a3e9d4, lpOverlapped=0x0 | out: lpBuffer=0x243ce79*, lpNumberOfBytesRead=0x5a3e9d4*=0x0, lpOverlapped=0x0) returned 1 [0103.936] SetFilePointer (in: hFile=0x3cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3e9a8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3e9a8*=0) returned 0x8f9 [0103.936] ReadFile (in: hFile=0x3cc, lpBuffer=0x243d9ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3e9d4, lpOverlapped=0x0 | out: lpBuffer=0x243d9ec*, lpNumberOfBytesRead=0x5a3e9d4*=0x0, lpOverlapped=0x0) returned 1 [0103.937] CloseHandle (hObject=0x3cc) returned 1 [0103.953] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psd1")) returned 0xffffffff [0103.953] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psm1")) returned 0xffffffff [0103.953] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.cdxml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\packagemanagement.cdxml")) returned 0xffffffff [0103.953] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.xaml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\packagemanagement.xaml")) returned 0xffffffff [0103.953] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.ni.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\packagemanagement.ni.dll")) returned 0xffffffff [0103.953] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\packagemanagement.dll")) returned 0xffffffff [0103.954] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3ea8c) returned 1 [0103.954] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3f [0103.954] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x3f, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet", lpFilePart=0x0) returned 0x3e [0103.954] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\*", lpFindFileData=0x5a3e83c | out: lpFindFileData=0x5a3e83c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499a3700, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499a3700, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x520df8 [0103.954] FindNextFileW (in: hFindFile=0x520df8, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499a3700, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499a3700, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.954] FindNextFileW (in: hFindFile=0x520df8, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499ef9c0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499ef9c0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0103.954] FindNextFileW (in: hFindFile=0x520df8, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0103.955] FindClose (in: hFindFile=0x520df8 | out: hFindFile=0x520df8) returned 1 [0103.955] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7fc) returned 1 [0103.955] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3ea5c) returned 1 [0103.955] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0103.955] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0103.955] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7e0) returned 1 [0103.955] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x5a3eaa4 | out: lpFileInformation=0x5a3eaa4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea538e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea538e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0103.955] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7dc) returned 1 [0103.955] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0103.955] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0103.955] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0103.955] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0103.955] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e804) returned 1 [0103.955] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x244c430 | out: lpFileInformation=0x244c430*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea538e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea538e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0103.956] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e800) returned 1 [0103.956] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0103.956] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0103.956] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e96c) returned 1 [0103.956] CreateFileW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3cc [0103.956] GetFileType (hFile=0x3cc) returned 0x1 [0103.956] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e968) returned 1 [0103.956] GetFileType (hFile=0x3cc) returned 0x1 [0103.957] SetFilePointer (in: hFile=0x3cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3e9a8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3e9a8*=0) returned 0x0 [0103.957] ReadFile (in: hFile=0x3cc, lpBuffer=0x244d208, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3e9d4, lpOverlapped=0x0 | out: lpBuffer=0x244d208*, lpNumberOfBytesRead=0x5a3e9d4*=0x1000, lpOverlapped=0x0) returned 1 [0103.959] SetFilePointer (in: hFile=0x3cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3e9a8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3e9a8*=0) returned 0x1000 [0103.959] ReadFile (in: hFile=0x3cc, lpBuffer=0x244d208, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3e9d4, lpOverlapped=0x0 | out: lpBuffer=0x244d208*, lpNumberOfBytesRead=0x5a3e9d4*=0xde, lpOverlapped=0x0) returned 1 [0103.959] SetFilePointer (in: hFile=0x3cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3e9a8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3e9a8*=0) returned 0x10de [0103.959] ReadFile (in: hFile=0x3cc, lpBuffer=0x244d208, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3e9d4, lpOverlapped=0x0 | out: lpBuffer=0x244d208*, lpNumberOfBytesRead=0x5a3e9d4*=0x0, lpOverlapped=0x0) returned 1 [0103.959] CloseHandle (hObject=0x3cc) returned 1 [0103.963] CoCreateGuid (in: pguid=0x5a3ea14 | out: pguid=0x5a3ea14*(Data1=0xd0b356c9, Data2=0x5659, Data3=0x4dc8, Data4=([0]=0x9e, [1]=0x78, [2]=0xc, [3]=0xb3, [4]=0x9b, [5]=0x6, [6]=0xec, [7]=0x19))) returned 0x0 [0103.979] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3cc [0103.979] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3ec [0103.979] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3f0 [0103.979] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3f4 [0103.979] SetEvent (hEvent=0x3f4) returned 1 [0103.979] SetEvent (hEvent=0x3cc) returned 1 [0103.980] SetEvent (hEvent=0x3ec) returned 1 [0103.980] SetEvent (hEvent=0x3f0) returned 1 [0103.981] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3f8 [0103.981] SetThreadUILanguage (LangId=0x0) returned 0x409 [0104.028] EtwEventActivityIdControl () returned 0x0 [0104.028] EtwEventActivityIdControl () returned 0x0 [0104.028] EtwEventActivityIdControl () returned 0x0 [0104.054] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1")) returned 0x20 [0104.055] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0104.055] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0104.055] NtQuerySystemInformation (in: SystemInformationClass=0xa4, SystemInformation=0x5a3e34c, Length=0x20, ResultLength=0x5a3e3bc | out: SystemInformation=0x5a3e34c, ResultLength=0x5a3e3bc*=0x0) returned 0xc0000003 [0104.055] GetSystemInfo (in: lpSystemInfo=0x5a3e3c8 | out: lpSystemInfo=0x5a3e3c8*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5507)) [0104.056] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x5a3e358 | out: phkResult=0x5a3e358*=0x3fc) returned 0x0 [0104.056] RegQueryValueExW (in: hKey=0x3fc, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x5a3e374, lpData=0x0, lpcbData=0x5a3e370*=0x0 | out: lpType=0x5a3e374*=0x0, lpData=0x0, lpcbData=0x5a3e370*=0x0) returned 0x2 [0104.056] RegCloseKey (hKey=0x3fc) returned 0x0 [0104.067] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0104.067] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0104.067] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e2d0) returned 1 [0104.067] CreateFileW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3fc [0104.068] GetFileType (hFile=0x3fc) returned 0x1 [0104.068] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e2cc) returned 1 [0104.068] GetFileType (hFile=0x3fc) returned 0x1 [0104.068] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3e30c*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3e30c*=0) returned 0x0 [0104.068] ReadFile (in: hFile=0x3fc, lpBuffer=0x2470b38, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3e338, lpOverlapped=0x0 | out: lpBuffer=0x2470b38*, lpNumberOfBytesRead=0x5a3e338*=0x1000, lpOverlapped=0x0) returned 1 [0104.070] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3e30c*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3e30c*=0) returned 0x1000 [0104.070] ReadFile (in: hFile=0x3fc, lpBuffer=0x2470b38, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3e338, lpOverlapped=0x0 | out: lpBuffer=0x2470b38*, lpNumberOfBytesRead=0x5a3e338*=0xde, lpOverlapped=0x0) returned 1 [0104.070] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3e30c*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3e30c*=0) returned 0x10de [0104.070] ReadFile (in: hFile=0x3fc, lpBuffer=0x2470b38, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3e338, lpOverlapped=0x0 | out: lpBuffer=0x2470b38*, lpNumberOfBytesRead=0x5a3e338*=0x0, lpOverlapped=0x0) returned 1 [0104.070] NtQuerySystemInformation (in: SystemInformationClass=0xa4, SystemInformation=0x5a3e2a0, Length=0x20, ResultLength=0x5a3e310 | out: SystemInformation=0x5a3e2a0, ResultLength=0x5a3e310*=0x0) returned 0xc0000003 [0104.071] GetSystemInfo (in: lpSystemInfo=0x5a3e31c | out: lpSystemInfo=0x5a3e31c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5507)) [0104.071] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x5a3e2ac | out: phkResult=0x5a3e2ac*=0x404) returned 0x0 [0104.071] RegQueryValueExW (in: hKey=0x404, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x5a3e2c8, lpData=0x0, lpcbData=0x5a3e2c4*=0x0 | out: lpType=0x5a3e2c8*=0x0, lpData=0x0, lpcbData=0x5a3e2c4*=0x0) returned 0x2 [0104.071] RegCloseKey (hKey=0x404) returned 0x0 [0104.071] CloseHandle (hObject=0x3fc) returned 1 [0104.074] CoCreateGuid (in: pguid=0x5a3e39c | out: pguid=0x5a3e39c*(Data1=0x8b1f6538, Data2=0x3375, Data3=0x4d8f, Data4=([0]=0xaf, [1]=0xbf, [2]=0x96, [3]=0x84, [4]=0x26, [5]=0x91, [6]=0xc2, [7]=0xa0))) returned 0x0 [0104.079] QueryPerformanceCounter (in: lpPerformanceCount=0x5a3e0fc | out: lpPerformanceCount=0x5a3e0fc*=1804508881508) returned 1 [0104.079] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0104.079] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0104.079] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3dde8) returned 1 [0104.079] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x5a3e0ac | out: lpFileInformation=0x5a3e0ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea538e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea538e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0104.079] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3dde4) returned 1 [0104.079] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0104.079] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0104.080] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0104.080] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0104.080] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3dd7c) returned 1 [0104.080] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x5a3e040 | out: lpFileInformation=0x5a3e040*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea538e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea538e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0104.080] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3dd78) returned 1 [0104.080] CoTaskMemAlloc (cb=0x10) returned 0x4d2d058 [0104.080] CoTaskMemAlloc (cb=0x10) returned 0x4d2d0b8 [0104.080] CoTaskMemAlloc (cb=0xb4) returned 0x51cf70 [0104.080] CoTaskMemAlloc (cb=0x30) returned 0x4d39318 [0104.080] WinVerifyTrust () returned 0x800b0100 [0104.090] CoTaskMemFree (pv=0x4d2d058) [0104.090] CoTaskMemFree (pv=0x4d39318) [0104.090] CryptCATHandleFromStore () returned 0x504548 [0104.090] WTHelperGetProvSignerFromChain () returned 0x0 [0104.091] CoTaskMemAlloc (cb=0x10) returned 0x4d2d058 [0104.091] CoTaskMemAlloc (cb=0x30) returned 0x4d39318 [0104.091] WinVerifyTrust () returned 0x0 [0104.091] CoTaskMemFree (pv=0x4d39318) [0104.091] CoTaskMemFree (pv=0x4d2d058) [0104.091] CoTaskMemFree (pv=0x51cf70) [0104.091] CoTaskMemFree (pv=0x4d2d0b8) [0104.145] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\en-US\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\en-us\\powershellget.psd1")) returned 0xffffffff [0104.145] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\en\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\en\\powershellget.psd1")) returned 0xffffffff [0104.152] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1")) returned 0x20 [0104.156] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1")) returned 0x20 [0104.158] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0104.158] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0104.158] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x47 [0104.158] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1", nBufferLength=0x47, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1", lpFilePart=0x0) returned 0x46 [0104.179] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x5a3da38 | out: phkResult=0x5a3da38*=0x3fc) returned 0x0 [0104.179] RegQueryValueExW (in: hKey=0x3fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x5a3da58, lpData=0x0, lpcbData=0x5a3da54*=0x0 | out: lpType=0x5a3da58*=0x1, lpData=0x0, lpcbData=0x5a3da54*=0x56) returned 0x0 [0104.179] RegQueryValueExW (in: hKey=0x3fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x5a3da58, lpData=0x249ce30, lpcbData=0x5a3da54*=0x56 | out: lpType=0x5a3da58*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x5a3da54*=0x56) returned 0x0 [0104.179] RegCloseKey (hKey=0x3fc) returned 0x0 [0104.182] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Format.ps1xml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.format.ps1xml")) returned 0x20 [0104.185] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Format.ps1xml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.format.ps1xml")) returned 0x20 [0104.186] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Format.ps1xml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.format.ps1xml")) returned 0x20 [0104.187] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x5a3da38 | out: phkResult=0x5a3da38*=0x3fc) returned 0x0 [0104.187] RegQueryValueExW (in: hKey=0x3fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x5a3da58, lpData=0x0, lpcbData=0x5a3da54*=0x0 | out: lpType=0x5a3da58*=0x1, lpData=0x0, lpcbData=0x5a3da54*=0x56) returned 0x0 [0104.187] RegQueryValueExW (in: hKey=0x3fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x5a3da58, lpData=0x24aa610, lpcbData=0x5a3da54*=0x56 | out: lpType=0x5a3da58*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x5a3da54*=0x56) returned 0x0 [0104.187] RegCloseKey (hKey=0x3fc) returned 0x0 [0104.189] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1")) returned 0x20 [0104.195] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1")) returned 0x20 [0104.200] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Format.ps1xml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.format.ps1xml")) returned 0x20 [0104.204] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Format.ps1xml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.format.ps1xml")) returned 0x20 [0104.208] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Resource.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.resource.psd1")) returned 0x20 [0104.211] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Resource.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.resource.psd1")) returned 0x20 [0104.215] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGetModuleInfo.xml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5b [0104.215] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGetModuleInfo.xml", nBufferLength=0x5b, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGetModuleInfo.xml", lpFilePart=0x0) returned 0x5a [0104.216] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3d838) returned 1 [0104.216] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGetModuleInfo.xml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psgetmoduleinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0x5a3dafc | out: lpFileInformation=0x5a3dafc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0104.216] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3d834) returned 1 [0104.217] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1")) returned 0x20 [0104.249] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x55 [0104.249] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", nBufferLength=0x55, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", lpFilePart=0x0) returned 0x54 [0104.250] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3d360) returned 1 [0104.250] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1"), fInfoLevelId=0x0, lpFileInformation=0x24d976c | out: lpFileInformation=0x24d976c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499c9860, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea538e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea538e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x8caa9)) returned 1 [0104.250] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3d35c) returned 1 [0104.250] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x55 [0104.250] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", nBufferLength=0x55, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", lpFilePart=0x0) returned 0x54 [0104.250] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3d504) returned 1 [0104.251] CreateFileW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3fc [0104.251] GetFileType (hFile=0x3fc) returned 0x1 [0104.251] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3d500) returned 1 [0104.251] GetFileType (hFile=0x3fc) returned 0x1 [0104.251] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x0 [0104.251] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.253] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x1000 [0104.253] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.254] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x2000 [0104.254] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.254] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x3000 [0104.254] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.255] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x4000 [0104.255] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.255] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x5000 [0104.255] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.256] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x6000 [0104.256] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.256] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x7000 [0104.256] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.257] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x8000 [0104.257] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.257] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x9000 [0104.257] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.258] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0xa000 [0104.258] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.258] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0xb000 [0104.258] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.259] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0xc000 [0104.259] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.259] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0xd000 [0104.259] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.260] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0xe000 [0104.260] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.261] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0xf000 [0104.261] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.261] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x10000 [0104.261] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.261] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x11000 [0104.262] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.263] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x12000 [0104.263] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.263] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x13000 [0104.263] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.264] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x14000 [0104.264] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.264] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x15000 [0104.264] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.264] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x16000 [0104.264] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.265] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x17000 [0104.265] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.265] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x18000 [0104.265] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.265] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x19000 [0104.266] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.267] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x1a000 [0104.267] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.267] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x1b000 [0104.267] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.267] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x1c000 [0104.267] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.268] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x1d000 [0104.268] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.268] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x1e000 [0104.268] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.269] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x1f000 [0104.269] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.269] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x20000 [0104.269] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.269] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x21000 [0104.269] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.271] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x22000 [0104.271] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.271] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x23000 [0104.271] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.271] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x24000 [0104.272] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.272] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x25000 [0104.272] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.272] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x26000 [0104.272] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.273] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x27000 [0104.273] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.273] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x28000 [0104.273] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.274] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x29000 [0104.274] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.275] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x2a000 [0104.275] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.275] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x2b000 [0104.275] ReadFile (in: hFile=0x3fc, lpBuffer=0x24da570, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x24da570*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.293] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x2c000 [0104.293] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.293] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x2d000 [0104.293] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.294] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x2e000 [0104.294] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.294] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x2f000 [0104.294] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.294] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x30000 [0104.294] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.295] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x31000 [0104.295] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.295] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x32000 [0104.295] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.296] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x33000 [0104.296] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.296] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x34000 [0104.296] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.296] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x35000 [0104.297] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.297] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x36000 [0104.297] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.297] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x37000 [0104.297] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.298] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x38000 [0104.298] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.298] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x39000 [0104.298] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.298] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x3a000 [0104.298] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.299] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x3b000 [0104.299] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.299] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x3c000 [0104.299] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.299] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x3d000 [0104.300] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.300] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x3e000 [0104.300] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.300] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x3f000 [0104.300] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.300] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x40000 [0104.301] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.301] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x41000 [0104.302] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.302] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x42000 [0104.302] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.302] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x43000 [0104.302] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.302] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x44000 [0104.303] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.303] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x45000 [0104.303] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.303] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x46000 [0104.303] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.304] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x47000 [0104.304] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.304] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x48000 [0104.304] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.304] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x49000 [0104.304] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.305] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x4a000 [0104.305] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.305] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x4b000 [0104.305] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.306] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x4c000 [0104.306] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.306] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x4d000 [0104.306] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.306] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x4e000 [0104.306] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.307] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x4f000 [0104.307] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.307] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x50000 [0104.307] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.308] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x51000 [0104.308] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.308] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x52000 [0104.308] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.308] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x53000 [0104.308] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.309] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x54000 [0104.309] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.309] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x55000 [0104.309] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.309] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x56000 [0104.309] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.310] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x57000 [0104.310] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.310] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x58000 [0104.310] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.310] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x59000 [0104.310] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.311] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x5a000 [0104.311] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.311] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x5b000 [0104.311] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.312] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x5c000 [0104.312] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.312] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x5d000 [0104.312] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.312] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x5e000 [0104.312] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.313] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x5f000 [0104.313] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.313] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x60000 [0104.313] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.313] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x61000 [0104.313] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.314] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x62000 [0104.314] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.314] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x63000 [0104.314] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.314] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x64000 [0104.314] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.315] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x65000 [0104.315] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.315] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x66000 [0104.315] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.315] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x67000 [0104.315] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.316] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x68000 [0104.316] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.316] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x69000 [0104.316] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.317] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x6a000 [0104.317] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.317] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x6b000 [0104.317] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.317] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x6c000 [0104.317] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.317] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x6d000 [0104.317] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.318] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x6e000 [0104.318] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.318] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x6f000 [0104.318] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.318] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x70000 [0104.318] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.319] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x71000 [0104.319] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.319] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x72000 [0104.319] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.319] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x73000 [0104.319] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.320] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x74000 [0104.320] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.320] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x75000 [0104.320] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.320] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x76000 [0104.320] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.320] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x77000 [0104.321] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.321] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x78000 [0104.321] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.321] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x79000 [0104.321] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.321] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x7a000 [0104.322] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.322] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x7b000 [0104.322] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.322] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x7c000 [0104.322] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.322] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x7d000 [0104.322] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.323] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x7e000 [0104.323] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.323] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x7f000 [0104.323] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.323] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x80000 [0104.323] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.324] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x81000 [0104.324] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.324] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x82000 [0104.325] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.325] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x83000 [0104.325] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.325] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x84000 [0104.325] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.325] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x85000 [0104.326] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.326] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x86000 [0104.326] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.326] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x87000 [0104.326] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.326] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x88000 [0104.327] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.327] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x89000 [0104.327] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.327] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x8a000 [0104.327] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.328] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x8b000 [0104.328] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x1000, lpOverlapped=0x0) returned 1 [0104.328] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x8c000 [0104.328] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0xaa9, lpOverlapped=0x0) returned 1 [0104.328] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x8caa9 [0104.328] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b6039, nNumberOfBytesToRead=0x157, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b6039*, lpNumberOfBytesRead=0x5a3d56c*=0x0, lpOverlapped=0x0) returned 1 [0104.328] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d540*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d540*=0) returned 0x8caa9 [0104.328] ReadFile (in: hFile=0x3fc, lpBuffer=0x22b61f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d56c, lpOverlapped=0x0 | out: lpBuffer=0x22b61f0*, lpNumberOfBytesRead=0x5a3d56c*=0x0, lpOverlapped=0x0) returned 1 [0104.343] CloseHandle (hObject=0x3fc) returned 1 [0104.662] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x55 [0104.663] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", nBufferLength=0x55, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", lpFilePart=0x0) returned 0x54 [0104.663] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3d2c4) returned 1 [0104.663] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1"), fInfoLevelId=0x0, lpFileInformation=0x29558ac | out: lpFileInformation=0x29558ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499c9860, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea538e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea538e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x8caa9)) returned 1 [0104.663] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3d2c0) returned 1 [0104.677] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0104.677] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0104.677] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e0bc) returned 1 [0104.677] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x2979de4 | out: lpFileInformation=0x2979de4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea538e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea538e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0104.678] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e0b8) returned 1 [0104.687] EtwEventActivityIdControl () returned 0x0 [0104.688] SetEvent (hEvent=0x3f8) returned 1 [0104.688] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x5a3e89c*=0x3f8, lpdwindex=0x5a3e6c0 | out: lpdwindex=0x5a3e6c0) returned 0x0 [0104.690] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0104.690] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0104.690] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e77c) returned 1 [0104.690] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x297cdf4 | out: lpFileInformation=0x297cdf4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea538e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea538e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0104.690] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e778) returned 1 [0104.690] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\powershellget.psd1")) returned 0xffffffff [0104.690] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\powershellget.psm1")) returned 0xffffffff [0104.690] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.cdxml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\powershellget.cdxml")) returned 0xffffffff [0104.691] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.xaml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\powershellget.xaml")) returned 0xffffffff [0104.691] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.ni.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\powershellget.ni.dll")) returned 0xffffffff [0104.691] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\powershellget.dll")) returned 0xffffffff [0104.694] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules")) returned 0x10 [0104.694] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3ea8c) returned 1 [0104.695] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x33 [0104.695] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", nBufferLength=0x33, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", lpFilePart=0x0) returned 0x32 [0104.695] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\*", lpFindFileData=0x5a3e83c | out: lpFindFileData=0x5a3e83c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x498007e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x498007e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x520e38 [0104.695] FindNextFileW (in: hFindFile=0x520e38, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x498007e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x498007e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.695] FindNextFileW (in: hFindFile=0x520e38, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1e4bcac7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e4bcac7, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BitsTransfer", cAlternateFileName="BITSTR~1")) returned 1 [0104.695] FindNextFileW (in: hFindFile=0x520e38, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CimCmdlets", cAlternateFileName="CIMCMD~1")) returned 1 [0104.695] FindNextFileW (in: hFindFile=0x520e38, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ISE", cAlternateFileName="")) returned 1 [0104.695] FindNextFileW (in: hFindFile=0x520e38, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496cfce0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496cfce0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496cfce0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Archive", cAlternateFileName="MICROS~1.ARC")) returned 1 [0104.695] FindNextFileW (in: hFindFile=0x520e38, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Diagnostics", cAlternateFileName="MICROS~1.DIA")) returned 1 [0104.696] FindNextFileW (in: hFindFile=0x520e38, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Host", cAlternateFileName="MICROS~1.HOS")) returned 1 [0104.696] FindNextFileW (in: hFindFile=0x520e38, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Management", cAlternateFileName="MICROS~1.MAN")) returned 1 [0104.696] FindNextFileW (in: hFindFile=0x520e38, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496cfce0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496cfce0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496cfce0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.ODataUtils", cAlternateFileName="MICROS~1.ODA")) returned 1 [0104.696] FindNextFileW (in: hFindFile=0x520e38, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x498007e0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x498007e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x498007e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Security", cAlternateFileName="MICROS~1.SEC")) returned 1 [0104.696] FindNextFileW (in: hFindFile=0x520e38, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility", cAlternateFileName="MICROS~1.UTI")) returned 1 [0104.696] FindNextFileW (in: hFindFile=0x520e38, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x498007e0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x498007e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x498007e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WSMan.Management", cAlternateFileName="MICROS~2.MAN")) returned 1 [0104.696] FindNextFileW (in: hFindFile=0x520e38, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x497da680, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x497da680, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSDesiredStateConfiguration", cAlternateFileName="PSDESI~1")) returned 1 [0104.696] FindNextFileW (in: hFindFile=0x520e38, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8100bf6e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8100bf6e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSDiagnostics", cAlternateFileName="PSDIAG~1")) returned 1 [0104.696] FindNextFileW (in: hFindFile=0x520e38, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSScheduledJob", cAlternateFileName="PSSCHE~1")) returned 1 [0104.696] FindNextFileW (in: hFindFile=0x520e38, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1e4bcac7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e4bcac7, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TroubleshootingPack", cAlternateFileName="TROUBL~1")) returned 1 [0104.696] FindNextFileW (in: hFindFile=0x520e38, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0104.696] FindClose (in: hFindFile=0x520e38 | out: hFindFile=0x520e38) returned 1 [0104.696] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7fc) returned 1 [0104.696] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3ea5c) returned 1 [0104.697] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\modules.psd1")) returned 0xffffffff [0104.697] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\modules.psm1")) returned 0xffffffff [0104.697] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.cdxml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\modules.cdxml")) returned 0xffffffff [0104.697] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.xaml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\modules.xaml")) returned 0xffffffff [0104.697] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.ni.dll" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\modules.ni.dll")) returned 0xffffffff [0104.697] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.dll" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\modules.dll")) returned 0xffffffff [0104.697] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x40 [0104.697] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", nBufferLength=0x40, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", lpFilePart=0x0) returned 0x3f [0104.697] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7dc) returned 1 [0104.698] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\bitstransfer"), fInfoLevelId=0x0, lpFileInformation=0x5a3eaa0 | out: lpFileInformation=0x5a3eaa0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1e4bcac7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e4bcac7, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0104.698] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7d8) returned 1 [0104.698] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0104.698] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", nBufferLength=0x3e, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", lpFilePart=0x0) returned 0x3d [0104.698] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7dc) returned 1 [0104.698] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\cimcmdlets"), fInfoLevelId=0x0, lpFileInformation=0x5a3eaa0 | out: lpFileInformation=0x5a3eaa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0104.698] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7d8) returned 1 [0104.698] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x37 [0104.698] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE", nBufferLength=0x37, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE", lpFilePart=0x0) returned 0x36 [0104.699] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7dc) returned 1 [0104.699] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\ise"), fInfoLevelId=0x0, lpFileInformation=0x5a3eaa0 | out: lpFileInformation=0x5a3eaa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0104.699] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7d8) returned 1 [0104.699] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0104.699] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", nBufferLength=0x50, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", lpFilePart=0x0) returned 0x4f [0104.699] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7dc) returned 1 [0104.699] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.archive"), fInfoLevelId=0x0, lpFileInformation=0x5a3eaa0 | out: lpFileInformation=0x5a3eaa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496cfce0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496cfce0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496cfce0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0104.699] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7d8) returned 1 [0104.699] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0104.699] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics", nBufferLength=0x54, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics", lpFilePart=0x0) returned 0x53 [0104.699] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7dc) returned 1 [0104.700] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.diagnostics"), fInfoLevelId=0x0, lpFileInformation=0x5a3eaa0 | out: lpFileInformation=0x5a3eaa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0104.700] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7d8) returned 1 [0104.700] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4d [0104.700] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host", nBufferLength=0x4d, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host", lpFilePart=0x0) returned 0x4c [0104.700] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7dc) returned 1 [0104.700] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.host"), fInfoLevelId=0x0, lpFileInformation=0x5a3eaa0 | out: lpFileInformation=0x5a3eaa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0104.700] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7d8) returned 1 [0104.700] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0104.700] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", nBufferLength=0x53, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", lpFilePart=0x0) returned 0x52 [0104.700] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7dc) returned 1 [0104.700] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management"), fInfoLevelId=0x0, lpFileInformation=0x5a3eaa0 | out: lpFileInformation=0x5a3eaa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0104.701] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7d8) returned 1 [0104.701] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0104.701] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils", nBufferLength=0x53, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils", lpFilePart=0x0) returned 0x52 [0104.701] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7dc) returned 1 [0104.701] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.odatautils"), fInfoLevelId=0x0, lpFileInformation=0x5a3eaa0 | out: lpFileInformation=0x5a3eaa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496cfce0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496cfce0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496cfce0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0104.701] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7d8) returned 1 [0104.701] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x51 [0104.701] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security", nBufferLength=0x51, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security", lpFilePart=0x0) returned 0x50 [0104.701] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7dc) returned 1 [0104.701] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.security"), fInfoLevelId=0x0, lpFileInformation=0x5a3eaa0 | out: lpFileInformation=0x5a3eaa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x498007e0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x498007e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x498007e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0104.702] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7d8) returned 1 [0104.702] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0104.702] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x50, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", lpFilePart=0x0) returned 0x4f [0104.702] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7dc) returned 1 [0104.702] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility"), fInfoLevelId=0x0, lpFileInformation=0x5a3eaa0 | out: lpFileInformation=0x5a3eaa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0104.702] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7d8) returned 1 [0104.702] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0104.702] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management", nBufferLength=0x4e, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management", lpFilePart=0x0) returned 0x4d [0104.702] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7dc) returned 1 [0104.702] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.wsman.management"), fInfoLevelId=0x0, lpFileInformation=0x5a3eaa0 | out: lpFileInformation=0x5a3eaa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x498007e0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x498007e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x498007e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0104.702] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7d8) returned 1 [0104.703] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4f [0104.703] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration", nBufferLength=0x4f, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration", lpFilePart=0x0) returned 0x4e [0104.703] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7dc) returned 1 [0104.703] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\psdesiredstateconfiguration"), fInfoLevelId=0x0, lpFileInformation=0x5a3eaa0 | out: lpFileInformation=0x5a3eaa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x497da680, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x497da680, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0104.703] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7d8) returned 1 [0104.703] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 [0104.703] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics", nBufferLength=0x41, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics", lpFilePart=0x0) returned 0x40 [0104.703] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7dc) returned 1 [0104.703] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\psdiagnostics"), fInfoLevelId=0x0, lpFileInformation=0x5a3eaa0 | out: lpFileInformation=0x5a3eaa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8100bf6e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8100bf6e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0104.703] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7d8) returned 1 [0104.703] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x42 [0104.703] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob", nBufferLength=0x42, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob", lpFilePart=0x0) returned 0x41 [0104.704] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7dc) returned 1 [0104.704] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\psscheduledjob"), fInfoLevelId=0x0, lpFileInformation=0x5a3eaa0 | out: lpFileInformation=0x5a3eaa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0104.704] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7d8) returned 1 [0104.704] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TroubleshootingPack", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x47 [0104.704] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TroubleshootingPack", nBufferLength=0x47, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TroubleshootingPack", lpFilePart=0x0) returned 0x46 [0104.704] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e7dc) returned 1 [0104.704] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TroubleshootingPack" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\troubleshootingpack"), fInfoLevelId=0x0, lpFileInformation=0x5a3eaa0 | out: lpFileInformation=0x5a3eaa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1e4bcac7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e4bcac7, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0104.704] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7d8) returned 1 [0104.704] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3ea8c) returned 1 [0104.704] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0104.704] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x50, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", lpFilePart=0x0) returned 0x4f [0104.705] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\*", lpFindFileData=0x5a3e83c | out: lpFindFileData=0x5a3e83c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x520e38 [0104.705] FindNextFileW (in: hFindFile=0x520e38, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.705] FindNextFileW (in: hFindFile=0x520e38, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e2d1d80, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e2d1d80, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f20f74b, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x982, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility.psd1", cAlternateFileName="")) returned 1 [0104.705] FindNextFileW (in: hFindFile=0x520e38, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e285ac0, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e285ac0, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility.psm1", cAlternateFileName="")) returned 1 [0104.705] FindNextFileW (in: hFindFile=0x520e38, lpFindFileData=0x5a3e844 | out: lpFindFileData=0x5a3e844*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e285ac0, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e285ac0, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility.psm1", cAlternateFileName="")) returned 0 [0104.705] FindClose (in: hFindFile=0x520e38 | out: hFindFile=0x520e38) returned 1 [0104.705] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e7fc) returned 1 [0104.705] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3ea5c) returned 1 [0104.705] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1")) returned 0x20 [0104.705] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0104.705] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0104.705] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0104.706] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0104.706] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e804) returned 1 [0104.706] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), fInfoLevelId=0x0, lpFileInformation=0x2985774 | out: lpFileInformation=0x2985774*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e2d1d80, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e2d1d80, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f20f74b, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x982)) returned 1 [0104.706] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e800) returned 1 [0104.706] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0104.706] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0104.706] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e96c) returned 1 [0104.706] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3fc [0104.706] GetFileType (hFile=0x3fc) returned 0x1 [0104.706] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e968) returned 1 [0104.706] GetFileType (hFile=0x3fc) returned 0x1 [0104.707] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3e9a8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3e9a8*=0) returned 0x0 [0104.707] ReadFile (in: hFile=0x3fc, lpBuffer=0x29865a4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3e9d4, lpOverlapped=0x0 | out: lpBuffer=0x29865a4*, lpNumberOfBytesRead=0x5a3e9d4*=0x982, lpOverlapped=0x0) returned 1 [0104.708] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3e9a8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3e9a8*=0) returned 0x982 [0104.708] ReadFile (in: hFile=0x3fc, lpBuffer=0x2985aba, nNumberOfBytesToRead=0x27e, lpNumberOfBytesRead=0x5a3e9d4, lpOverlapped=0x0 | out: lpBuffer=0x2985aba*, lpNumberOfBytesRead=0x5a3e9d4*=0x0, lpOverlapped=0x0) returned 1 [0104.708] SetFilePointer (in: hFile=0x3fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3e9a8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3e9a8*=0) returned 0x982 [0104.708] ReadFile (in: hFile=0x3fc, lpBuffer=0x29865a4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3e9d4, lpOverlapped=0x0 | out: lpBuffer=0x29865a4*, lpNumberOfBytesRead=0x5a3e9d4*=0x0, lpOverlapped=0x0) returned 1 [0104.708] CloseHandle (hObject=0x3fc) returned 1 [0104.709] CoCreateGuid (in: pguid=0x5a3ead4 | out: pguid=0x5a3ead4*(Data1=0xfbe69ce8, Data2=0xc190, Data3=0x46d0, Data4=([0]=0xbf, [1]=0x7c, [2]=0x86, [3]=0xf8, [4]=0x73, [5]=0x33, [6]=0x8, [7]=0x41))) returned 0x0 [0104.710] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3fc [0104.710] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x364 [0104.710] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x404 [0104.710] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x408 [0104.710] SetEvent (hEvent=0x408) returned 1 [0104.710] SetEvent (hEvent=0x3fc) returned 1 [0104.710] SetEvent (hEvent=0x364) returned 1 [0104.710] SetEvent (hEvent=0x404) returned 1 [0104.711] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x40c [0104.711] SetThreadUILanguage (LangId=0x0) returned 0x409 [0104.749] EtwEventActivityIdControl () returned 0x0 [0104.749] EtwEventActivityIdControl () returned 0x0 [0104.749] EtwEventActivityIdControl () returned 0x0 [0104.760] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1")) returned 0x20 [0104.761] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0104.761] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0104.761] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e300) returned 1 [0104.761] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), fInfoLevelId=0x0, lpFileInformation=0x5a3e5c4 | out: lpFileInformation=0x5a3e5c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e2d1d80, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e2d1d80, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f20f74b, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x982)) returned 1 [0104.761] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e2fc) returned 1 [0104.761] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1")) returned 0x20 [0104.761] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0104.761] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0104.761] NtQuerySystemInformation (in: SystemInformationClass=0xa4, SystemInformation=0x5a3e208, Length=0x20, ResultLength=0x5a3e278 | out: SystemInformation=0x5a3e208, ResultLength=0x5a3e278*=0x0) returned 0xc0000003 [0104.762] GetSystemInfo (in: lpSystemInfo=0x5a3e284 | out: lpSystemInfo=0x5a3e284*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5507)) [0104.762] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x5a3e214 | out: phkResult=0x5a3e214*=0x410) returned 0x0 [0104.762] RegQueryValueExW (in: hKey=0x410, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x5a3e230, lpData=0x0, lpcbData=0x5a3e22c*=0x0 | out: lpType=0x5a3e230*=0x0, lpData=0x0, lpcbData=0x5a3e22c*=0x0) returned 0x2 [0104.762] RegCloseKey (hKey=0x410) returned 0x0 [0104.762] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0104.762] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0104.762] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3e18c) returned 1 [0104.763] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x410 [0104.763] GetFileType (hFile=0x410) returned 0x1 [0104.763] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3e188) returned 1 [0104.763] GetFileType (hFile=0x410) returned 0x1 [0104.763] SetFilePointer (in: hFile=0x410, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3e1c8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3e1c8*=0) returned 0x0 [0104.763] ReadFile (in: hFile=0x410, lpBuffer=0x29ba0c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3e1f4, lpOverlapped=0x0 | out: lpBuffer=0x29ba0c8*, lpNumberOfBytesRead=0x5a3e1f4*=0x982, lpOverlapped=0x0) returned 1 [0104.764] SetFilePointer (in: hFile=0x410, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3e1c8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3e1c8*=0) returned 0x982 [0104.764] ReadFile (in: hFile=0x410, lpBuffer=0x29b95de, nNumberOfBytesToRead=0x27e, lpNumberOfBytesRead=0x5a3e1f4, lpOverlapped=0x0 | out: lpBuffer=0x29b95de*, lpNumberOfBytesRead=0x5a3e1f4*=0x0, lpOverlapped=0x0) returned 1 [0104.764] SetFilePointer (in: hFile=0x410, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3e1c8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3e1c8*=0) returned 0x982 [0104.764] ReadFile (in: hFile=0x410, lpBuffer=0x29ba0c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3e1f4, lpOverlapped=0x0 | out: lpBuffer=0x29ba0c8*, lpNumberOfBytesRead=0x5a3e1f4*=0x0, lpOverlapped=0x0) returned 1 [0104.764] NtQuerySystemInformation (in: SystemInformationClass=0xa4, SystemInformation=0x5a3e15c, Length=0x20, ResultLength=0x5a3e1cc | out: SystemInformation=0x5a3e15c, ResultLength=0x5a3e1cc*=0x0) returned 0xc0000003 [0104.764] GetSystemInfo (in: lpSystemInfo=0x5a3e1d8 | out: lpSystemInfo=0x5a3e1d8*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5507)) [0104.765] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x5a3e168 | out: phkResult=0x5a3e168*=0x414) returned 0x0 [0104.765] RegQueryValueExW (in: hKey=0x414, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x5a3e184, lpData=0x0, lpcbData=0x5a3e180*=0x0 | out: lpType=0x5a3e184*=0x0, lpData=0x0, lpcbData=0x5a3e180*=0x0) returned 0x2 [0104.765] RegCloseKey (hKey=0x414) returned 0x0 [0104.765] CloseHandle (hObject=0x410) returned 1 [0104.766] CoCreateGuid (in: pguid=0x5a3e258 | out: pguid=0x5a3e258*(Data1=0x3a3e18ad, Data2=0xf18c, Data3=0x4901, Data4=([0]=0xbf, [1]=0xb7, [2]=0x74, [3]=0x63, [4]=0x23, [5]=0xe2, [6]=0x33, [7]=0x5e))) returned 0x0 [0104.766] QueryPerformanceCounter (in: lpPerformanceCount=0x5a3dfb8 | out: lpPerformanceCount=0x5a3dfb8*=1804577613183) returned 1 [0104.775] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0104.775] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0104.775] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3dca4) returned 1 [0104.775] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), fInfoLevelId=0x0, lpFileInformation=0x5a3df68 | out: lpFileInformation=0x5a3df68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e2d1d80, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e2d1d80, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f20f74b, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x982)) returned 1 [0104.776] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3dca0) returned 1 [0104.776] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0104.776] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0104.776] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0104.776] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0104.776] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3dc38) returned 1 [0104.776] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), fInfoLevelId=0x0, lpFileInformation=0x5a3defc | out: lpFileInformation=0x5a3defc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e2d1d80, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e2d1d80, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f20f74b, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x982)) returned 1 [0104.776] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3dc34) returned 1 [0104.776] CoTaskMemAlloc (cb=0x10) returned 0x4d2d118 [0104.776] CoTaskMemAlloc (cb=0x10) returned 0x4d2d058 [0104.776] CoTaskMemAlloc (cb=0xe4) returned 0x544de8 [0104.776] CoTaskMemAlloc (cb=0x30) returned 0x4d203a8 [0104.776] WinVerifyTrust () returned 0x800b0100 [0104.791] CoTaskMemFree (pv=0x4d2d118) [0104.791] CoTaskMemFree (pv=0x4d203a8) [0104.791] CryptCATHandleFromStore () returned 0x504548 [0104.791] WTHelperGetProvSignerFromChain () returned 0x0 [0104.791] CoTaskMemAlloc (cb=0x10) returned 0x4d2d118 [0104.792] CoTaskMemAlloc (cb=0x30) returned 0x4d203a8 [0104.792] WinVerifyTrust () returned 0x0 [0104.792] CoTaskMemFree (pv=0x4d203a8) [0104.792] CoTaskMemFree (pv=0x4d2d118) [0104.792] CoTaskMemFree (pv=0x544de8) [0104.792] CoTaskMemFree (pv=0x4d2d058) [0104.795] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\en-US\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\en-us\\microsoft.powershell.utility.psd1")) returned 0xffffffff [0104.795] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\en\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\en\\microsoft.powershell.utility.psd1")) returned 0xffffffff [0104.796] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0104.796] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0104.796] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0104.796] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x50, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", lpFilePart=0x0) returned 0x4f [0104.805] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\PSGetModuleInfo.xml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x64 [0104.805] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\PSGetModuleInfo.xml", nBufferLength=0x64, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\PSGetModuleInfo.xml", lpFilePart=0x0) returned 0x63 [0104.805] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3d6f4) returned 1 [0104.805] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\PSGetModuleInfo.xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\psgetmoduleinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0x5a3d9b8 | out: lpFileInformation=0x5a3d9b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0104.806] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3d6f0) returned 1 [0104.806] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0104.806] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Commands.Utility.dll\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.commands.utility.dll\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0104.806] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x5a3d670, nSize=0xc6 | out: lpBuffer="") returned 0xc5 [0104.809] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules" (normalized: "c:\\program files\\windowspowershell\\modules")) returned 0x10 [0104.809] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x51 [0104.809] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x51, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", lpFilePart=0x0) returned 0x50 [0104.809] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3d4fc) returned 1 [0104.810] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.commands.utility"), fInfoLevelId=0x0, lpFileInformation=0x5a3d7c0 | out: lpFileInformation=0x5a3d7c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0104.810] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3d4f8) returned 1 [0104.813] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.commands.utility\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0104.816] GetFileAttributesW (lpFileName="C:\\Users\\kEecfMwgj\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\keecfmwgj\\documents\\windowspowershell\\modules")) returned 0xffffffff [0104.822] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules" (normalized: "c:\\program files (x86)\\windowspowershell\\modules")) returned 0x10 [0104.823] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x57 [0104.823] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x57, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", lpFilePart=0x0) returned 0x56 [0104.823] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3d4fc) returned 1 [0104.823] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\microsoft.powershell.commands.utility"), fInfoLevelId=0x0, lpFileInformation=0x5a3d7c0 | out: lpFileInformation=0x5a3d7c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0104.823] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3d4f8) returned 1 [0104.828] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\microsoft.powershell.commands.utility\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0104.830] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules")) returned 0x10 [0104.831] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x59 [0104.831] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x59, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility", lpFilePart=0x0) returned 0x58 [0104.831] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3d4fc) returned 1 [0104.831] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.commands.utility"), fInfoLevelId=0x0, lpFileInformation=0x5a3d7c0 | out: lpFileInformation=0x5a3d7c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0104.831] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3d4f8) returned 1 [0104.834] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.commands.utility\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0104.970] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x9a [0104.970] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x9a, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x99 [0104.971] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x9a [0104.971] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x9a, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x99 [0104.971] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x9a [0104.971] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x9a, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x99 [0105.253] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1")) returned 0x20 [0105.254] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0105.254] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0105.254] NtQuerySystemInformation (in: SystemInformationClass=0xa4, SystemInformation=0x5a3d520, Length=0x20, ResultLength=0x5a3d590 | out: SystemInformation=0x5a3d520, ResultLength=0x5a3d590*=0x0) returned 0xc0000003 [0105.254] GetSystemInfo (in: lpSystemInfo=0x5a3d59c | out: lpSystemInfo=0x5a3d59c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5507)) [0105.255] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x5a3d52c | out: phkResult=0x5a3d52c*=0x410) returned 0x0 [0105.255] RegQueryValueExW (in: hKey=0x410, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x5a3d548, lpData=0x0, lpcbData=0x5a3d544*=0x0 | out: lpType=0x5a3d548*=0x0, lpData=0x0, lpcbData=0x5a3d544*=0x0) returned 0x2 [0105.255] RegCloseKey (hKey=0x410) returned 0x0 [0105.255] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0105.255] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0105.255] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3d2d0) returned 1 [0105.256] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x2a5eb98 | out: lpFileInformation=0x2a5eb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e285ac0, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e285ac0, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778)) returned 1 [0105.256] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3d2cc) returned 1 [0105.256] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0105.256] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0105.256] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3d290) returned 1 [0105.256] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x5a3d554 | out: lpFileInformation=0x5a3d554*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e285ac0, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e285ac0, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778)) returned 1 [0105.256] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3d28c) returned 1 [0105.256] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0105.256] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0105.256] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0105.257] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0105.257] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3d224) returned 1 [0105.257] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x5a3d4e8 | out: lpFileInformation=0x5a3d4e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e285ac0, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e285ac0, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778)) returned 1 [0105.257] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3d220) returned 1 [0105.257] CoTaskMemAlloc (cb=0x10) returned 0x4d42800 [0105.257] CoTaskMemAlloc (cb=0x10) returned 0x4d427d0 [0105.257] CoTaskMemAlloc (cb=0xe4) returned 0x544de8 [0105.257] CoTaskMemAlloc (cb=0x30) returned 0x4d20220 [0105.257] WinVerifyTrust () returned 0x800b0100 [0105.272] CoTaskMemFree (pv=0x4d42800) [0105.272] CoTaskMemFree (pv=0x4d20220) [0105.272] CryptCATHandleFromStore () returned 0x504668 [0105.272] WTHelperGetProvSignerFromChain () returned 0x0 [0105.272] CoTaskMemAlloc (cb=0x10) returned 0x4d42800 [0105.272] CoTaskMemAlloc (cb=0x30) returned 0x4d20220 [0105.272] WinVerifyTrust () returned 0x0 [0105.272] CoTaskMemFree (pv=0x4d20220) [0105.272] CoTaskMemFree (pv=0x4d42800) [0105.272] CoTaskMemFree (pv=0x544de8) [0105.272] CoTaskMemFree (pv=0x4d427d0) [0105.272] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0105.273] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0105.273] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3d4dc) returned 1 [0105.273] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x410 [0105.273] GetFileType (hFile=0x410) returned 0x1 [0105.273] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3d4d8) returned 1 [0105.273] GetFileType (hFile=0x410) returned 0x1 [0105.273] SetFilePointer (in: hFile=0x410, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d518*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d518*=0) returned 0x0 [0105.273] ReadFile (in: hFile=0x410, lpBuffer=0x2a603ac, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d544, lpOverlapped=0x0 | out: lpBuffer=0x2a603ac*, lpNumberOfBytesRead=0x5a3d544*=0x1000, lpOverlapped=0x0) returned 1 [0105.274] SetFilePointer (in: hFile=0x410, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d518*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d518*=0) returned 0x1000 [0105.274] ReadFile (in: hFile=0x410, lpBuffer=0x2a603ac, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d544, lpOverlapped=0x0 | out: lpBuffer=0x2a603ac*, lpNumberOfBytesRead=0x5a3d544*=0x1000, lpOverlapped=0x0) returned 1 [0105.274] SetFilePointer (in: hFile=0x410, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d518*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d518*=0) returned 0x2000 [0105.274] ReadFile (in: hFile=0x410, lpBuffer=0x2a603ac, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d544, lpOverlapped=0x0 | out: lpBuffer=0x2a603ac*, lpNumberOfBytesRead=0x5a3d544*=0x1000, lpOverlapped=0x0) returned 1 [0105.275] SetFilePointer (in: hFile=0x410, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d518*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d518*=0) returned 0x3000 [0105.275] ReadFile (in: hFile=0x410, lpBuffer=0x2a603ac, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d544, lpOverlapped=0x0 | out: lpBuffer=0x2a603ac*, lpNumberOfBytesRead=0x5a3d544*=0x1000, lpOverlapped=0x0) returned 1 [0105.275] SetFilePointer (in: hFile=0x410, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d518*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d518*=0) returned 0x4000 [0105.275] ReadFile (in: hFile=0x410, lpBuffer=0x2a603ac, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d544, lpOverlapped=0x0 | out: lpBuffer=0x2a603ac*, lpNumberOfBytesRead=0x5a3d544*=0x1000, lpOverlapped=0x0) returned 1 [0105.275] SetFilePointer (in: hFile=0x410, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d518*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d518*=0) returned 0x5000 [0105.275] ReadFile (in: hFile=0x410, lpBuffer=0x2a603ac, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d544, lpOverlapped=0x0 | out: lpBuffer=0x2a603ac*, lpNumberOfBytesRead=0x5a3d544*=0x1000, lpOverlapped=0x0) returned 1 [0105.276] SetFilePointer (in: hFile=0x410, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d518*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d518*=0) returned 0x6000 [0105.276] ReadFile (in: hFile=0x410, lpBuffer=0x2a603ac, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d544, lpOverlapped=0x0 | out: lpBuffer=0x2a603ac*, lpNumberOfBytesRead=0x5a3d544*=0x1000, lpOverlapped=0x0) returned 1 [0105.276] SetFilePointer (in: hFile=0x410, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d518*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d518*=0) returned 0x7000 [0105.276] ReadFile (in: hFile=0x410, lpBuffer=0x2a603ac, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d544, lpOverlapped=0x0 | out: lpBuffer=0x2a603ac*, lpNumberOfBytesRead=0x5a3d544*=0x778, lpOverlapped=0x0) returned 1 [0105.276] SetFilePointer (in: hFile=0x410, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d518*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d518*=0) returned 0x7778 [0105.276] ReadFile (in: hFile=0x410, lpBuffer=0x2a5fab8, nNumberOfBytesToRead=0x88, lpNumberOfBytesRead=0x5a3d544, lpOverlapped=0x0 | out: lpBuffer=0x2a5fab8*, lpNumberOfBytesRead=0x5a3d544*=0x0, lpOverlapped=0x0) returned 1 [0105.276] SetFilePointer (in: hFile=0x410, lDistanceToMove=0, lpDistanceToMoveHigh=0x5a3d518*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x5a3d518*=0) returned 0x7778 [0105.276] ReadFile (in: hFile=0x410, lpBuffer=0x2a603ac, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x5a3d544, lpOverlapped=0x0 | out: lpBuffer=0x2a603ac*, lpNumberOfBytesRead=0x5a3d544*=0x0, lpOverlapped=0x0) returned 1 [0105.277] NtQuerySystemInformation (in: SystemInformationClass=0xa4, SystemInformation=0x5a3d4ac, Length=0x20, ResultLength=0x5a3d51c | out: SystemInformation=0x5a3d4ac, ResultLength=0x5a3d51c*=0x0) returned 0xc0000003 [0105.277] GetSystemInfo (in: lpSystemInfo=0x5a3d528 | out: lpSystemInfo=0x5a3d528*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5507)) [0105.277] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x5a3d4b8 | out: phkResult=0x5a3d4b8*=0x414) returned 0x0 [0105.278] RegQueryValueExW (in: hKey=0x414, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x5a3d4d4, lpData=0x0, lpcbData=0x5a3d4d0*=0x0 | out: lpType=0x5a3d4d4*=0x0, lpData=0x0, lpcbData=0x5a3d4d0*=0x0) returned 0x2 [0105.278] RegCloseKey (hKey=0x414) returned 0x0 [0105.278] CloseHandle (hObject=0x410) returned 1 [0105.411] CoCreateGuid (in: pguid=0x5a3d5ec | out: pguid=0x5a3d5ec*(Data1=0xe2165144, Data2=0x89d, Data3=0x4d39, Data4=([0]=0x8c, [1]=0xa1, [2]=0x3b, [3]=0x39, [4]=0xda, [5]=0x2, [6]=0x56, [7]=0x8d))) returned 0x0 [0105.411] GetCurrentProcess () returned 0xffffffff [0105.411] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x5a3d5b8 | out: TokenHandle=0x5a3d5b8*=0x410) returned 1 [0105.412] GetTokenInformation (in: TokenHandle=0x410, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x5a3d5b8 | out: TokenInformation=0x0, ReturnLength=0x5a3d5b8) returned 0 [0105.412] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x4d3da28 [0105.412] GetTokenInformation (in: TokenHandle=0x410, TokenInformationClass=0x8, TokenInformation=0x4d3da28, TokenInformationLength=0x4, ReturnLength=0x5a3d5b8 | out: TokenInformation=0x4d3da28, ReturnLength=0x5a3d5b8) returned 1 [0105.412] LocalFree (hMem=0x4d3da28) returned 0x0 [0105.412] DuplicateTokenEx (in: hExistingToken=0x410, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x5a3d5c0 | out: phNewToken=0x5a3d5c0*=0x414) returned 1 [0105.412] CheckTokenMembership (in: TokenHandle=0x414, SidToCheck=0x2affd3c*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x5a3d5d0 | out: IsMember=0x5a3d5d0) returned 1 [0105.413] CloseHandle (hObject=0x414) returned 1 [0105.416] QueryPerformanceCounter (in: lpPerformanceCount=0x5a3d35c | out: lpPerformanceCount=0x5a3d35c*=1804642640130) returned 1 [0105.416] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0105.417] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0105.417] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3d048) returned 1 [0105.417] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x5a3d30c | out: lpFileInformation=0x5a3d30c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e285ac0, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e285ac0, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778)) returned 1 [0105.417] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3d044) returned 1 [0105.417] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0105.417] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0105.417] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0105.417] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0105.417] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x5a3cfdc) returned 1 [0105.417] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x5a3d2a0 | out: lpFileInformation=0x5a3d2a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e285ac0, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e285ac0, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778)) returned 1 [0105.417] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x5a3cfd8) returned 1 [0105.418] CoTaskMemAlloc (cb=0x10) returned 0x4d42800 [0105.418] CoTaskMemAlloc (cb=0x10) returned 0x4d427e8 [0105.418] CoTaskMemAlloc (cb=0xe4) returned 0x544de8 [0105.418] CoTaskMemAlloc (cb=0x30) returned 0x4d20760 [0105.418] WinVerifyTrust () returned 0x800b0100 [0105.452] CoTaskMemFree (pv=0x4d42800) [0105.452] CoTaskMemFree (pv=0x4d20760) [0105.452] CryptCATHandleFromStore () returned 0x5046f8 [0105.452] WTHelperGetProvSignerFromChain () returned 0x0 [0105.452] CoTaskMemAlloc (cb=0x10) returned 0x4d42800 [0105.452] CoTaskMemAlloc (cb=0x30) returned 0x4d20760 [0105.452] WinVerifyTrust () returned 0x0 [0105.452] CoTaskMemFree (pv=0x4d20760) [0105.452] CoTaskMemFree (pv=0x4d42800) [0105.452] CoTaskMemFree (pv=0x544de8) [0105.452] CoTaskMemFree (pv=0x4d427e8) [0105.468] CoCreateGuid (in: pguid=0x5a3d238 | out: pguid=0x5a3d238*(Data1=0xecada23a, Data2=0xf6fb, Data3=0x42b8, Data4=([0]=0xa9, [1]=0xc7, [2]=0x8f, [3]=0x42, [4]=0x46, [5]=0x8f, [6]=0xdb, [7]=0xe4))) returned 0x0 [0105.468] CoCreateGuid (in: pguid=0x5a3d238 | out: pguid=0x5a3d238*(Data1=0xc5384bf1, Data2=0x1d45, Data3=0x4f95, Data4=([0]=0xa8, [1]=0xf, [2]=0xbd, [3]=0xb4, [4]=0x93, [5]=0xb2, [6]=0x40, [7]=0x29))) returned 0x0 [0105.468] CoCreateGuid (in: pguid=0x5a3d238 | out: pguid=0x5a3d238*(Data1=0xddf1fcea, Data2=0xeaf2, Data3=0x40f8, Data4=([0]=0xbf, [1]=0x5c, [2]=0xaf, [3]=0xa8, [4]=0xd6, [5]=0x99, [6]=0x2, [7]=0x80))) returned 0x0 [0105.468] CoCreateGuid (in: pguid=0x5a3d238 | out: pguid=0x5a3d238*(Data1=0x61c05d94, Data2=0x740c, Data3=0x4487, Data4=([0]=0xbb, [1]=0xbd, [2]=0xd5, [3]=0xe9, [4]=0x70, [5]=0xe9, [6]=0xaf, [7]=0xce))) returned 0x0 [0105.470] CoCreateGuid (in: pguid=0x5a3d238 | out: pguid=0x5a3d238*(Data1=0x303f88f9, Data2=0xa9d2, Data3=0x4126, Data4=([0]=0xba, [1]=0x6a, [2]=0xc0, [3]=0x6c, [4]=0x3c, [5]=0x83, [6]=0x66, [7]=0xf))) returned 0x0 [0105.470] CoCreateGuid (in: pguid=0x5a3d238 | out: pguid=0x5a3d238*(Data1=0x3689f366, Data2=0x7cd0, Data3=0x45bb, Data4=([0]=0xb7, [1]=0xaa, [2]=0x1c, [3]=0x86, [4]=0x6b, [5]=0xb0, [6]=0x1e, [7]=0x59))) returned 0x0 [0105.591] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x5a3e590 | out: phkResult=0x5a3e590*=0x414) returned 0x0 [0105.592] RegQueryValueExW (in: hKey=0x414, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x5a3e5b0, lpData=0x0, lpcbData=0x5a3e5ac*=0x0 | out: lpType=0x5a3e5b0*=0x1, lpData=0x0, lpcbData=0x5a3e5ac*=0x56) returned 0x0 [0105.592] RegQueryValueExW (in: hKey=0x414, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x5a3e5b0, lpData=0x2cc869c, lpcbData=0x5a3e5ac*=0x56 | out: lpType=0x5a3e5b0*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x5a3e5ac*=0x56) returned 0x0 [0105.592] RegCloseKey (hKey=0x414) returned 0x0 [0105.592] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x5a3e590 | out: phkResult=0x5a3e590*=0x414) returned 0x0 [0105.592] RegQueryValueExW (in: hKey=0x414, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x5a3e5b0, lpData=0x0, lpcbData=0x5a3e5ac*=0x0 | out: lpType=0x5a3e5b0*=0x1, lpData=0x0, lpcbData=0x5a3e5ac*=0x56) returned 0x0 [0105.592] RegQueryValueExW (in: hKey=0x414, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x5a3e5b0, lpData=0x2cc89b0, lpcbData=0x5a3e5ac*=0x56 | out: lpType=0x5a3e5b0*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x5a3e5ac*=0x56) returned 0x0 [0105.592] RegCloseKey (hKey=0x414) returned 0x0 [0105.593] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x5a3e590 | out: phkResult=0x5a3e590*=0x414) returned 0x0 [0105.593] RegQueryValueExW (in: hKey=0x414, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x5a3e5b0, lpData=0x0, lpcbData=0x5a3e5ac*=0x0 | out: lpType=0x5a3e5b0*=0x1, lpData=0x0, lpcbData=0x5a3e5ac*=0x56) returned 0x0 [0105.593] RegQueryValueExW (in: hKey=0x414, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x5a3e5b0, lpData=0x2cc8cac, lpcbData=0x5a3e5ac*=0x56 | out: lpType=0x5a3e5b0*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x5a3e5ac*=0x56) returned 0x0 [0105.593] RegCloseKey (hKey=0x414) returned 0x0 [0105.593] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x5a3e590 | out: phkResult=0x5a3e590*=0x414) returned 0x0 [0105.593] RegQueryValueExW (in: hKey=0x414, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x5a3e5b0, lpData=0x0, lpcbData=0x5a3e5ac*=0x0 | out: lpType=0x5a3e5b0*=0x1, lpData=0x0, lpcbData=0x5a3e5ac*=0x56) returned 0x0 [0105.593] RegQueryValueExW (in: hKey=0x414, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x5a3e5b0, lpData=0x2cc8fb4, lpcbData=0x5a3e5ac*=0x56 | out: lpType=0x5a3e5b0*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x5a3e5ac*=0x56) returned 0x0 [0105.593] RegCloseKey (hKey=0x414) returned 0x0 [0105.594] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x5a3e590 | out: phkResult=0x5a3e590*=0x414) returned 0x0 [0105.594] RegQueryValueExW (in: hKey=0x414, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x5a3e5b0, lpData=0x0, lpcbData=0x5a3e5ac*=0x0 | out: lpType=0x5a3e5b0*=0x1, lpData=0x0, lpcbData=0x5a3e5ac*=0x56) returned 0x0 [0105.594] RegQueryValueExW (in: hKey=0x414, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x5a3e5b0, lpData=0x2cc92c8, lpcbData=0x5a3e5ac*=0x56 | out: lpType=0x5a3e5b0*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x5a3e5ac*=0x56) returned 0x0 [0105.594] RegCloseKey (hKey=0x414) returned 0x0 [0105.594] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x5a3e590 | out: phkResult=0x5a3e590*=0x414) returned 0x0 [0105.594] RegQueryValueExW (in: hKey=0x414, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x5a3e5b0, lpData=0x0, lpcbData=0x5a3e5ac*=0x0 | out: lpType=0x5a3e5b0*=0x1, lpData=0x0, lpcbData=0x5a3e5ac*=0x56) returned 0x0 [0105.594] RegQueryValueExW (in: hKey=0x414, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x5a3e5b0, lpData=0x2cc95dc, lpcbData=0x5a3e5ac*=0x56 | out: lpType=0x5a3e5b0*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x5a3e5ac*=0x56) returned 0x0 [0105.594] RegCloseKey (hKey=0x414) returned 0x0 [0105.595] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x5a3e590 | out: phkResult=0x5a3e590*=0x414) returned 0x0 [0105.595] RegQueryValueExW (in: hKey=0x414, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x5a3e5b0, lpData=0x0, lpcbData=0x5a3e5ac*=0x0 | out: lpType=0x5a3e5b0*=0x1, lpData=0x0, lpcbData=0x5a3e5ac*=0x56) returned 0x0 [0105.595] RegQueryValueExW (in: hKey=0x414, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x5a3e5b0, lpData=0x2cc98d8, lpcbData=0x5a3e5ac*=0x56 | out: lpType=0x5a3e5b0*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x5a3e5ac*=0x56) returned 0x0 [0105.595] RegCloseKey (hKey=0x414) returned 0x0 [0105.596] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x5a3e5dc | out: phkResult=0x5a3e5dc*=0x414) returned 0x0 [0105.596] RegQueryValueExW (in: hKey=0x414, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x5a3e5fc, lpData=0x0, lpcbData=0x5a3e5f8*=0x0 | out: lpType=0x5a3e5fc*=0x1, lpData=0x0, lpcbData=0x5a3e5f8*=0x56) returned 0x0 [0105.596] RegQueryValueExW (in: hKey=0x414, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x5a3e5fc, lpData=0x2cc9c20, lpcbData=0x5a3e5f8*=0x56 | out: lpType=0x5a3e5fc*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x5a3e5f8*=0x56) returned 0x0 [0105.596] RegCloseKey (hKey=0x414) returned 0x0 [0105.597] CoTaskMemAlloc (cb=0x20c) returned 0x523b88 [0105.597] SHGetFolderPathW (in: hwnd=0x0, csidl=38, hToken=0x0, dwFlags=0x0, pszPath=0x523b88 | out: pszPath="C:\\Program Files (x86)") returned 0x0 [0105.597] CoTaskMemFree (pv=0x523b88) [0105.597] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x17 [0105.597] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)", nBufferLength=0x17, lpBuffer=0x4d3c3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)", lpFilePart=0x0) returned 0x16 [0105.693] EtwEventActivityIdControl () returned 0x0 [0105.694] SetEvent (hEvent=0x40c) returned 1 [0105.695] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x5a3e938*=0x40c, lpdwindex=0x5a3e75c | out: lpdwindex=0x5a3e75c) returned 0x0 [0105.696] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x5a3e8cc, nSize=0xc6 | out: lpBuffer="") returned 0x0 [0105.698] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0105.698] GetFileType (hFile=0xb) returned 0x2 [0105.700] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x5a3ea70 | out: lpMode=0x5a3ea70) returned 1 [0105.701] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x5a3ea30 | out: lpConsoleScreenBufferInfo=0x5a3ea30) returned 1 [0105.701] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x5a3ea30 | out: lpConsoleScreenBufferInfo=0x5a3ea30) returned 1 [0105.723] EtwEventActivityIdControl () returned 0x0 [0105.723] EtwEventActivityIdControl () returned 0x0 [0105.723] EtwEventActivityIdControl () returned 0x0 [0105.743] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x414 [0105.743] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x1388, cHandles=0x1, pHandles=0x5a3ebb4*=0x414, lpdwindex=0x5a3e9d8 | out: lpdwindex=0x5a3e9d8) returned 0x80010115 [0112.131] EtwEventActivityIdControl () returned 0x0 [0112.134] CloseHandle (hObject=0x414) returned 1 [0112.135] EtwEventActivityIdControl () returned 0x0 [0112.135] EtwEventActivityIdControl () returned 0x0 [0112.136] EtwEventActivityIdControl () returned 0x0 [0112.136] EtwEventActivityIdControl () returned 0x0 [0112.137] SetEvent (hEvent=0x34c) returned 1 [0112.137] SetEvent (hEvent=0x340) returned 1 [0112.138] SetEvent (hEvent=0x344) returned 1 [0112.138] SetEvent (hEvent=0x348) returned 1 [0112.138] SetEvent (hEvent=0x35c) returned 1 [0112.138] SetEvent (hEvent=0x350) returned 1 [0112.138] SetEvent (hEvent=0x354) returned 1 [0112.138] SetEvent (hEvent=0x358) returned 1 [0112.138] SetEvent (hEvent=0x360) returned 1 [0112.144] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x5a3f190*=0x368, lpdwindex=0x5a3efb4 | out: lpdwindex=0x5a3efb4) returned 0x0 [0112.144] SetThreadUILanguage (LangId=0x0) returned 0x409 [0112.148] CoCreateGuid (in: pguid=0x5a3effc | out: pguid=0x5a3effc*(Data1=0x6036e878, Data2=0xdd8a, Data3=0x4a06, Data4=([0]=0xb6, [1]=0x8d, [2]=0xe6, [3]=0x77, [4]=0x23, [5]=0xdb, [6]=0xad, [7]=0xf5))) returned 0x0 [0112.148] QueryPerformanceCounter (in: lpPerformanceCount=0x5a3efdc | out: lpPerformanceCount=0x5a3efdc*=1805315829820) returned 1 [0112.187] QueryPerformanceCounter (in: lpPerformanceCount=0x5a3efa4 | out: lpPerformanceCount=0x5a3efa4*=1805319684399) returned 1 [0112.187] EtwEventActivityIdControl () returned 0x0 [0112.187] EtwEventActivityIdControl () returned 0x0 [0112.187] EtwEventActivityIdControl () returned 0x0 [0112.189] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x2, pHandles=0x5a3eb50*=0x424, lpdwindex=0x5a3ea14 | out: lpdwindex=0x5a3ea14) returned 0x0 [0112.190] SetEvent (hEvent=0x420) returned 1 [0112.190] SetEvent (hEvent=0x424) returned 1 [0112.190] EtwEventActivityIdControl () returned 0x0 [0112.190] SetEvent (hEvent=0x42c) returned 1 [0112.190] SetEvent (hEvent=0x420) returned 1 [0112.190] SetEvent (hEvent=0x424) returned 1 [0112.190] SetEvent (hEvent=0x43c) returned 1 [0112.190] SetEvent (hEvent=0x430) returned 1 [0112.190] SetEvent (hEvent=0x434) returned 1 [0112.190] SetEvent (hEvent=0x438) returned 1 [0112.190] SetEvent (hEvent=0x440) returned 1 [0112.193] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x5a3f190*=0x368, lpdwindex=0x5a3efb4 | out: lpdwindex=0x5a3efb4) returned 0x0 [0112.476] CoGetContextToken (in: pToken=0x5a3f57c | out: pToken=0x5a3f57c) returned 0x0 [0112.476] CoUninitialize () Thread: id = 45 os_tid = 0xf74 Thread: id = 46 os_tid = 0xf78 Thread: id = 47 os_tid = 0xf7c Thread: id = 48 os_tid = 0xf80 Thread: id = 49 os_tid = 0xf84 [0103.877] CoGetContextToken (in: pToken=0x5dafaec | out: pToken=0x5dafaec) returned 0x0 [0103.878] CObjectContext::QueryInterface () returned 0x0 [0103.878] CObjectContext::GetCurrentThreadType () returned 0x0 [0103.878] Release () returned 0x0 [0103.878] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 Thread: id = 50 os_tid = 0xf88 Process: id = "4" image_name = "powershell.exe" filename = "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe" page_root = "0x325eb000" os_pid = "0xf94" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xe58" cmd_line = "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" Start-Sleep -s 5" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e95f" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 990 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 991 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 992 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 993 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 994 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 995 start_va = 0xe0000 end_va = 0x11ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 996 start_va = 0x230000 end_va = 0x29afff monitored = 0 entry_point = 0x23d330 region_type = mapped_file name = "powershell.exe" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe") Region: id = 997 start_va = 0x2a0000 end_va = 0x2dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 998 start_va = 0x76e60000 end_va = 0x77008fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 999 start_va = 0x77040000 end_va = 0x771bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1000 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 1001 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 1002 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 1003 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 1004 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1005 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1006 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1007 start_va = 0x180000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 1008 start_va = 0x748b0000 end_va = 0x748b7fff monitored = 0 entry_point = 0x748b20f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1009 start_va = 0x748c0000 end_va = 0x7491bfff monitored = 0 entry_point = 0x748ff9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1010 start_va = 0x74920000 end_va = 0x7495efff monitored = 0 entry_point = 0x7494e088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1011 start_va = 0x76c40000 end_va = 0x76d5efff monitored = 0 entry_point = 0x76c55340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1012 start_va = 0x75d40000 end_va = 0x75e4ffff monitored = 0 entry_point = 0x75d53283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1013 start_va = 0x76c40000 end_va = 0x76d5efff monitored = 0 entry_point = 0x76c55340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1014 start_va = 0x76c40000 end_va = 0x76d5efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000076c40000" filename = "" Region: id = 1015 start_va = 0x76d60000 end_va = 0x76e59fff monitored = 0 entry_point = 0x76d7a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1016 start_va = 0x76d60000 end_va = 0x76e59fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000076d60000" filename = "" Region: id = 1017 start_va = 0x2e0000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 1018 start_va = 0x75d40000 end_va = 0x75e4ffff monitored = 0 entry_point = 0x75d53283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1019 start_va = 0x75150000 end_va = 0x75196fff monitored = 0 entry_point = 0x751574c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1020 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1021 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1022 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1023 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1024 start_va = 0x70000 end_va = 0xd6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1025 start_va = 0x75ca0000 end_va = 0x75d3ffff monitored = 0 entry_point = 0x75cb49e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1026 start_va = 0x74cf0000 end_va = 0x74d9bfff monitored = 0 entry_point = 0x74cfa472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1027 start_va = 0x753d0000 end_va = 0x753e8fff monitored = 0 entry_point = 0x753d4975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1028 start_va = 0x75710000 end_va = 0x757fffff monitored = 0 entry_point = 0x75720569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1029 start_va = 0x74b90000 end_va = 0x74beffff monitored = 0 entry_point = 0x74baa3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1030 start_va = 0x74b80000 end_va = 0x74b8bfff monitored = 0 entry_point = 0x74b810e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1031 start_va = 0x72370000 end_va = 0x72383fff monitored = 0 entry_point = 0x72371da9 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll") Region: id = 1032 start_va = 0x75b00000 end_va = 0x75bfffff monitored = 0 entry_point = 0x75b1b6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1033 start_va = 0x74e80000 end_va = 0x74f0ffff monitored = 0 entry_point = 0x74e96343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1034 start_va = 0x77010000 end_va = 0x77019fff monitored = 0 entry_point = 0x770136a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 1035 start_va = 0x74bf0000 end_va = 0x74c8cfff monitored = 0 entry_point = 0x74c23fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 1036 start_va = 0x75270000 end_va = 0x753cbfff monitored = 0 entry_point = 0x752bba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1037 start_va = 0x758a0000 end_va = 0x7592efff monitored = 0 entry_point = 0x758a3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1038 start_va = 0x74a20000 end_va = 0x74a69fff monitored = 1 entry_point = 0x74a22e54 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll") Region: id = 1039 start_va = 0x440000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 1040 start_va = 0x120000 end_va = 0x13dfff monitored = 0 entry_point = 0x13158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1041 start_va = 0x5d0000 end_va = 0x757fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 1042 start_va = 0x120000 end_va = 0x13dfff monitored = 0 entry_point = 0x13158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1043 start_va = 0x75c40000 end_va = 0x75c9ffff monitored = 0 entry_point = 0x75c5158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1044 start_va = 0x751a0000 end_va = 0x7526bfff monitored = 0 entry_point = 0x751a168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1045 start_va = 0x760000 end_va = 0x8e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 1046 start_va = 0x8f0000 end_va = 0x1ceffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 1047 start_va = 0x30000 end_va = 0x32fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershell.exe.mui" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\powershell.exe.mui" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\en-us\\powershell.exe.mui") Region: id = 1048 start_va = 0x120000 end_va = 0x120fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 1049 start_va = 0x130000 end_va = 0x130fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1050 start_va = 0x440000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 1051 start_va = 0x5c0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 1052 start_va = 0x440000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 1053 start_va = 0x530000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 1054 start_va = 0x74990000 end_va = 0x74a1cfff monitored = 1 entry_point = 0x749a2860 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll") Region: id = 1055 start_va = 0x72bf0000 end_va = 0x72bf2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\SysWOW64\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\syswow64\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 1056 start_va = 0x74c90000 end_va = 0x74ce6fff monitored = 0 entry_point = 0x74ca9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1057 start_va = 0x73b80000 end_va = 0x73b88fff monitored = 0 entry_point = 0x73b81220 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 1058 start_va = 0x712b0000 end_va = 0x71a5efff monitored = 1 entry_point = 0x712cd0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 1059 start_va = 0x712b0000 end_va = 0x71a5efff monitored = 1 entry_point = 0x712cd0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 1060 start_va = 0x712b0000 end_va = 0x71a5efff monitored = 1 entry_point = 0x712cd0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 1061 start_va = 0x74970000 end_va = 0x74983fff monitored = 0 entry_point = 0x7497ac00 region_type = mapped_file name = "vcruntime140_clr0400.dll" filename = "\\Windows\\SysWOW64\\vcruntime140_clr0400.dll" (normalized: "c:\\windows\\syswow64\\vcruntime140_clr0400.dll") Region: id = 1062 start_va = 0x723b0000 end_va = 0x7245afff monitored = 0 entry_point = 0x72445f20 region_type = mapped_file name = "ucrtbase_clr0400.dll" filename = "\\Windows\\SysWOW64\\ucrtbase_clr0400.dll" (normalized: "c:\\windows\\syswow64\\ucrtbase_clr0400.dll") Region: id = 1063 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 1064 start_va = 0x150000 end_va = 0x15ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 1065 start_va = 0x160000 end_va = 0x16ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 1066 start_va = 0x170000 end_va = 0x17ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 1067 start_va = 0x200000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1068 start_va = 0x210000 end_va = 0x21ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 1069 start_va = 0x220000 end_va = 0x22ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 1070 start_va = 0x2e0000 end_va = 0x2e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 1071 start_va = 0x340000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 1072 start_va = 0x2f0000 end_va = 0x2f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1073 start_va = 0x1cf0000 end_va = 0x1d9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001cf0000" filename = "" Region: id = 1074 start_va = 0x1da0000 end_va = 0x1e4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001da0000" filename = "" Region: id = 1075 start_va = 0x570000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 1076 start_va = 0x1f40000 end_va = 0x1f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f40000" filename = "" Region: id = 1077 start_va = 0x7efd8000 end_va = 0x7efdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 1078 start_va = 0x300000 end_va = 0x30ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 1079 start_va = 0x1f80000 end_va = 0x3f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f80000" filename = "" Region: id = 1080 start_va = 0x300000 end_va = 0x31ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 1081 start_va = 0x4e0000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 1082 start_va = 0x4020000 end_va = 0x405ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004020000" filename = "" Region: id = 1083 start_va = 0x7efd5000 end_va = 0x7efd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 1084 start_va = 0x1d10000 end_va = 0x1d4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d10000" filename = "" Region: id = 1085 start_va = 0x1d60000 end_va = 0x1d9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d60000" filename = "" Region: id = 1086 start_va = 0x4070000 end_va = 0x40affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004070000" filename = "" Region: id = 1087 start_va = 0x7efad000 end_va = 0x7efaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 1088 start_va = 0x40b0000 end_va = 0x437efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1089 start_va = 0x6fea0000 end_va = 0x712aafff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\36eaccfde177c2e7b93b8dbdde4e012a\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\36eaccfde177c2e7b93b8dbdde4e012a\\mscorlib.ni.dll") Region: id = 1090 start_va = 0x320000 end_va = 0x32ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 1091 start_va = 0x4380000 end_va = 0x456ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004380000" filename = "" Region: id = 1092 start_va = 0x330000 end_va = 0x33ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 1093 start_va = 0x6f440000 end_va = 0x6fe94fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\2c3c912ea8f058f9d04c4650128feb3f\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\2c3c912ea8f058f9d04c4650128feb3f\\system.ni.dll") Region: id = 1094 start_va = 0x6e400000 end_va = 0x6ec17fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.core.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\31fae3290fad30c31c98651462d22724\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.core\\31fae3290fad30c31c98651462d22724\\system.core.ni.dll") Region: id = 1095 start_va = 0x72060000 end_va = 0x720eefff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.consolehost.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.Pb378ec07#\\731848746c032af3ce33577b793c9b9c\\Microsoft.PowerShell.ConsoleHost.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.pb378ec07#\\731848746c032af3ce33577b793c9b9c\\microsoft.powershell.consolehost.ni.dll") Region: id = 1096 start_va = 0x73950000 end_va = 0x73966fff monitored = 0 entry_point = 0x73953573 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 1097 start_va = 0x440000 end_va = 0x47bfff monitored = 0 entry_point = 0x44128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1098 start_va = 0x480000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 1099 start_va = 0x440000 end_va = 0x47bfff monitored = 0 entry_point = 0x44128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1100 start_va = 0x440000 end_va = 0x47bfff monitored = 0 entry_point = 0x44128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1101 start_va = 0x440000 end_va = 0x47bfff monitored = 0 entry_point = 0x44128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1102 start_va = 0x440000 end_va = 0x47bfff monitored = 0 entry_point = 0x44128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1103 start_va = 0x73910000 end_va = 0x7394afff monitored = 0 entry_point = 0x7391128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1104 start_va = 0x6c910000 end_va = 0x6e3f2fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.management.automation.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Manaa57fc8cc#\\a68aa6199c81feadf8c95a4ea0254b2c\\System.Management.Automation.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.manaa57fc8cc#\\a68aa6199c81feadf8c95a4ea0254b2c\\system.management.automation.ni.dll") Region: id = 1105 start_va = 0x1da0000 end_va = 0x1e01fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorrc.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscorrc.dll") Region: id = 1106 start_va = 0x1e10000 end_va = 0x1e4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e10000" filename = "" Region: id = 1107 start_va = 0x1eb0000 end_va = 0x1eeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001eb0000" filename = "" Region: id = 1108 start_va = 0x3f80000 end_va = 0x3fbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f80000" filename = "" Region: id = 1109 start_va = 0x3fe0000 end_va = 0x401ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003fe0000" filename = "" Region: id = 1110 start_va = 0x43f0000 end_va = 0x442ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000043f0000" filename = "" Region: id = 1111 start_va = 0x4530000 end_va = 0x456ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004530000" filename = "" Region: id = 1112 start_va = 0x7efa7000 end_va = 0x7efa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 1113 start_va = 0x7efaa000 end_va = 0x7efacfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 1114 start_va = 0x72390000 end_va = 0x723a2fff monitored = 1 entry_point = 0x7239d900 region_type = mapped_file name = "nlssorting.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\nlssorting.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\nlssorting.dll") Region: id = 1115 start_va = 0x4570000 end_va = 0x4841fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nlp" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\sortdefault.nlp" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\sortdefault.nlp") Region: id = 1116 start_va = 0x6ed30000 end_va = 0x6f43bfff monitored = 1 entry_point = 0x6f34f392 region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\system.management.automation\\v4.0_3.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 1117 start_va = 0x6c200000 end_va = 0x6c90bfff monitored = 1 entry_point = 0x6c81f392 region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\system.management.automation\\v4.0_3.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 1118 start_va = 0x4430000 end_va = 0x44effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 1119 start_va = 0x75ff0000 end_va = 0x76c39fff monitored = 0 entry_point = 0x76071601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1120 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 1121 start_va = 0x74f10000 end_va = 0x74f3efff monitored = 0 entry_point = 0x74f12a35 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\SysWOW64\\wintrust.dll" (normalized: "c:\\windows\\syswow64\\wintrust.dll") Region: id = 1122 start_va = 0x74fc0000 end_va = 0x750e0fff monitored = 0 entry_point = 0x74fc158e region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 1123 start_va = 0x75810000 end_va = 0x7581bfff monitored = 0 entry_point = 0x7581238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 1124 start_va = 0x6ed30000 end_va = 0x6f43bfff monitored = 1 entry_point = 0x6f34f392 region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\system.management.automation\\v4.0_3.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 1125 start_va = 0x6c200000 end_va = 0x6c90bfff monitored = 1 entry_point = 0x6c81f392 region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\system.management.automation\\v4.0_3.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 1126 start_va = 0x75800000 end_va = 0x75804fff monitored = 0 entry_point = 0x75801438 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 1127 start_va = 0x450000 end_va = 0x457fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 1128 start_va = 0x1e60000 end_va = 0x1e9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 1129 start_va = 0x48d0000 end_va = 0x490ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000048d0000" filename = "" Region: id = 1130 start_va = 0x7efa4000 end_va = 0x7efa6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa4000" filename = "" Region: id = 1131 start_va = 0x72360000 end_va = 0x72367fff monitored = 0 entry_point = 0x72363bf5 region_type = mapped_file name = "msisip.dll" filename = "\\Windows\\SysWOW64\\msisip.dll" (normalized: "c:\\windows\\syswow64\\msisip.dll") Region: id = 1132 start_va = 0x4910000 end_va = 0x4d0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004910000" filename = "" Region: id = 1133 start_va = 0x460000 end_va = 0x467fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 1134 start_va = 0x4910000 end_va = 0x4d0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004910000" filename = "" Region: id = 1135 start_va = 0x4890000 end_va = 0x48cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004890000" filename = "" Region: id = 1136 start_va = 0x4960000 end_va = 0x499ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004960000" filename = "" Region: id = 1137 start_va = 0x7efa1000 end_va = 0x7efa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa1000" filename = "" Region: id = 1138 start_va = 0x72160000 end_va = 0x72175fff monitored = 0 entry_point = 0x721613df region_type = mapped_file name = "wshext.dll" filename = "\\Windows\\SysWOW64\\wshext.dll" (normalized: "c:\\windows\\syswow64\\wshext.dll") Region: id = 1139 start_va = 0x71fd0000 end_va = 0x72053fff monitored = 0 entry_point = 0x71fd19a9 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll") Region: id = 1140 start_va = 0x49a0000 end_va = 0x4b4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000049a0000" filename = "" Region: id = 1141 start_va = 0x72480000 end_va = 0x72489fff monitored = 0 entry_point = 0x72484ab0 region_type = mapped_file name = "pwrshsip.dll" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\pwrshsip.dll" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\pwrshsip.dll") Region: id = 1142 start_va = 0x49a0000 end_va = 0x4a9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000049a0000" filename = "" Region: id = 1143 start_va = 0x4b40000 end_va = 0x4b4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b40000" filename = "" Region: id = 1144 start_va = 0x450000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 1145 start_va = 0x460000 end_va = 0x460fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 1146 start_va = 0x470000 end_va = 0x476fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 1147 start_va = 0x460000 end_va = 0x460fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 1148 start_va = 0x470000 end_va = 0x476fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 1149 start_va = 0x460000 end_va = 0x460fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 1150 start_va = 0x460000 end_va = 0x466fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 1151 start_va = 0x460000 end_va = 0x460fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 1152 start_va = 0x460000 end_va = 0x466fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 1153 start_va = 0x460000 end_va = 0x460fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 1154 start_va = 0x460000 end_va = 0x466fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 1155 start_va = 0x1f00000 end_va = 0x1f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 1156 start_va = 0x43b0000 end_va = 0x43effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000043b0000" filename = "" Region: id = 1157 start_va = 0x4850000 end_va = 0x488ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004850000" filename = "" Region: id = 1158 start_va = 0x4b00000 end_va = 0x4b3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b00000" filename = "" Region: id = 1159 start_va = 0x4c30000 end_va = 0x4c6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004c30000" filename = "" Region: id = 1160 start_va = 0x4c90000 end_va = 0x4ccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004c90000" filename = "" Region: id = 1161 start_va = 0x7ef98000 end_va = 0x7ef9afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef98000" filename = "" Region: id = 1162 start_va = 0x7ef9b000 end_va = 0x7ef9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef9b000" filename = "" Region: id = 1163 start_va = 0x7ef9e000 end_va = 0x7efa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef9e000" filename = "" Region: id = 1164 start_va = 0x6ec20000 end_va = 0x6f439fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.data.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Data\\df2dd09ed7c341842a104e1e668f184e\\System.Data.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.data\\df2dd09ed7c341842a104e1e668f184e\\system.data.ni.dll") Region: id = 1165 start_va = 0x71c70000 end_va = 0x71fc3fff monitored = 1 entry_point = 0x71fa7a72 region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 1166 start_va = 0x74da0000 end_va = 0x74dd4fff monitored = 0 entry_point = 0x74da145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1167 start_va = 0x75c30000 end_va = 0x75c35fff monitored = 0 entry_point = 0x75c31782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 1168 start_va = 0x4cd0000 end_va = 0x5020fff monitored = 1 entry_point = 0x5007a72 region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 1169 start_va = 0x4cd0000 end_va = 0x5020fff monitored = 1 entry_point = 0x5007a72 region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 1170 start_va = 0x4cd0000 end_va = 0x5020fff monitored = 1 entry_point = 0x5007a72 region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 1171 start_va = 0x4cd0000 end_va = 0x5020fff monitored = 1 entry_point = 0x5007a72 region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 1172 start_va = 0x460000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 1173 start_va = 0x6c190000 end_va = 0x6c903fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.xml.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Xml\\15af16d373cf0528cb74fc73d365fdbf\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.xml\\15af16d373cf0528cb74fc73d365fdbf\\system.xml.ni.dll") Region: id = 1174 start_va = 0x71b40000 end_va = 0x71c6ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Management\\e114780fd3ea5727401c06ea4f22ef35\\System.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.management\\e114780fd3ea5727401c06ea4f22ef35\\system.management.ni.dll") Region: id = 1175 start_va = 0x6c060000 end_va = 0x6c18bfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.directoryservices.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Dired13b18a9#\\2e76676fbd265f70be92c82bbf76b8e5\\System.DirectoryServices.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.dired13b18a9#\\2e76676fbd265f70be92c82bbf76b8e5\\system.directoryservices.ni.dll") Region: id = 1176 start_va = 0x74960000 end_va = 0x74962fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-xstate-l2-1-0.dll" filename = "\\Windows\\SysWOW64\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\windows\\syswow64\\api-ms-win-core-xstate-l2-1-0.dll") Region: id = 1177 start_va = 0x72180000 end_va = 0x72208fff monitored = 1 entry_point = 0x72181130 region_type = mapped_file name = "clrjit.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clrjit.dll") Region: id = 1178 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 1179 start_va = 0x4c0000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1180 start_va = 0x72100000 end_va = 0x72153fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.security.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.P6f792626#\\fbf36f7901fec6a367af3bc05a96b929\\Microsoft.PowerShell.Security.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.p6f792626#\\fbf36f7901fec6a367af3bc05a96b929\\microsoft.powershell.security.ni.dll") Region: id = 1181 start_va = 0x1eb0000 end_va = 0x1eeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001eb0000" filename = "" Region: id = 1182 start_va = 0x4b90000 end_va = 0x4bcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b90000" filename = "" Region: id = 1183 start_va = 0x7efa7000 end_va = 0x7efa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 1184 start_va = 0x71a80000 end_va = 0x71b37fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.transactions.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Transactions\\3d760b4a3260a41ef84a3fd866780980\\System.Transactions.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.transactions\\3d760b4a3260a41ef84a3fd866780980\\system.transactions.ni.dll") Region: id = 1185 start_va = 0x6c010000 end_va = 0x6c05bfff monitored = 1 entry_point = 0x6c02fcc6 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 1186 start_va = 0x3fc0000 end_va = 0x400bfff monitored = 1 entry_point = 0x3fdfcc6 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 1187 start_va = 0x3fc0000 end_va = 0x400bfff monitored = 1 entry_point = 0x3fdfcc6 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 1188 start_va = 0x3fc0000 end_va = 0x400bfff monitored = 1 entry_point = 0x3fdfcc6 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 1189 start_va = 0x3fc0000 end_va = 0x400bfff monitored = 1 entry_point = 0x3fdfcc6 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 1190 start_va = 0x72350000 end_va = 0x72357fff monitored = 0 entry_point = 0x723510e9 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 1191 start_va = 0x6bf90000 end_va = 0x6c00ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.management.infrastructure.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.Mf49f6405#\\e3134541fd9904dc895922f5256ef8f3\\Microsoft.Management.Infrastructure.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.mf49f6405#\\e3134541fd9904dc895922f5256ef8f3\\microsoft.management.infrastructure.ni.dll") Region: id = 1192 start_va = 0x6bf40000 end_va = 0x6bf86fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.numerics.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Numerics\\e7d6ed984300c7212c6e682c4f730b1e\\System.Numerics.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.numerics\\e7d6ed984300c7212c6e682c4f730b1e\\system.numerics.ni.dll") Region: id = 1193 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 1194 start_va = 0x6be30000 end_va = 0x6bf34fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.configuration.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Configuration\\96f7edb07b12303f0ec2595c7f3778c7\\System.Configuration.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.configuration\\96f7edb07b12303f0ec2595c7f3778c7\\system.configuration.ni.dll") Region: id = 1195 start_va = 0x520000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 1196 start_va = 0x4cd0000 end_va = 0x4d4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004cd0000" filename = "" Region: id = 1197 start_va = 0x540000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 1198 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1199 start_va = 0x560000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 1200 start_va = 0x5b0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 1201 start_va = 0x1cf0000 end_va = 0x1cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001cf0000" filename = "" Region: id = 1202 start_va = 0x1d00000 end_va = 0x1d0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 1203 start_va = 0x1d50000 end_va = 0x1d5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d50000" filename = "" Region: id = 1204 start_va = 0x1e50000 end_va = 0x1e5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e50000" filename = "" Region: id = 1205 start_va = 0x1ea0000 end_va = 0x1eaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ea0000" filename = "" Region: id = 1206 start_va = 0x1eb0000 end_va = 0x1ebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001eb0000" filename = "" Region: id = 1207 start_va = 0x1ec0000 end_va = 0x1ecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ec0000" filename = "" Region: id = 1208 start_va = 0x6bc90000 end_va = 0x6be27fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.csharp.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.CSharp\\f73f48afb5512225dedaee9c88ac5050\\Microsoft.CSharp.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.csharp\\f73f48afb5512225dedaee9c88ac5050\\microsoft.csharp.ni.dll") Region: id = 1209 start_va = 0x1ed0000 end_va = 0x1edffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ed0000" filename = "" Region: id = 1210 start_va = 0x1ee0000 end_va = 0x1eeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ee0000" filename = "" Region: id = 1211 start_va = 0x1ef0000 end_va = 0x1efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ef0000" filename = "" Region: id = 1212 start_va = 0x1ef0000 end_va = 0x1efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ef0000" filename = "" Region: id = 1213 start_va = 0x3fc0000 end_va = 0x3fcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003fc0000" filename = "" Region: id = 1214 start_va = 0x4bb0000 end_va = 0x4beffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004bb0000" filename = "" Region: id = 1215 start_va = 0x4e80000 end_va = 0x580ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004e80000" filename = "" Region: id = 1216 start_va = 0x7efa7000 end_va = 0x7efa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 1217 start_va = 0x73ab0000 end_va = 0x73b2ffff monitored = 0 entry_point = 0x73ac37c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 1218 start_va = 0x5810000 end_va = 0x597ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005810000" filename = "" Region: id = 1219 start_va = 0x4d50000 end_va = 0x4e2efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004d50000" filename = "" Region: id = 1220 start_va = 0x3fd0000 end_va = 0x400ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003fd0000" filename = "" Region: id = 1221 start_va = 0x4920000 end_va = 0x495ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004920000" filename = "" Region: id = 1222 start_va = 0x73a80000 end_va = 0x73a8dfff monitored = 0 entry_point = 0x73a81235 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll") Region: id = 1223 start_va = 0x7ef95000 end_va = 0x7ef97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef95000" filename = "" Region: id = 1224 start_va = 0x4ac0000 end_va = 0x4afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004ac0000" filename = "" Region: id = 1225 start_va = 0x5840000 end_va = 0x587ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005840000" filename = "" Region: id = 1226 start_va = 0x5940000 end_va = 0x597ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005940000" filename = "" Region: id = 1227 start_va = 0x7ef92000 end_va = 0x7ef94fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef92000" filename = "" Region: id = 1228 start_va = 0x58c0000 end_va = 0x58fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000058c0000" filename = "" Region: id = 1229 start_va = 0x59a0000 end_va = 0x59dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000059a0000" filename = "" Region: id = 1230 start_va = 0x7ef8f000 end_va = 0x7ef91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef8f000" filename = "" Region: id = 1231 start_va = 0x3fc0000 end_va = 0x3fcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003fc0000" filename = "" Region: id = 1232 start_va = 0x4b50000 end_va = 0x4b8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b50000" filename = "" Region: id = 1233 start_va = 0x5b10000 end_va = 0x5b4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005b10000" filename = "" Region: id = 1234 start_va = 0x7ef8c000 end_va = 0x7ef8efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef8c000" filename = "" Region: id = 1235 start_va = 0x5a90000 end_va = 0x5acffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005a90000" filename = "" Region: id = 1236 start_va = 0x5b50000 end_va = 0x5b8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005b50000" filename = "" Region: id = 1237 start_va = 0x7ef89000 end_va = 0x7ef8bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef89000" filename = "" Region: id = 1238 start_va = 0x4380000 end_va = 0x4390fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004380000" filename = "" Region: id = 1239 start_va = 0x4010000 end_va = 0x4011fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershellget.psd1" filename = "\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1") Region: id = 1240 start_va = 0x5b90000 end_va = 0x5f8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005b90000" filename = "" Region: id = 1241 start_va = 0x4060000 end_va = 0x4061fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershellget.psd1" filename = "\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1") Region: id = 1242 start_va = 0x5b90000 end_va = 0x5f8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005b90000" filename = "" Region: id = 1243 start_va = 0x5b90000 end_va = 0x5c8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005b90000" filename = "" Region: id = 1244 start_va = 0x4010000 end_va = 0x4010fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psd1" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1") Region: id = 1245 start_va = 0x5c90000 end_va = 0x608ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005c90000" filename = "" Region: id = 1246 start_va = 0x4060000 end_va = 0x4060fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psd1" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1") Region: id = 1247 start_va = 0x5c90000 end_va = 0x608ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005c90000" filename = "" Region: id = 1248 start_va = 0x6b120000 end_va = 0x6bc8dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.commands.utility.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.P521220ea#\\f6f5592245815a51dae8c19cd5d04783\\Microsoft.PowerShell.Commands.Utility.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.p521220ea#\\f6f5592245815a51dae8c19cd5d04783\\microsoft.powershell.commands.utility.ni.dll") Region: id = 1249 start_va = 0x6b0f0000 end_va = 0x6b117fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.configuration.install.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Confe64a9051#\\1561b93d6d25c4a9c3e2659ab29a5e73\\System.Configuration.Install.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.confe64a9051#\\1561b93d6d25c4a9c3e2659ab29a5e73\\system.configuration.install.ni.dll") Region: id = 1250 start_va = 0x4010000 end_va = 0x4017fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 1251 start_va = 0x5c90000 end_va = 0x608ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005c90000" filename = "" Region: id = 1252 start_va = 0x4060000 end_va = 0x4067fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 1253 start_va = 0x5c90000 end_va = 0x608ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005c90000" filename = "" Region: id = 1254 start_va = 0x4010000 end_va = 0x401ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004010000" filename = "" Region: id = 1255 start_va = 0x4060000 end_va = 0x406ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004060000" filename = "" Region: id = 1256 start_va = 0x43a0000 end_va = 0x43a7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 1257 start_va = 0x5c90000 end_va = 0x608ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005c90000" filename = "" Region: id = 1258 start_va = 0x44f0000 end_va = 0x44f7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 1259 start_va = 0x5c90000 end_va = 0x608ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005c90000" filename = "" Region: id = 1260 start_va = 0x43a0000 end_va = 0x43affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000043a0000" filename = "" Region: id = 1261 start_va = 0x5d00000 end_va = 0x5d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005d00000" filename = "" Region: id = 1262 start_va = 0x73c40000 end_va = 0x73c4afff monitored = 0 entry_point = 0x73c41992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1263 start_va = 0x71a60000 end_va = 0x71a76fff monitored = 0 entry_point = 0x71a635fa region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 1264 start_va = 0x43a0000 end_va = 0x43affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000043a0000" filename = "" Thread: id = 52 os_tid = 0xf98 [0129.192] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3f8 [0129.192] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3ac [0129.192] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3fc [0129.193] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x404 [0129.193] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x408 [0129.193] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x40c [0129.193] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x410 [0129.193] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x414 [0129.193] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x418 [0129.194] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x41c [0129.194] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x420 [0129.194] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x424 [0129.194] SetEvent (hEvent=0x404) returned 1 [0129.194] SetEvent (hEvent=0x3f8) returned 1 [0129.194] SetEvent (hEvent=0x3ac) returned 1 [0129.194] SetEvent (hEvent=0x3fc) returned 1 [0129.194] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x428 [0129.195] SetEvent (hEvent=0x350) returned 1 [0129.255] SetEvent (hEvent=0x408) returned 1 [0129.255] SetEvent (hEvent=0x40c) returned 1 [0129.255] SetEvent (hEvent=0x410) returned 1 [0129.301] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", nBufferLength=0x105, lpBuffer=0x11db38, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", lpFilePart=0x0) returned 0x40 [0129.323] CoTaskMemAlloc (cb=0x20c) returned 0x5b95b08 [0129.323] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5b95b08, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0129.323] CoTaskMemFree (pv=0x5b95b08) [0129.324] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3a [0129.324] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x3a, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0129.334] GetCurrentProcess () returned 0xffffffff [0129.334] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x11de70 | out: TokenHandle=0x11de70*=0x434) returned 1 [0129.337] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2f [0129.337] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", nBufferLength=0x2f, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", lpFilePart=0x0) returned 0x2e [0129.338] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x11de68 | out: lpFileInformation=0x11de68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc63fb400, ftCreationTime.dwHighDateTime=0x1d4e4ee, ftLastAccessTime.dwLowDateTime=0xb9f350b0, ftLastAccessTime.dwHighDateTime=0x1d706ae, ftLastWriteTime.dwLowDateTime=0xc63fb400, ftLastWriteTime.dwHighDateTime=0x1d4e4ee, nFileSizeHigh=0x0, nFileSizeLow=0x8c8e)) returned 1 [0129.340] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0129.340] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x44, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x43 [0129.340] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x11de70 | out: lpFileInformation=0x11de70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc63fb400, ftCreationTime.dwHighDateTime=0x1d4e4ee, ftLastAccessTime.dwLowDateTime=0xb9f350b0, ftLastAccessTime.dwHighDateTime=0x1d706ae, ftLastWriteTime.dwLowDateTime=0xc63fb400, ftLastWriteTime.dwHighDateTime=0x1d4e4ee, nFileSizeHigh=0x0, nFileSizeLow=0x8c8e)) returned 1 [0129.341] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0129.341] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x44, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x43 [0129.341] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x11dda8) returned 1 [0129.341] CreateFileW (lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x438 [0129.341] GetFileType (hFile=0x438) returned 0x1 [0129.341] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x11dda4) returned 1 [0129.341] GetFileType (hFile=0x438) returned 0x1 [0129.360] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0129.360] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", nBufferLength=0x44, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x43 [0129.361] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0129.361] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", nBufferLength=0x44, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x43 [0129.361] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x11d384) returned 1 [0129.361] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x11d648 | out: lpFileInformation=0x11d648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc63fb400, ftCreationTime.dwHighDateTime=0x1d4e4ee, ftLastAccessTime.dwLowDateTime=0xb9f350b0, ftLastAccessTime.dwHighDateTime=0x1d706ae, ftLastWriteTime.dwLowDateTime=0xc63fb400, ftLastWriteTime.dwHighDateTime=0x1d4e4ee, nFileSizeHigh=0x0, nFileSizeLow=0x8c8e)) returned 1 [0129.361] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x11d380) returned 1 [0129.500] BCryptGetFipsAlgorithmMode (in: pfEnabled=0x11d514 | out: pfEnabled=0x11d514) returned 0x0 [0129.509] GetFileSize (in: hFile=0x438, lpFileSizeHigh=0x11de64 | out: lpFileSizeHigh=0x11de64*=0x0) returned 0x8c8e [0129.509] ReadFile (in: hFile=0x438, lpBuffer=0x21a6df0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x11de20, lpOverlapped=0x0 | out: lpBuffer=0x21a6df0*, lpNumberOfBytesRead=0x11de20*=0x1000, lpOverlapped=0x0) returned 1 [0129.520] ReadFile (in: hFile=0x438, lpBuffer=0x21a6df0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x11dcd0, lpOverlapped=0x0 | out: lpBuffer=0x21a6df0*, lpNumberOfBytesRead=0x11dcd0*=0x1000, lpOverlapped=0x0) returned 1 [0129.521] ReadFile (in: hFile=0x438, lpBuffer=0x21a6df0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x11db84, lpOverlapped=0x0 | out: lpBuffer=0x21a6df0*, lpNumberOfBytesRead=0x11db84*=0x1000, lpOverlapped=0x0) returned 1 [0129.521] ReadFile (in: hFile=0x438, lpBuffer=0x21a6df0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x11db84, lpOverlapped=0x0 | out: lpBuffer=0x21a6df0*, lpNumberOfBytesRead=0x11db84*=0x1000, lpOverlapped=0x0) returned 1 [0129.522] ReadFile (in: hFile=0x438, lpBuffer=0x21a6df0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x11db84, lpOverlapped=0x0 | out: lpBuffer=0x21a6df0*, lpNumberOfBytesRead=0x11db84*=0x1000, lpOverlapped=0x0) returned 1 [0129.522] ReadFile (in: hFile=0x438, lpBuffer=0x21a6df0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x11dabc, lpOverlapped=0x0 | out: lpBuffer=0x21a6df0*, lpNumberOfBytesRead=0x11dabc*=0x1000, lpOverlapped=0x0) returned 1 [0129.526] ReadFile (in: hFile=0x438, lpBuffer=0x21a6df0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x11dc28, lpOverlapped=0x0 | out: lpBuffer=0x21a6df0*, lpNumberOfBytesRead=0x11dc28*=0x1000, lpOverlapped=0x0) returned 1 [0129.528] ReadFile (in: hFile=0x438, lpBuffer=0x21a6df0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x11db1c, lpOverlapped=0x0 | out: lpBuffer=0x21a6df0*, lpNumberOfBytesRead=0x11db1c*=0x1000, lpOverlapped=0x0) returned 1 [0129.528] ReadFile (in: hFile=0x438, lpBuffer=0x21a6df0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x11db1c, lpOverlapped=0x0 | out: lpBuffer=0x21a6df0*, lpNumberOfBytesRead=0x11db1c*=0xc8e, lpOverlapped=0x0) returned 1 [0129.528] ReadFile (in: hFile=0x438, lpBuffer=0x21a6df0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x11dbe0, lpOverlapped=0x0 | out: lpBuffer=0x21a6df0*, lpNumberOfBytesRead=0x11dbe0*=0x0, lpOverlapped=0x0) returned 1 [0129.528] CloseHandle (hObject=0x438) returned 1 [0129.528] CloseHandle (hObject=0x434) returned 1 [0129.529] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", nBufferLength=0x105, lpBuffer=0x11db34, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", lpFilePart=0x0) returned 0x40 [0129.529] CoTaskMemAlloc (cb=0x20c) returned 0x5b95b08 [0129.529] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5b95b08, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0129.529] CoTaskMemFree (pv=0x5b95b08) [0129.529] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3a [0129.529] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x3a, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0129.529] GetCurrentProcess () returned 0xffffffff [0129.529] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x11dfbc | out: TokenHandle=0x11dfbc*=0x434) returned 1 [0129.530] CloseHandle (hObject=0x434) returned 1 [0129.530] GetCurrentProcess () returned 0xffffffff [0129.530] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x11dfbc | out: TokenHandle=0x11dfbc*=0x434) returned 1 [0129.531] CloseHandle (hObject=0x434) returned 1 [0129.531] GetCurrentProcess () returned 0xffffffff [0129.532] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x11de70 | out: TokenHandle=0x11de70*=0x434) returned 1 [0129.532] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x11de68 | out: lpFileInformation=0x11de68*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0129.532] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 [0129.532] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", nBufferLength=0x41, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", lpFilePart=0x0) returned 0x40 [0129.532] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x11de70 | out: lpFileInformation=0x11de70*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0129.533] CloseHandle (hObject=0x434) returned 1 [0129.533] GetCurrentProcess () returned 0xffffffff [0129.533] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x11dfbc | out: TokenHandle=0x11dfbc*=0x434) returned 1 [0129.533] CloseHandle (hObject=0x434) returned 1 [0129.534] GetCurrentProcess () returned 0xffffffff [0129.534] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x11dfbc | out: TokenHandle=0x11dfbc*=0x434) returned 1 [0129.534] CloseHandle (hObject=0x434) returned 1 [0129.543] GetCurrentProcess () returned 0xffffffff [0129.543] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x11ddd4 | out: TokenHandle=0x11ddd4*=0x434) returned 1 [0129.559] CloseHandle (hObject=0x434) returned 1 [0129.559] GetCurrentProcess () returned 0xffffffff [0129.559] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x11ddec | out: TokenHandle=0x11ddec*=0x434) returned 1 [0129.560] CloseHandle (hObject=0x434) returned 1 [0129.566] CoCreateGuid (in: pguid=0x11e1d8 | out: pguid=0x11e1d8*(Data1=0xa9e33cd, Data2=0x7415, Data3=0x4872, Data4=([0]=0x84, [1]=0x18, [2]=0x69, [3]=0x34, [4]=0xb1, [5]=0x72, [6]=0x70, [7]=0xd))) returned 0x0 [0129.569] ReportEventW (hEventLog=0x4cd0004, wType=0x4, wCategory=0x4, dwEventID=0x193, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x21c4308*="Stopped", lpRawData=0x21c4230) returned 1 [0129.579] SetEvent (hEvent=0x350) returned 1 [0129.603] CloseHandle (hObject=0x350) returned 1 [0129.699] SetConsoleCtrlHandler (HandlerRoutine=0x0, Add=0) returned 1 [0129.702] CoGetContextToken (in: pToken=0x11f8a4 | out: pToken=0x11f8a4) returned 0x0 [0129.703] CObjectContext::QueryInterface () returned 0x0 [0129.703] CObjectContext::GetCurrentThreadType () returned 0x0 [0129.703] Release () returned 0x0 [0129.703] CoGetContextToken (in: pToken=0x11f5b4 | out: pToken=0x11f5b4) returned 0x0 [0129.703] CObjectContext::QueryInterface () returned 0x0 [0129.704] CObjectContext::GetCurrentThreadType () returned 0x0 [0129.704] Release () returned 0x0 [0129.707] CoGetContextToken (in: pToken=0x11f5b4 | out: pToken=0x11f5b4) returned 0x0 [0129.707] CObjectContext::QueryInterface () returned 0x0 [0129.707] CObjectContext::GetCurrentThreadType () returned 0x0 [0129.707] Release () returned 0x0 [0129.719] CoGetContextToken (in: pToken=0x11f5b4 | out: pToken=0x11f5b4) returned 0x0 [0129.719] CObjectContext::QueryInterface () returned 0x0 [0129.719] CObjectContext::GetCurrentThreadType () returned 0x0 [0129.719] Release () returned 0x0 [0129.728] CoGetContextToken (in: pToken=0x11f5d4 | out: pToken=0x11f5d4) returned 0x0 [0129.728] CObjectContext::QueryInterface () returned 0x0 [0129.728] CObjectContext::GetCurrentThreadType () returned 0x0 [0129.729] Release () returned 0x0 [0129.729] CoUninitialize () Thread: id = 53 os_tid = 0xfb0 Thread: id = 54 os_tid = 0xfb4 [0122.702] RegCloseKey (hKey=0x34c) returned 0x0 [0129.490] CloseHandle (hObject=0x3b4) returned 1 [0129.490] CloseHandle (hObject=0x3d8) returned 1 [0129.490] CloseHandle (hObject=0x3e0) returned 1 [0129.490] CloseHandle (hObject=0x3dc) returned 1 [0129.490] CloseHandle (hObject=0x348) returned 1 [0129.490] CloseHandle (hObject=0x344) returned 1 [0129.491] CloseHandle (hObject=0x340) returned 1 [0129.491] CloseHandle (hObject=0x3f4) returned 1 [0129.491] CloseHandle (hObject=0x33c) returned 1 [0129.491] CloseHandle (hObject=0x338) returned 1 [0129.491] CloseHandle (hObject=0x334) returned 1 [0129.491] CloseHandle (hObject=0x3f0) returned 1 [0129.492] CloseHandle (hObject=0x3ec) returned 1 [0129.492] CloseHandle (hObject=0x3e8) returned 1 [0129.492] CloseHandle (hObject=0x34c) returned 1 [0129.492] CloseHandle (hObject=0x3e4) returned 1 [0129.492] CloseHandle (hObject=0x330) returned 1 [0129.492] CloseHandle (hObject=0x32c) returned 1 [0129.492] CloseHandle (hObject=0x328) returned 1 [0129.492] CloseHandle (hObject=0x31c) returned 1 [0129.492] CloseHandle (hObject=0x320) returned 1 [0129.492] CloseHandle (hObject=0x2a4) returned 1 [0129.493] CloseHandle (hObject=0x304) returned 1 [0129.493] CloseHandle (hObject=0x3d4) returned 1 [0129.705] EtwEventUnregister () returned 0x0 [0129.705] EtwEventUnregister () returned 0x0 [0129.705] EtwEventUnregister () returned 0x0 [0129.705] EtwEventUnregister () returned 0x0 [0129.705] EtwEventUnregister () returned 0x0 [0129.705] EtwEventUnregister () returned 0x0 [0129.705] EtwEventUnregister () returned 0x0 [0129.705] EtwEventUnregister () returned 0x0 [0129.711] EtwEventUnregister () returned 0x0 [0129.713] CloseHandle (hObject=0x2ac) returned 1 [0129.716] CloseHandle (hObject=0x428) returned 1 [0129.716] CloseHandle (hObject=0x424) returned 1 [0129.716] CloseHandle (hObject=0x420) returned 1 [0129.716] CloseHandle (hObject=0x41c) returned 1 [0129.717] CloseHandle (hObject=0x418) returned 1 [0129.717] CloseHandle (hObject=0x414) returned 1 [0129.717] CloseHandle (hObject=0x410) returned 1 [0129.717] CloseHandle (hObject=0x40c) returned 1 [0129.718] DeregisterEventSource (hEventLog=0x4cd0004) returned 1 [0129.721] CloseHandle (hObject=0x408) returned 1 [0129.721] CloseHandle (hObject=0x404) returned 1 [0129.721] CloseHandle (hObject=0x3fc) returned 1 [0129.721] CloseHandle (hObject=0x3ac) returned 1 [0129.722] CloseHandle (hObject=0x3f8) returned 1 [0129.722] CloseHandle (hObject=0xf) returned 1 [0129.723] CloseHandle (hObject=0x270) returned 1 [0129.724] LocalFree (hMem=0x4386b8) returned 0x0 [0129.725] RegCloseKey (hKey=0x80000004) returned 0x0 [0129.725] CloseHandle (hObject=0x3b8) returned 1 [0129.726] LocalFree (hMem=0x409dc0) returned 0x0 [0129.726] UnmapViewOfFile (lpBaseAddress=0x4380000) returned 1 Thread: id = 55 os_tid = 0xfb8 Thread: id = 56 os_tid = 0xfbc Thread: id = 57 os_tid = 0xfc0 Thread: id = 58 os_tid = 0xfc4 Thread: id = 59 os_tid = 0xfc8 Thread: id = 60 os_tid = 0xfcc [0122.007] CoCreateGuid (in: pguid=0x4c6ea90 | out: pguid=0x4c6ea90*(Data1=0x5457dced, Data2=0x31c3, Data3=0x4297, Data4=([0]=0xb7, [1]=0xc0, [2]=0xae, [3]=0x9b, [4]=0x56, [5]=0x32, [6]=0x97, [7]=0x9b))) returned 0x0 Thread: id = 61 os_tid = 0xfd0 [0129.719] CoGetContextToken (in: pToken=0x4b3f6bc | out: pToken=0x4b3f6bc) returned 0x0 [0129.719] CObjectContext::QueryInterface () returned 0x0 [0129.719] CObjectContext::GetCurrentThreadType () returned 0x0 [0129.719] Release () returned 0x0 Thread: id = 62 os_tid = 0xfd4 Thread: id = 63 os_tid = 0xfd8 Thread: id = 64 os_tid = 0xfdc [0121.886] SetThreadUILanguage (LangId=0x0) returned 0x409 [0121.906] EtwEventRegister () returned 0x0 [0121.954] CoCreateGuid (in: pguid=0x580f30c | out: pguid=0x580f30c*(Data1=0xb13f4f75, Data2=0xd197, Data3=0x4ec1, Data4=([0]=0x94, [1]=0xdb, [2]=0x90, [3]=0x82, [4]=0x9e, [5]=0x87, [6]=0xcf, [7]=0x58))) returned 0x0 [0121.962] QueryPerformanceCounter (in: lpPerformanceCount=0x580f2ec | out: lpPerformanceCount=0x580f2ec*=1806297158056) returned 1 [0121.963] GetCurrentProcessId () returned 0xf94 [0121.963] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf94) returned 0x3ac [0121.963] EnumProcessModules (in: hProcess=0x3ac, lphModule=0x22440e0, cb=0x100, lpcbNeeded=0x580f1e4 | out: lphModule=0x22440e0, lpcbNeeded=0x580f1e4) returned 1 [0121.964] GetModuleInformation (in: hProcess=0x3ac, hModule=0x230000, lpmodinfo=0x2244220, cb=0xc | out: lpmodinfo=0x2244220*(lpBaseOfDll=0x230000, SizeOfImage=0x6b000, EntryPoint=0x23d330)) returned 1 [0121.964] CoTaskMemAlloc (cb=0x804) returned 0x4379a0 [0121.965] GetModuleBaseNameW (in: hProcess=0x3ac, hModule=0x230000, lpBaseName=0x4379a0, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0121.965] CoTaskMemFree (pv=0x4379a0) [0121.965] CoTaskMemAlloc (cb=0x804) returned 0x4379a0 [0121.965] GetModuleFileNameExW (in: hProcess=0x3ac, hModule=0x230000, lpFilename=0x4379a0, nSize=0x800 | out: lpFilename="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0121.965] CoTaskMemFree (pv=0x4379a0) [0121.965] CloseHandle (hObject=0x3ac) returned 1 [0121.966] LocalReAlloc (hMem=0x3b34e0, uBytes=0x208, uFlags=0x2) returned 0x4386b8 [0121.966] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x104, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0121.966] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580ef1c) returned 1 [0121.966] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0x580f1e0 | out: lpFileInformation=0x580f1e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b7f9180, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8b7f9180, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x7711b3a3, ftLastWriteTime.dwHighDateTime=0x1d251bc, nFileSizeHigh=0x0, nFileSizeLow=0x68400)) returned 1 [0121.967] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580ef18) returned 1 [0121.967] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", lpdwHandle=0x580f254 | out: lpdwHandle=0x580f254) returned 0x74c [0121.967] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", dwHandle=0x0, dwLen=0x74c, lpData=0x2246454 | out: lpData=0x2246454) returned 1 [0121.967] VerQueryValueW (in: pBlock=0x2246454, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x580f228, puLen=0x580f224 | out: lplpBuffer=0x580f228*=0x22467f4, puLen=0x580f224) returned 1 [0121.967] VerQueryValueW (in: pBlock=0x2246454, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\CompanyName", lplpBuffer=0x580f1a8, puLen=0x580f1a4 | out: lplpBuffer=0x580f1a8*=0x224650c, puLen=0x580f1a4) returned 1 [0121.967] VerQueryValueW (in: pBlock=0x2246454, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\FileDescription", lplpBuffer=0x580f1a8, puLen=0x580f1a4 | out: lplpBuffer=0x580f1a8*=0x2246560, puLen=0x580f1a4) returned 1 [0121.967] VerQueryValueW (in: pBlock=0x2246454, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\FileVersion", lplpBuffer=0x580f1a8, puLen=0x580f1a4 | out: lplpBuffer=0x580f1a8*=0x22465a8, puLen=0x580f1a4) returned 1 [0121.967] VerQueryValueW (in: pBlock=0x2246454, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\InternalName", lplpBuffer=0x580f1a8, puLen=0x580f1a4 | out: lplpBuffer=0x580f1a8*=0x224661c, puLen=0x580f1a4) returned 1 [0121.967] VerQueryValueW (in: pBlock=0x2246454, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\LegalCopyright", lplpBuffer=0x580f1a8, puLen=0x580f1a4 | out: lplpBuffer=0x580f1a8*=0x2246658, puLen=0x580f1a4) returned 1 [0121.967] VerQueryValueW (in: pBlock=0x2246454, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\OriginalFilename", lplpBuffer=0x580f1a8, puLen=0x580f1a4 | out: lplpBuffer=0x580f1a8*=0x22466dc, puLen=0x580f1a4) returned 1 [0121.968] VerQueryValueW (in: pBlock=0x2246454, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\ProductName", lplpBuffer=0x580f1a8, puLen=0x580f1a4 | out: lplpBuffer=0x580f1a8*=0x2246724, puLen=0x580f1a4) returned 1 [0121.968] VerQueryValueW (in: pBlock=0x2246454, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\ProductVersion", lplpBuffer=0x580f1a8, puLen=0x580f1a4 | out: lplpBuffer=0x580f1a8*=0x2246794, puLen=0x580f1a4) returned 1 [0121.968] VerQueryValueW (in: pBlock=0x2246454, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\Comments", lplpBuffer=0x580f1a8, puLen=0x580f1a4 | out: lplpBuffer=0x580f1a8*=0x0, puLen=0x580f1a4) returned 0 [0121.968] VerQueryValueW (in: pBlock=0x2246454, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\LegalTrademarks", lplpBuffer=0x580f1a8, puLen=0x580f1a4 | out: lplpBuffer=0x580f1a8*=0x0, puLen=0x580f1a4) returned 0 [0121.968] VerQueryValueW (in: pBlock=0x2246454, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\PrivateBuild", lplpBuffer=0x580f1a8, puLen=0x580f1a4 | out: lplpBuffer=0x580f1a8*=0x0, puLen=0x580f1a4) returned 0 [0121.968] VerQueryValueW (in: pBlock=0x2246454, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\SpecialBuild", lplpBuffer=0x580f1a8, puLen=0x580f1a4 | out: lplpBuffer=0x580f1a8*=0x0, puLen=0x580f1a4) returned 0 [0121.968] VerQueryValueW (in: pBlock=0x2246454, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x580f19c, puLen=0x580f198 | out: lplpBuffer=0x580f19c*=0x22467f4, puLen=0x580f198) returned 1 [0121.968] VerLanguageNameW (in: wLang=0x409, szLang=0x580ef2c, cchLang=0x100 | out: szLang="English (United States)") returned 0x17 [0121.968] VerQueryValueW (in: pBlock=0x2246454, lpSubBlock="\\", lplpBuffer=0x580f1ac, puLen=0x580f1a8 | out: lplpBuffer=0x580f1ac*=0x224647c, puLen=0x580f1a8) returned 1 [0122.107] QueryPerformanceCounter (in: lpPerformanceCount=0x580f2b4 | out: lpPerformanceCount=0x580f2b4*=1806311684969) returned 1 [0122.112] EtwEventRegister () returned 0x0 [0122.112] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x580f124, nSize=0x80 | out: lpBuffer="") returned 0x0 [0122.163] EtwEventActivityIdControl () returned 0x0 [0122.163] EtwEventActivityIdControl () returned 0x0 [0122.163] EtwEventActivityIdControl () returned 0x0 [0122.166] EtwEventActivityIdControl () returned 0x0 [0122.166] EtwEventActivityIdControl () returned 0x0 [0122.166] EtwEventActivityIdControl () returned 0x0 [0122.216] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x580e92c, nSize=0x80 | out: lpBuffer="") returned 0x0 [0122.216] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x580e92c, nSize=0x80 | out: lpBuffer="") returned 0x0 [0122.223] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x580e918, nSize=0x80 | out: lpBuffer="") returned 0x0 [0122.239] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging", ulOptions=0x0, samDesired=0x20019, phkResult=0x580f190 | out: phkResult=0x580f190*=0x0) returned 0x2 [0122.239] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging", ulOptions=0x0, samDesired=0x20019, phkResult=0x580f190 | out: phkResult=0x580f190*=0x0) returned 0x2 [0122.240] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x580e8e8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0122.246] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x580ed28, nSize=0x80 | out: lpBuffer="") returned 0x0 [0122.248] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x580ec44, nSize=0x80 | out: lpBuffer="") returned 0xbe [0122.248] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x580ebc8, nSize=0xbe | out: lpBuffer="") returned 0xbd [0122.249] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x580ebb4, nSize=0xbe | out: lpBuffer="") returned 0x3a [0122.255] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4386b8 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop") returned 0x1a [0122.257] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x580ebbc, nSize=0xbe | out: lpBuffer="") returned 0x3a [0122.258] GetFullPathNameW (in: lpFileName="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x49 [0122.258] GetFullPathNameW (in: lpFileName="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x49, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x48 [0122.258] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eab0) returned 1 [0122.258] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\users\\keecfmwgj\\desktop\\c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x580ed74 | out: lpFileInformation=0x580ed74*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0122.259] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eaac) returned 1 [0122.259] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x580e44c, nSize=0xbe | out: lpBuffer="") returned 0x0 [0122.259] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0122.259] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x14, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0122.259] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eab0) returned 1 [0122.259] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x580ed74 | out: lpFileInformation=0x580ed74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe13712, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x5da08c40, ftLastAccessTime.dwHighDateTime=0x1d7a944, ftLastWriteTime.dwLowDateTime=0x5da08c40, ftLastWriteTime.dwHighDateTime=0x1d7a944, nFileSizeHigh=0x0, nFileSizeLow=0x80000)) returned 1 [0122.260] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eaac) returned 1 [0122.260] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580ed6c) returned 1 [0122.260] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0122.260] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x14, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0122.261] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\Start-Sleep.*", lpFindFileData=0x580eb1c | out: lpFindFileData=0x580eb1c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0122.262] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eac4) returned 1 [0122.262] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580ed24) returned 1 [0122.262] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0122.263] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0xb, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0122.263] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eab0) returned 1 [0122.263] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x580ed74 | out: lpFileInformation=0x580ed74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x571be860, ftLastAccessTime.dwHighDateTime=0x1d7a944, ftLastWriteTime.dwLowDateTime=0x571be860, ftLastWriteTime.dwHighDateTime=0x1d7a944, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0122.263] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eaac) returned 1 [0122.263] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580ed6c) returned 1 [0122.263] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0122.263] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0xb, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0122.263] FindFirstFileW (in: lpFileName="C:\\Windows\\Start-Sleep.*", lpFindFileData=0x580eb1c | out: lpFindFileData=0x580eb1c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0122.263] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eac4) returned 1 [0122.263] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580ed24) returned 1 [0122.263] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0122.263] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0122.263] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eab0) returned 1 [0122.264] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem" (normalized: "c:\\windows\\syswow64\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x580ed74 | out: lpFileInformation=0x580ed74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x123dcea, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0x496a9b80, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496a9b80, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0122.264] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eaac) returned 1 [0122.264] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580ed6c) returned 1 [0122.264] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0122.264] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0122.264] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\Start-Sleep.*", lpFindFileData=0x580eb1c | out: lpFindFileData=0x580eb1c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0122.264] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eac4) returned 1 [0122.264] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580ed24) returned 1 [0122.264] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2c [0122.264] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x2c, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0122.264] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eab0) returned 1 [0122.264] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x580ed74 | out: lpFileInformation=0x580ed74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x499a3700, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499a3700, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0122.264] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eaac) returned 1 [0122.264] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580ed6c) returned 1 [0122.264] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2c [0122.265] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x2c, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0122.265] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Start-Sleep.*", lpFindFileData=0x580eb1c | out: lpFindFileData=0x580eb1c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0122.265] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eac4) returned 1 [0122.265] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580ed24) returned 1 [0122.268] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x580ec20, nSize=0xbe | out: lpBuffer="") returned 0xc6 [0122.268] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x580ec10, nSize=0xc6 | out: lpBuffer="") returned 0xc5 [0122.277] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules" (normalized: "c:\\program files\\windowspowershell\\modules")) returned 0x10 [0122.279] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580ed9c) returned 1 [0122.279] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2b [0122.279] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x2b, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x2a [0122.280] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\*", lpFindFileData=0x580eb4c | out: lpFindFileData=0x580eb4c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49ad4200, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49ad4200, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x428600 [0122.280] FindNextFileW (in: hFindFile=0x428600, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49ad4200, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49ad4200, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.280] FindNextFileW (in: hFindFile=0x428600, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ad4200, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49ad4200, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49ad4200, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement", cAlternateFileName="PACKAG~1")) returned 1 [0122.280] FindNextFileW (in: hFindFile=0x428600, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49aae0a0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49aae0a0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerShellGet", cAlternateFileName="POWERS~1")) returned 1 [0122.280] FindNextFileW (in: hFindFile=0x428600, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0122.280] FindClose (in: hFindFile=0x428600 | out: hFindFile=0x428600) returned 1 [0122.280] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eb0c) returned 1 [0122.280] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580ed6c) returned 1 [0122.281] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.psd1")) returned 0xffffffff [0122.281] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.psm1")) returned 0xffffffff [0122.281] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.cdxml")) returned 0xffffffff [0122.282] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.xaml")) returned 0xffffffff [0122.282] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.ni.dll")) returned 0xffffffff [0122.282] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.dll")) returned 0xffffffff [0122.282] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0122.282] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x3d, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x3c [0122.282] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eaec) returned 1 [0122.282] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement"), fInfoLevelId=0x0, lpFileInformation=0x580edb0 | out: lpFileInformation=0x580edb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ad4200, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49ad4200, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49ad4200, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0122.282] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eae8) returned 1 [0122.282] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x39 [0122.283] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x39, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", lpFilePart=0x0) returned 0x38 [0122.283] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eaec) returned 1 [0122.283] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget"), fInfoLevelId=0x0, lpFileInformation=0x580edb0 | out: lpFileInformation=0x580edb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49aae0a0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49aae0a0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0122.283] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eae8) returned 1 [0122.283] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580ed9c) returned 1 [0122.283] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0122.283] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x3d, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x3c [0122.283] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\*", lpFindFileData=0x580eb4c | out: lpFindFileData=0x580eb4c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ad4200, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49ad4200, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49ad4200, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x428600 [0122.283] FindNextFileW (in: hFindFile=0x428600, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ad4200, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49ad4200, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49ad4200, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.283] FindNextFileW (in: hFindFile=0x428600, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ad4200, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49b46620, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49b46620, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0122.283] FindNextFileW (in: hFindFile=0x428600, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0122.283] FindClose (in: hFindFile=0x428600 | out: hFindFile=0x428600) returned 1 [0122.283] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eb0c) returned 1 [0122.283] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580ed6c) returned 1 [0122.284] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5c [0122.284] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x5c, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0122.284] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eaf0) returned 1 [0122.284] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), fInfoLevelId=0x0, lpFileInformation=0x580edb4 | out: lpFileInformation=0x580edb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49b46620, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea9fba0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea9fba0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x8f9)) returned 1 [0122.284] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eaec) returned 1 [0122.284] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5c [0122.284] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x5c, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0122.285] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5c [0122.285] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x5c, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0122.285] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eb14) returned 1 [0122.285] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), fInfoLevelId=0x0, lpFileInformation=0x226f2e8 | out: lpFileInformation=0x226f2e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49b46620, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea9fba0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea9fba0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x8f9)) returned 1 [0122.285] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eb10) returned 1 [0122.289] GetEnvironmentVariableW (in: lpName="PSModuleAnalysisCachePath", lpBuffer=0x580ddc4, nSize=0xc6 | out: lpBuffer="") returned 0x0 [0122.289] CoTaskMemAlloc (cb=0x20c) returned 0x43a968 [0122.289] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x43a968 | out: pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local") returned 0x0 [0122.289] CoTaskMemFree (pv=0x43a968) [0122.289] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x21 [0122.289] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local", nBufferLength=0x21, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local", lpFilePart=0x0) returned 0x20 [0122.289] GetFileAttributesW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\powershell\\moduleanalysiscache")) returned 0x2020 [0122.290] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x52 [0122.290] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache", nBufferLength=0x52, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache", lpFilePart=0x0) returned 0x51 [0122.290] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580e568) returned 1 [0122.290] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\powershell\\moduleanalysiscache"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3b4 [0122.290] GetFileType (hFile=0x3b4) returned 0x1 [0122.290] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580e564) returned 1 [0122.290] GetFileType (hFile=0x3b4) returned 0x1 [0122.291] ReadFile (in: hFile=0x3b4, lpBuffer=0x2270438, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580e5dc, lpOverlapped=0x0 | out: lpBuffer=0x2270438*, lpNumberOfBytesRead=0x580e5dc*=0x1000, lpOverlapped=0x0) returned 1 [0122.305] ReadFile (in: hFile=0x3b4, lpBuffer=0x2270013, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x580e5e4, lpOverlapped=0x0 | out: lpBuffer=0x2270013*, lpNumberOfBytesRead=0x580e5e4*=0x1, lpOverlapped=0x0) returned 1 [0122.305] ReadFile (in: hFile=0x3b4, lpBuffer=0x2270438, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580e5d0, lpOverlapped=0x0 | out: lpBuffer=0x2270438*, lpNumberOfBytesRead=0x580e5d0*=0x1000, lpOverlapped=0x0) returned 1 [0122.306] ReadFile (in: hFile=0x3b4, lpBuffer=0x2270011, nNumberOfBytesToRead=0x13, lpNumberOfBytesRead=0x580e5e4, lpOverlapped=0x0 | out: lpBuffer=0x2270011*, lpNumberOfBytesRead=0x580e5e4*=0x13, lpOverlapped=0x0) returned 1 [0122.306] ReadFile (in: hFile=0x3b4, lpBuffer=0x2270438, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580e5e4, lpOverlapped=0x0 | out: lpBuffer=0x2270438*, lpNumberOfBytesRead=0x580e5e4*=0x1000, lpOverlapped=0x0) returned 1 [0122.306] ReadFile (in: hFile=0x3b4, lpBuffer=0x2270438, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580e5e4, lpOverlapped=0x0 | out: lpBuffer=0x2270438*, lpNumberOfBytesRead=0x580e5e4*=0x4fd, lpOverlapped=0x0) returned 1 [0122.306] GetEnvironmentVariableW (in: lpName="PSDisableModuleAnalysisCacheCleanup", lpBuffer=0x580e444, nSize=0xc6 | out: lpBuffer="") returned 0x0 [0122.314] CloseHandle (hObject=0x3b4) returned 1 [0122.314] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psd1")) returned 0xffffffff [0122.314] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psm1")) returned 0xffffffff [0122.315] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.cdxml")) returned 0xffffffff [0122.315] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.xaml")) returned 0xffffffff [0122.315] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.ni.dll")) returned 0xffffffff [0122.315] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.dll")) returned 0xffffffff [0122.315] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580ed9c) returned 1 [0122.315] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x39 [0122.315] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x39, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", lpFilePart=0x0) returned 0x38 [0122.316] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\*", lpFindFileData=0x580eb4c | out: lpFindFileData=0x580eb4c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49aae0a0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49aae0a0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x428640 [0122.316] FindNextFileW (in: hFindFile=0x428640, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49aae0a0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49aae0a0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.316] FindNextFileW (in: hFindFile=0x428640, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49ad4200, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49ad4200, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0122.316] FindNextFileW (in: hFindFile=0x428640, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0122.316] FindClose (in: hFindFile=0x428640 | out: hFindFile=0x428640) returned 1 [0122.316] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eb0c) returned 1 [0122.316] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580ed6c) returned 1 [0122.316] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0122.316] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0122.316] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eaf0) returned 1 [0122.317] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x580edb4 | out: lpFileInformation=0x580edb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea79a40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea79a40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0122.317] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eaec) returned 1 [0122.317] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0122.317] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0122.317] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0122.317] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0122.317] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eb14) returned 1 [0122.317] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x22824a8 | out: lpFileInformation=0x22824a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49aae0a0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea79a40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea79a40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0122.317] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eb10) returned 1 [0122.317] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.psd1")) returned 0xffffffff [0122.317] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.psm1")) returned 0xffffffff [0122.317] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.cdxml")) returned 0xffffffff [0122.318] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.xaml")) returned 0xffffffff [0122.318] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.ni.dll")) returned 0xffffffff [0122.318] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.dll")) returned 0xffffffff [0122.320] GetFileAttributesW (lpFileName="C:\\Users\\kEecfMwgj\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\keecfmwgj\\documents\\windowspowershell\\modules")) returned 0xffffffff [0122.326] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules" (normalized: "c:\\program files (x86)\\windowspowershell\\modules")) returned 0x10 [0122.327] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580ed9c) returned 1 [0122.327] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x31 [0122.327] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules", nBufferLength=0x31, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x30 [0122.327] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\*", lpFindFileData=0x580eb4c | out: lpFindFileData=0x580eb4c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499ef9c0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499ef9c0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x428640 [0122.327] FindNextFileW (in: hFindFile=0x428640, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499ef9c0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499ef9c0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.327] FindNextFileW (in: hFindFile=0x428640, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499ef9c0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499ef9c0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499ef9c0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement", cAlternateFileName="PACKAG~1")) returned 1 [0122.327] FindNextFileW (in: hFindFile=0x428640, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499a3700, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499a3700, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerShellGet", cAlternateFileName="POWERS~1")) returned 1 [0122.327] FindNextFileW (in: hFindFile=0x428640, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0122.327] FindClose (in: hFindFile=0x428640 | out: hFindFile=0x428640) returned 1 [0122.327] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eb0c) returned 1 [0122.327] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580ed6c) returned 1 [0122.328] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Modules.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\modules.psd1")) returned 0xffffffff [0122.328] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Modules.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\modules.psm1")) returned 0xffffffff [0122.328] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Modules.cdxml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\modules.cdxml")) returned 0xffffffff [0122.328] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Modules.xaml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\modules.xaml")) returned 0xffffffff [0122.328] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Modules.ni.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\modules.ni.dll")) returned 0xffffffff [0122.328] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Modules.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\modules.dll")) returned 0xffffffff [0122.328] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x43 [0122.328] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x43, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x42 [0122.328] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eaec) returned 1 [0122.328] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement"), fInfoLevelId=0x0, lpFileInformation=0x580edb0 | out: lpFileInformation=0x580edb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499ef9c0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499ef9c0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499ef9c0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0122.328] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eae8) returned 1 [0122.329] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3f [0122.329] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x3f, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet", lpFilePart=0x0) returned 0x3e [0122.329] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eaec) returned 1 [0122.329] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget"), fInfoLevelId=0x0, lpFileInformation=0x580edb0 | out: lpFileInformation=0x580edb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499a3700, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499a3700, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0122.329] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eae8) returned 1 [0122.329] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580ed9c) returned 1 [0122.329] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x43 [0122.329] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x43, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x42 [0122.329] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\*", lpFindFileData=0x580eb4c | out: lpFindFileData=0x580eb4c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499ef9c0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499ef9c0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499ef9c0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x428640 [0122.329] FindNextFileW (in: hFindFile=0x428640, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499ef9c0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499ef9c0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499ef9c0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.329] FindNextFileW (in: hFindFile=0x428640, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499ef9c0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x49a61de0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x49a61de0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0122.329] FindNextFileW (in: hFindFile=0x428640, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0122.329] FindClose (in: hFindFile=0x428640 | out: hFindFile=0x428640) returned 1 [0122.330] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eb0c) returned 1 [0122.330] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580ed6c) returned 1 [0122.330] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x62 [0122.330] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x62, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x61 [0122.330] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eaf0) returned 1 [0122.330] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), fInfoLevelId=0x0, lpFileInformation=0x580edb4 | out: lpFileInformation=0x580edb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49a3bc80, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea79a40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea79a40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x8f9)) returned 1 [0122.330] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eaec) returned 1 [0122.330] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x62 [0122.330] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x62, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x61 [0122.330] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x62 [0122.330] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x62, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x61 [0122.330] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eb14) returned 1 [0122.330] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), fInfoLevelId=0x0, lpFileInformation=0x228c048 | out: lpFileInformation=0x228c048*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49a3bc80, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea79a40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea79a40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x8f9)) returned 1 [0122.331] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eb10) returned 1 [0122.333] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x62 [0122.333] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x62, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x61 [0122.333] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580ec7c) returned 1 [0122.333] CreateFileW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3b4 [0122.333] GetFileType (hFile=0x3b4) returned 0x1 [0122.333] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580ec78) returned 1 [0122.333] GetFileType (hFile=0x3b4) returned 0x1 [0122.333] GetACP () returned 0x4e4 [0122.337] SetFilePointer (in: hFile=0x3b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580ecb8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580ecb8*=0) returned 0x0 [0122.337] ReadFile (in: hFile=0x3b4, lpBuffer=0x228d320, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580ece4, lpOverlapped=0x0 | out: lpBuffer=0x228d320*, lpNumberOfBytesRead=0x580ece4*=0x8f9, lpOverlapped=0x0) returned 1 [0122.338] SetFilePointer (in: hFile=0x3b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580ecb8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580ecb8*=0) returned 0x8f9 [0122.338] ReadFile (in: hFile=0x3b4, lpBuffer=0x228c7ad, nNumberOfBytesToRead=0x307, lpNumberOfBytesRead=0x580ece4, lpOverlapped=0x0 | out: lpBuffer=0x228c7ad*, lpNumberOfBytesRead=0x580ece4*=0x0, lpOverlapped=0x0) returned 1 [0122.338] SetFilePointer (in: hFile=0x3b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580ecb8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580ecb8*=0) returned 0x8f9 [0122.338] ReadFile (in: hFile=0x3b4, lpBuffer=0x228d320, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580ece4, lpOverlapped=0x0 | out: lpBuffer=0x228d320*, lpNumberOfBytesRead=0x580ece4*=0x0, lpOverlapped=0x0) returned 1 [0122.338] CloseHandle (hObject=0x3b4) returned 1 [0122.352] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psd1")) returned 0xffffffff [0122.352] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psm1")) returned 0xffffffff [0122.352] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.cdxml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\packagemanagement.cdxml")) returned 0xffffffff [0122.352] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.xaml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\packagemanagement.xaml")) returned 0xffffffff [0122.352] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.ni.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\packagemanagement.ni.dll")) returned 0xffffffff [0122.352] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\packagemanagement.dll")) returned 0xffffffff [0122.352] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580ed9c) returned 1 [0122.352] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3f [0122.352] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x3f, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet", lpFilePart=0x0) returned 0x3e [0122.353] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\*", lpFindFileData=0x580eb4c | out: lpFindFileData=0x580eb4c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499a3700, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499a3700, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x428640 [0122.353] FindNextFileW (in: hFindFile=0x428640, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499a3700, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499a3700, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.353] FindNextFileW (in: hFindFile=0x428640, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x499ef9c0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x499ef9c0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0122.353] FindNextFileW (in: hFindFile=0x428640, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0122.353] FindClose (in: hFindFile=0x428640 | out: hFindFile=0x428640) returned 1 [0122.353] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eb0c) returned 1 [0122.353] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580ed6c) returned 1 [0122.353] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0122.353] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0122.353] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eaf0) returned 1 [0122.353] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x580edb4 | out: lpFileInformation=0x580edb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea538e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea538e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0122.353] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eaec) returned 1 [0122.353] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0122.354] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0122.354] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0122.354] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0122.354] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eb14) returned 1 [0122.354] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x229bd58 | out: lpFileInformation=0x229bd58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea538e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea538e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0122.354] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eb10) returned 1 [0122.354] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0122.354] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0122.354] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580ec7c) returned 1 [0122.354] CreateFileW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3b4 [0122.354] GetFileType (hFile=0x3b4) returned 0x1 [0122.354] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580ec78) returned 1 [0122.354] GetFileType (hFile=0x3b4) returned 0x1 [0122.355] SetFilePointer (in: hFile=0x3b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580ecb8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580ecb8*=0) returned 0x0 [0122.355] ReadFile (in: hFile=0x3b4, lpBuffer=0x229cb30, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580ece4, lpOverlapped=0x0 | out: lpBuffer=0x229cb30*, lpNumberOfBytesRead=0x580ece4*=0x1000, lpOverlapped=0x0) returned 1 [0122.356] SetFilePointer (in: hFile=0x3b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580ecb8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580ecb8*=0) returned 0x1000 [0122.356] ReadFile (in: hFile=0x3b4, lpBuffer=0x229cb30, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580ece4, lpOverlapped=0x0 | out: lpBuffer=0x229cb30*, lpNumberOfBytesRead=0x580ece4*=0xde, lpOverlapped=0x0) returned 1 [0122.356] SetFilePointer (in: hFile=0x3b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580ecb8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580ecb8*=0) returned 0x10de [0122.357] ReadFile (in: hFile=0x3b4, lpBuffer=0x229cb30, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580ece4, lpOverlapped=0x0 | out: lpBuffer=0x229cb30*, lpNumberOfBytesRead=0x580ece4*=0x0, lpOverlapped=0x0) returned 1 [0122.357] CloseHandle (hObject=0x3b4) returned 1 [0122.360] CoCreateGuid (in: pguid=0x580ed24 | out: pguid=0x580ed24*(Data1=0x609d355f, Data2=0xf2a9, Data3=0x4148, Data4=([0]=0xa9, [1]=0xe5, [2]=0xdb, [3]=0x2d, [4]=0x6f, [5]=0xef, [6]=0xfb, [7]=0x49))) returned 0x0 [0122.367] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3b4 [0122.367] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3d4 [0122.368] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3d8 [0122.368] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3dc [0122.368] SetEvent (hEvent=0x3dc) returned 1 [0122.368] SetEvent (hEvent=0x3b4) returned 1 [0122.368] SetEvent (hEvent=0x3d4) returned 1 [0122.368] SetEvent (hEvent=0x3d8) returned 1 [0122.369] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3e0 [0122.369] SetThreadUILanguage (LangId=0x0) returned 0x409 [0122.404] EtwEventActivityIdControl () returned 0x0 [0122.404] EtwEventActivityIdControl () returned 0x0 [0122.404] EtwEventActivityIdControl () returned 0x0 [0122.429] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1")) returned 0x20 [0122.430] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0122.430] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0122.430] NtQuerySystemInformation (in: SystemInformationClass=0xa4, SystemInformation=0x580e65c, Length=0x20, ResultLength=0x580e6cc | out: SystemInformation=0x580e65c, ResultLength=0x580e6cc*=0x0) returned 0xc0000003 [0122.430] GetSystemInfo (in: lpSystemInfo=0x580e6d8 | out: lpSystemInfo=0x580e6d8*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5507)) [0122.431] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x580e668 | out: phkResult=0x580e668*=0x3e4) returned 0x0 [0122.431] RegQueryValueExW (in: hKey=0x3e4, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x580e684, lpData=0x0, lpcbData=0x580e680*=0x0 | out: lpType=0x580e684*=0x0, lpData=0x0, lpcbData=0x580e680*=0x0) returned 0x2 [0122.431] RegCloseKey (hKey=0x3e4) returned 0x0 [0122.436] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0122.436] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0122.436] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580e5e0) returned 1 [0122.436] CreateFileW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3e4 [0122.436] GetFileType (hFile=0x3e4) returned 0x1 [0122.436] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580e5dc) returned 1 [0122.436] GetFileType (hFile=0x3e4) returned 0x1 [0122.437] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580e61c*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580e61c*=0) returned 0x0 [0122.437] ReadFile (in: hFile=0x3e4, lpBuffer=0x22c0438, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580e648, lpOverlapped=0x0 | out: lpBuffer=0x22c0438*, lpNumberOfBytesRead=0x580e648*=0x1000, lpOverlapped=0x0) returned 1 [0122.438] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580e61c*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580e61c*=0) returned 0x1000 [0122.438] ReadFile (in: hFile=0x3e4, lpBuffer=0x22c0438, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580e648, lpOverlapped=0x0 | out: lpBuffer=0x22c0438*, lpNumberOfBytesRead=0x580e648*=0xde, lpOverlapped=0x0) returned 1 [0122.438] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580e61c*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580e61c*=0) returned 0x10de [0122.438] ReadFile (in: hFile=0x3e4, lpBuffer=0x22c0438, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580e648, lpOverlapped=0x0 | out: lpBuffer=0x22c0438*, lpNumberOfBytesRead=0x580e648*=0x0, lpOverlapped=0x0) returned 1 [0122.438] NtQuerySystemInformation (in: SystemInformationClass=0xa4, SystemInformation=0x580e5b0, Length=0x20, ResultLength=0x580e620 | out: SystemInformation=0x580e5b0, ResultLength=0x580e620*=0x0) returned 0xc0000003 [0122.439] GetSystemInfo (in: lpSystemInfo=0x580e62c | out: lpSystemInfo=0x580e62c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5507)) [0122.439] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x580e5bc | out: phkResult=0x580e5bc*=0x3e8) returned 0x0 [0122.439] RegQueryValueExW (in: hKey=0x3e8, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x580e5d8, lpData=0x0, lpcbData=0x580e5d4*=0x0 | out: lpType=0x580e5d8*=0x0, lpData=0x0, lpcbData=0x580e5d4*=0x0) returned 0x2 [0122.439] RegCloseKey (hKey=0x3e8) returned 0x0 [0122.439] CloseHandle (hObject=0x3e4) returned 1 [0122.441] CoCreateGuid (in: pguid=0x580e6ac | out: pguid=0x580e6ac*(Data1=0x5c4a1d10, Data2=0x268, Data3=0x4011, Data4=([0]=0xbb, [1]=0x80, [2]=0x9f, [3]=0xe1, [4]=0x8c, [5]=0xf0, [6]=0xb8, [7]=0x92))) returned 0x0 [0122.445] QueryPerformanceCounter (in: lpPerformanceCount=0x580e40c | out: lpPerformanceCount=0x580e40c*=1806345466991) returned 1 [0122.445] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0122.445] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0122.445] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580e0f8) returned 1 [0122.445] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x580e3bc | out: lpFileInformation=0x580e3bc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea538e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea538e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0122.445] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580e0f4) returned 1 [0122.445] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0122.445] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0122.445] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0122.445] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0122.445] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580e08c) returned 1 [0122.445] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x580e350 | out: lpFileInformation=0x580e350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea538e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea538e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0122.446] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580e088) returned 1 [0122.446] CoTaskMemAlloc (cb=0x10) returned 0x42b878 [0122.446] CoTaskMemAlloc (cb=0x10) returned 0x42b8d8 [0122.446] CoTaskMemAlloc (cb=0xb4) returned 0x40b1b8 [0122.446] CoTaskMemAlloc (cb=0x30) returned 0x4240d8 [0122.446] WinVerifyTrust () returned 0x800b0100 [0122.458] CoTaskMemFree (pv=0x42b878) [0122.458] CoTaskMemFree (pv=0x4240d8) [0122.458] CryptCATHandleFromStore () returned 0x3a9980 [0122.459] WTHelperGetProvSignerFromChain () returned 0x0 [0122.459] CoTaskMemAlloc (cb=0x10) returned 0x42b878 [0122.459] CoTaskMemAlloc (cb=0x30) returned 0x4240d8 [0122.459] WinVerifyTrust () returned 0x0 [0122.459] CoTaskMemFree (pv=0x4240d8) [0122.459] CoTaskMemFree (pv=0x42b878) [0122.459] CoTaskMemFree (pv=0x40b1b8) [0122.459] CoTaskMemFree (pv=0x42b8d8) [0122.527] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\en-US\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\en-us\\powershellget.psd1")) returned 0xffffffff [0122.528] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\en\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\en\\powershellget.psd1")) returned 0xffffffff [0122.536] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1")) returned 0x20 [0122.541] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1")) returned 0x20 [0122.543] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0122.543] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0122.544] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x47 [0122.544] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1", nBufferLength=0x47, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1", lpFilePart=0x0) returned 0x46 [0122.572] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x580dd48 | out: phkResult=0x580dd48*=0x3e4) returned 0x0 [0122.572] RegQueryValueExW (in: hKey=0x3e4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x580dd68, lpData=0x0, lpcbData=0x580dd64*=0x0 | out: lpType=0x580dd68*=0x1, lpData=0x0, lpcbData=0x580dd64*=0x56) returned 0x0 [0122.572] RegQueryValueExW (in: hKey=0x3e4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x580dd68, lpData=0x22ec670, lpcbData=0x580dd64*=0x56 | out: lpType=0x580dd68*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x580dd64*=0x56) returned 0x0 [0122.572] RegCloseKey (hKey=0x3e4) returned 0x0 [0122.575] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Format.ps1xml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.format.ps1xml")) returned 0x20 [0122.580] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Format.ps1xml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.format.ps1xml")) returned 0x20 [0122.581] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Format.ps1xml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.format.ps1xml")) returned 0x20 [0122.581] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x580dd48 | out: phkResult=0x580dd48*=0x3e4) returned 0x0 [0122.581] RegQueryValueExW (in: hKey=0x3e4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x580dd68, lpData=0x0, lpcbData=0x580dd64*=0x0 | out: lpType=0x580dd68*=0x1, lpData=0x0, lpcbData=0x580dd64*=0x56) returned 0x0 [0122.581] RegQueryValueExW (in: hKey=0x3e4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x580dd68, lpData=0x22f9e44, lpcbData=0x580dd64*=0x56 | out: lpType=0x580dd68*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x580dd64*=0x56) returned 0x0 [0122.581] RegCloseKey (hKey=0x3e4) returned 0x0 [0122.585] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1")) returned 0x20 [0122.589] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1")) returned 0x20 [0122.593] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Format.ps1xml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.format.ps1xml")) returned 0x20 [0122.599] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Format.ps1xml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.format.ps1xml")) returned 0x20 [0122.603] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Resource.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.resource.psd1")) returned 0x20 [0122.606] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGet.Resource.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psget.resource.psd1")) returned 0x20 [0122.615] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGetModuleInfo.xml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5b [0122.615] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGetModuleInfo.xml", nBufferLength=0x5b, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGetModuleInfo.xml", lpFilePart=0x0) returned 0x5a [0122.615] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580db48) returned 1 [0122.616] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSGetModuleInfo.xml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psgetmoduleinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0x580de0c | out: lpFileInformation=0x580de0c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0122.616] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580db44) returned 1 [0122.617] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1")) returned 0x20 [0122.649] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x55 [0122.649] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", nBufferLength=0x55, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", lpFilePart=0x0) returned 0x54 [0122.649] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580d670) returned 1 [0122.649] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1"), fInfoLevelId=0x0, lpFileInformation=0x2328fac | out: lpFileInformation=0x2328fac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499c9860, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea538e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea538e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x8caa9)) returned 1 [0122.649] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580d66c) returned 1 [0122.649] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x55 [0122.649] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", nBufferLength=0x55, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", lpFilePart=0x0) returned 0x54 [0122.650] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580d814) returned 1 [0122.650] CreateFileW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3e4 [0122.650] GetFileType (hFile=0x3e4) returned 0x1 [0122.650] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580d810) returned 1 [0122.650] GetFileType (hFile=0x3e4) returned 0x1 [0122.650] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x0 [0122.650] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.652] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x1000 [0122.652] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.653] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x2000 [0122.653] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.653] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x3000 [0122.654] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.654] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x4000 [0122.654] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.654] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x5000 [0122.654] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.655] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x6000 [0122.655] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.655] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x7000 [0122.655] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.656] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x8000 [0122.656] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.656] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x9000 [0122.656] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.657] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0xa000 [0122.657] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.658] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0xb000 [0122.658] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.658] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0xc000 [0122.658] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.659] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0xd000 [0122.659] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.659] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0xe000 [0122.659] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.660] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0xf000 [0122.660] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.660] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x10000 [0122.660] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.660] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x11000 [0122.661] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.662] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x12000 [0122.662] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.662] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x13000 [0122.662] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.663] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x14000 [0122.663] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.663] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x15000 [0122.663] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.664] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x16000 [0122.664] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.664] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x17000 [0122.664] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.664] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x18000 [0122.665] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.665] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x19000 [0122.665] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.666] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x1a000 [0122.666] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.666] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x1b000 [0122.666] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.667] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x1c000 [0122.667] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.667] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x1d000 [0122.667] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.668] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x1e000 [0122.668] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.668] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x1f000 [0122.668] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.669] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x20000 [0122.669] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.669] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x21000 [0122.669] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.670] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x22000 [0122.670] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.670] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x23000 [0122.670] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.671] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x24000 [0122.671] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.671] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x25000 [0122.671] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.675] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x26000 [0122.675] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.675] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x27000 [0122.675] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.676] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x28000 [0122.676] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.676] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x29000 [0122.676] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.677] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x2a000 [0122.677] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.677] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x2b000 [0122.677] ReadFile (in: hFile=0x3e4, lpBuffer=0x2329db0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2329db0*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.703] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x2c000 [0122.703] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.705] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x2d000 [0122.705] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.705] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x2e000 [0122.705] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.706] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x2f000 [0122.706] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.706] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x30000 [0122.706] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.706] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x31000 [0122.706] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.707] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x32000 [0122.707] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.707] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x33000 [0122.707] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.707] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x34000 [0122.707] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.708] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x35000 [0122.708] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.708] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x36000 [0122.708] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.709] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x37000 [0122.709] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.709] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x38000 [0122.709] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.709] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x39000 [0122.709] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.710] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x3a000 [0122.710] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.710] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x3b000 [0122.710] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.710] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x3c000 [0122.711] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.711] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x3d000 [0122.711] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.711] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x3e000 [0122.711] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.712] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x3f000 [0122.712] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.712] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x40000 [0122.712] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.713] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x41000 [0122.713] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.713] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x42000 [0122.713] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.714] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x43000 [0122.714] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.714] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x44000 [0122.714] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.715] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x45000 [0122.715] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.715] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x46000 [0122.715] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.715] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x47000 [0122.715] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.716] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x48000 [0122.716] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.716] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x49000 [0122.716] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.716] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x4a000 [0122.716] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.717] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x4b000 [0122.717] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.717] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x4c000 [0122.717] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.718] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x4d000 [0122.718] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.718] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x4e000 [0122.718] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.720] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x4f000 [0122.720] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.720] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x50000 [0122.720] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.721] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x51000 [0122.721] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.721] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x52000 [0122.721] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.721] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x53000 [0122.721] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.722] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x54000 [0122.722] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.722] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x55000 [0122.722] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.723] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x56000 [0122.723] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.723] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x57000 [0122.723] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.723] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x58000 [0122.723] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.724] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x59000 [0122.724] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.724] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x5a000 [0122.724] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.724] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x5b000 [0122.724] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.725] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x5c000 [0122.725] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.725] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x5d000 [0122.725] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.725] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x5e000 [0122.726] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.726] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x5f000 [0122.726] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.726] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x60000 [0122.726] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.727] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x61000 [0122.727] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.727] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x62000 [0122.727] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.727] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x63000 [0122.727] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.728] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x64000 [0122.728] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.728] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x65000 [0122.728] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.728] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x66000 [0122.728] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.729] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x67000 [0122.729] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.729] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x68000 [0122.729] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.729] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x69000 [0122.730] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.730] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x6a000 [0122.730] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.730] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x6b000 [0122.730] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.730] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x6c000 [0122.731] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.731] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x6d000 [0122.731] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.731] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x6e000 [0122.731] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.731] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x6f000 [0122.731] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.731] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x70000 [0122.731] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.732] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x71000 [0122.732] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.732] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x72000 [0122.732] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.732] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x73000 [0122.732] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.732] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x74000 [0122.732] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.732] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x75000 [0122.733] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.733] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x76000 [0122.733] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.733] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x77000 [0122.733] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.733] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x78000 [0122.733] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.733] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x79000 [0122.733] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.734] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x7a000 [0122.734] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.734] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x7b000 [0122.734] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.734] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x7c000 [0122.735] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.735] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x7d000 [0122.735] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.735] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x7e000 [0122.735] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.736] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x7f000 [0122.736] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.736] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x80000 [0122.736] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.737] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x81000 [0122.737] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.737] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x82000 [0122.737] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.737] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x83000 [0122.737] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.737] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x84000 [0122.737] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.738] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x85000 [0122.738] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.738] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x86000 [0122.738] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.738] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x87000 [0122.738] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.738] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x88000 [0122.738] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.738] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x89000 [0122.738] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.739] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x8a000 [0122.739] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.739] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x8b000 [0122.739] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x1000, lpOverlapped=0x0) returned 1 [0122.739] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x8c000 [0122.739] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0xaa9, lpOverlapped=0x0) returned 1 [0122.739] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x8caa9 [0122.739] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105689, nNumberOfBytesToRead=0x157, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105689*, lpNumberOfBytesRead=0x580d87c*=0x0, lpOverlapped=0x0) returned 1 [0122.739] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d850*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d850*=0) returned 0x8caa9 [0122.739] ReadFile (in: hFile=0x3e4, lpBuffer=0x2105840, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d87c, lpOverlapped=0x0 | out: lpBuffer=0x2105840*, lpNumberOfBytesRead=0x580d87c*=0x0, lpOverlapped=0x0) returned 1 [0122.751] CloseHandle (hObject=0x3e4) returned 1 [0123.135] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x55 [0123.136] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", nBufferLength=0x55, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1", lpFilePart=0x0) returned 0x54 [0123.136] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580d5d4) returned 1 [0123.136] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1"), fInfoLevelId=0x0, lpFileInformation=0x27a4efc | out: lpFileInformation=0x27a4efc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499c9860, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea538e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea538e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x8caa9)) returned 1 [0123.136] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580d5d0) returned 1 [0123.146] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0123.146] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0123.146] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580e3cc) returned 1 [0123.146] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x27c9434 | out: lpFileInformation=0x27c9434*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea538e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea538e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0123.146] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580e3c8) returned 1 [0123.154] EtwEventActivityIdControl () returned 0x0 [0123.155] SetEvent (hEvent=0x3e0) returned 1 [0123.155] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x580ebac*=0x3e0, lpdwindex=0x580e9d0 | out: lpdwindex=0x580e9d0) returned 0x0 [0123.156] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0123.156] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0123.156] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580ea8c) returned 1 [0123.156] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x27cc444 | out: lpFileInformation=0x27cc444*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499a3700, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x3ea538e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x3ea538e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x10de)) returned 1 [0123.157] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580ea88) returned 1 [0123.157] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\powershellget.psd1")) returned 0xffffffff [0123.157] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\powershellget.psm1")) returned 0xffffffff [0123.157] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.cdxml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\powershellget.cdxml")) returned 0xffffffff [0123.157] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.xaml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\powershellget.xaml")) returned 0xffffffff [0123.157] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.ni.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\powershellget.ni.dll")) returned 0xffffffff [0123.157] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\powershellget.dll")) returned 0xffffffff [0123.159] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules")) returned 0x10 [0123.160] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580ed9c) returned 1 [0123.160] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x33 [0123.160] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", nBufferLength=0x33, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", lpFilePart=0x0) returned 0x32 [0123.160] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\*", lpFindFileData=0x580eb4c | out: lpFindFileData=0x580eb4c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x498007e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x498007e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x428680 [0123.161] FindNextFileW (in: hFindFile=0x428680, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x498007e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x498007e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0123.161] FindNextFileW (in: hFindFile=0x428680, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1e4bcac7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e4bcac7, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BitsTransfer", cAlternateFileName="BITSTR~1")) returned 1 [0123.161] FindNextFileW (in: hFindFile=0x428680, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CimCmdlets", cAlternateFileName="CIMCMD~1")) returned 1 [0123.161] FindNextFileW (in: hFindFile=0x428680, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ISE", cAlternateFileName="")) returned 1 [0123.161] FindNextFileW (in: hFindFile=0x428680, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496cfce0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496cfce0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496cfce0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Archive", cAlternateFileName="MICROS~1.ARC")) returned 1 [0123.161] FindNextFileW (in: hFindFile=0x428680, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Diagnostics", cAlternateFileName="MICROS~1.DIA")) returned 1 [0123.161] FindNextFileW (in: hFindFile=0x428680, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Host", cAlternateFileName="MICROS~1.HOS")) returned 1 [0123.161] FindNextFileW (in: hFindFile=0x428680, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Management", cAlternateFileName="MICROS~1.MAN")) returned 1 [0123.161] FindNextFileW (in: hFindFile=0x428680, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496cfce0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496cfce0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496cfce0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.ODataUtils", cAlternateFileName="MICROS~1.ODA")) returned 1 [0123.161] FindNextFileW (in: hFindFile=0x428680, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x498007e0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x498007e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x498007e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Security", cAlternateFileName="MICROS~1.SEC")) returned 1 [0123.161] FindNextFileW (in: hFindFile=0x428680, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility", cAlternateFileName="MICROS~1.UTI")) returned 1 [0123.161] FindNextFileW (in: hFindFile=0x428680, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x498007e0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x498007e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x498007e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WSMan.Management", cAlternateFileName="MICROS~2.MAN")) returned 1 [0123.161] FindNextFileW (in: hFindFile=0x428680, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x497da680, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x497da680, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSDesiredStateConfiguration", cAlternateFileName="PSDESI~1")) returned 1 [0123.161] FindNextFileW (in: hFindFile=0x428680, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8100bf6e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8100bf6e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSDiagnostics", cAlternateFileName="PSDIAG~1")) returned 1 [0123.161] FindNextFileW (in: hFindFile=0x428680, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSScheduledJob", cAlternateFileName="PSSCHE~1")) returned 1 [0123.161] FindNextFileW (in: hFindFile=0x428680, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1e4bcac7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e4bcac7, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TroubleshootingPack", cAlternateFileName="TROUBL~1")) returned 1 [0123.161] FindNextFileW (in: hFindFile=0x428680, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0123.161] FindClose (in: hFindFile=0x428680 | out: hFindFile=0x428680) returned 1 [0123.161] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eb0c) returned 1 [0123.161] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580ed6c) returned 1 [0123.162] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\modules.psd1")) returned 0xffffffff [0123.162] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\modules.psm1")) returned 0xffffffff [0123.162] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.cdxml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\modules.cdxml")) returned 0xffffffff [0123.162] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.xaml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\modules.xaml")) returned 0xffffffff [0123.162] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.ni.dll" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\modules.ni.dll")) returned 0xffffffff [0123.162] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.dll" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\modules.dll")) returned 0xffffffff [0123.162] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x40 [0123.162] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", nBufferLength=0x40, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", lpFilePart=0x0) returned 0x3f [0123.162] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eaec) returned 1 [0123.162] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\bitstransfer"), fInfoLevelId=0x0, lpFileInformation=0x580edb0 | out: lpFileInformation=0x580edb0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1e4bcac7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e4bcac7, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0123.163] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eae8) returned 1 [0123.163] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0123.163] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", nBufferLength=0x3e, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", lpFilePart=0x0) returned 0x3d [0123.163] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eaec) returned 1 [0123.163] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\cimcmdlets"), fInfoLevelId=0x0, lpFileInformation=0x580edb0 | out: lpFileInformation=0x580edb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0123.163] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eae8) returned 1 [0123.163] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x37 [0123.163] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE", nBufferLength=0x37, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE", lpFilePart=0x0) returned 0x36 [0123.163] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eaec) returned 1 [0123.163] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\ise"), fInfoLevelId=0x0, lpFileInformation=0x580edb0 | out: lpFileInformation=0x580edb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0123.163] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eae8) returned 1 [0123.163] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0123.163] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", nBufferLength=0x50, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", lpFilePart=0x0) returned 0x4f [0123.163] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eaec) returned 1 [0123.163] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.archive"), fInfoLevelId=0x0, lpFileInformation=0x580edb0 | out: lpFileInformation=0x580edb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496cfce0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496cfce0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496cfce0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0123.164] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eae8) returned 1 [0123.164] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0123.164] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics", nBufferLength=0x54, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics", lpFilePart=0x0) returned 0x53 [0123.164] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eaec) returned 1 [0123.164] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.diagnostics"), fInfoLevelId=0x0, lpFileInformation=0x580edb0 | out: lpFileInformation=0x580edb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0123.164] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eae8) returned 1 [0123.164] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4d [0123.164] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host", nBufferLength=0x4d, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host", lpFilePart=0x0) returned 0x4c [0123.164] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eaec) returned 1 [0123.164] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.host"), fInfoLevelId=0x0, lpFileInformation=0x580edb0 | out: lpFileInformation=0x580edb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0123.164] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eae8) returned 1 [0123.164] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0123.164] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", nBufferLength=0x53, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", lpFilePart=0x0) returned 0x52 [0123.165] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eaec) returned 1 [0123.165] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management"), fInfoLevelId=0x0, lpFileInformation=0x580edb0 | out: lpFileInformation=0x580edb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0123.165] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eae8) returned 1 [0123.165] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0123.165] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils", nBufferLength=0x53, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils", lpFilePart=0x0) returned 0x52 [0123.165] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eaec) returned 1 [0123.165] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.odatautils"), fInfoLevelId=0x0, lpFileInformation=0x580edb0 | out: lpFileInformation=0x580edb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496cfce0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496cfce0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496cfce0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0123.165] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eae8) returned 1 [0123.165] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x51 [0123.165] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security", nBufferLength=0x51, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security", lpFilePart=0x0) returned 0x50 [0123.165] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eaec) returned 1 [0123.165] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.security"), fInfoLevelId=0x0, lpFileInformation=0x580edb0 | out: lpFileInformation=0x580edb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x498007e0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x498007e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x498007e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0123.165] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eae8) returned 1 [0123.166] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0123.166] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x50, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", lpFilePart=0x0) returned 0x4f [0123.166] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eaec) returned 1 [0123.166] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility"), fInfoLevelId=0x0, lpFileInformation=0x580edb0 | out: lpFileInformation=0x580edb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0123.166] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eae8) returned 1 [0123.166] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0123.166] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management", nBufferLength=0x4e, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management", lpFilePart=0x0) returned 0x4d [0123.166] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eaec) returned 1 [0123.166] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.wsman.management"), fInfoLevelId=0x0, lpFileInformation=0x580edb0 | out: lpFileInformation=0x580edb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x498007e0, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x498007e0, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x498007e0, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0123.166] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eae8) returned 1 [0123.166] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4f [0123.166] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration", nBufferLength=0x4f, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration", lpFilePart=0x0) returned 0x4e [0123.166] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eaec) returned 1 [0123.166] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\psdesiredstateconfiguration"), fInfoLevelId=0x0, lpFileInformation=0x580edb0 | out: lpFileInformation=0x580edb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x497da680, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x497da680, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0123.167] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eae8) returned 1 [0123.167] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 [0123.167] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics", nBufferLength=0x41, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics", lpFilePart=0x0) returned 0x40 [0123.167] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eaec) returned 1 [0123.167] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\psdiagnostics"), fInfoLevelId=0x0, lpFileInformation=0x580edb0 | out: lpFileInformation=0x580edb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8100bf6e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8100bf6e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0123.167] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eae8) returned 1 [0123.167] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x42 [0123.167] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob", nBufferLength=0x42, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob", lpFilePart=0x0) returned 0x41 [0123.167] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eaec) returned 1 [0123.167] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\psscheduledjob"), fInfoLevelId=0x0, lpFileInformation=0x580edb0 | out: lpFileInformation=0x580edb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0123.167] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eae8) returned 1 [0123.167] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TroubleshootingPack", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x47 [0123.167] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TroubleshootingPack", nBufferLength=0x47, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TroubleshootingPack", lpFilePart=0x0) returned 0x46 [0123.167] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eaec) returned 1 [0123.167] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TroubleshootingPack" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\troubleshootingpack"), fInfoLevelId=0x0, lpFileInformation=0x580edb0 | out: lpFileInformation=0x580edb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1e4bcac7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e4bcac7, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0123.168] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eae8) returned 1 [0123.168] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580ed9c) returned 1 [0123.168] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0123.168] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x50, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", lpFilePart=0x0) returned 0x4f [0123.168] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\*", lpFindFileData=0x580eb4c | out: lpFindFileData=0x580eb4c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x428680 [0123.168] FindNextFileW (in: hFindFile=0x428680, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496f5e40, ftCreationTime.dwHighDateTime=0x1d73a90, ftLastAccessTime.dwLowDateTime=0x496f5e40, ftLastAccessTime.dwHighDateTime=0x1d73a90, ftLastWriteTime.dwLowDateTime=0x496f5e40, ftLastWriteTime.dwHighDateTime=0x1d73a90, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0123.168] FindNextFileW (in: hFindFile=0x428680, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e2d1d80, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e2d1d80, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f20f74b, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x982, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility.psd1", cAlternateFileName="")) returned 1 [0123.168] FindNextFileW (in: hFindFile=0x428680, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e285ac0, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e285ac0, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility.psm1", cAlternateFileName="")) returned 1 [0123.168] FindNextFileW (in: hFindFile=0x428680, lpFindFileData=0x580eb54 | out: lpFindFileData=0x580eb54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e285ac0, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e285ac0, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility.psm1", cAlternateFileName="")) returned 0 [0123.168] FindClose (in: hFindFile=0x428680 | out: hFindFile=0x428680) returned 1 [0123.168] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eb0c) returned 1 [0123.168] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580ed6c) returned 1 [0123.168] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1")) returned 0x20 [0123.169] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0123.169] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0123.169] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0123.169] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0123.169] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580eb14) returned 1 [0123.169] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), fInfoLevelId=0x0, lpFileInformation=0x27d4dc4 | out: lpFileInformation=0x27d4dc4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e2d1d80, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e2d1d80, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f20f74b, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x982)) returned 1 [0123.169] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580eb10) returned 1 [0123.169] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0123.169] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0123.169] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580ec7c) returned 1 [0123.169] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3e4 [0123.169] GetFileType (hFile=0x3e4) returned 0x1 [0123.169] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580ec78) returned 1 [0123.170] GetFileType (hFile=0x3e4) returned 0x1 [0123.170] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580ecb8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580ecb8*=0) returned 0x0 [0123.170] ReadFile (in: hFile=0x3e4, lpBuffer=0x27d5bf4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580ece4, lpOverlapped=0x0 | out: lpBuffer=0x27d5bf4*, lpNumberOfBytesRead=0x580ece4*=0x982, lpOverlapped=0x0) returned 1 [0123.171] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580ecb8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580ecb8*=0) returned 0x982 [0123.171] ReadFile (in: hFile=0x3e4, lpBuffer=0x27d510a, nNumberOfBytesToRead=0x27e, lpNumberOfBytesRead=0x580ece4, lpOverlapped=0x0 | out: lpBuffer=0x27d510a*, lpNumberOfBytesRead=0x580ece4*=0x0, lpOverlapped=0x0) returned 1 [0123.171] SetFilePointer (in: hFile=0x3e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580ecb8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580ecb8*=0) returned 0x982 [0123.171] ReadFile (in: hFile=0x3e4, lpBuffer=0x27d5bf4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580ece4, lpOverlapped=0x0 | out: lpBuffer=0x27d5bf4*, lpNumberOfBytesRead=0x580ece4*=0x0, lpOverlapped=0x0) returned 1 [0123.171] CloseHandle (hObject=0x3e4) returned 1 [0123.173] CoCreateGuid (in: pguid=0x580ede4 | out: pguid=0x580ede4*(Data1=0x57187ee0, Data2=0x85f0, Data3=0x46c2, Data4=([0]=0x9e, [1]=0x45, [2]=0x8c, [3]=0x84, [4]=0x69, [5]=0x4, [6]=0x1e, [7]=0x51))) returned 0x0 [0123.173] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3e4 [0123.173] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x34c [0123.173] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3e8 [0123.174] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3ec [0123.174] SetEvent (hEvent=0x3ec) returned 1 [0123.174] SetEvent (hEvent=0x3e4) returned 1 [0123.174] SetEvent (hEvent=0x34c) returned 1 [0123.174] SetEvent (hEvent=0x3e8) returned 1 [0123.174] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3f0 [0123.174] SetThreadUILanguage (LangId=0x0) returned 0x409 [0123.215] EtwEventActivityIdControl () returned 0x0 [0123.215] EtwEventActivityIdControl () returned 0x0 [0123.215] EtwEventActivityIdControl () returned 0x0 [0123.233] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1")) returned 0x20 [0123.234] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0123.234] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0123.234] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580e610) returned 1 [0123.234] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), fInfoLevelId=0x0, lpFileInformation=0x580e8d4 | out: lpFileInformation=0x580e8d4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e2d1d80, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e2d1d80, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f20f74b, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x982)) returned 1 [0123.234] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580e60c) returned 1 [0123.234] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1")) returned 0x20 [0123.234] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0123.234] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0123.234] NtQuerySystemInformation (in: SystemInformationClass=0xa4, SystemInformation=0x580e518, Length=0x20, ResultLength=0x580e588 | out: SystemInformation=0x580e518, ResultLength=0x580e588*=0x0) returned 0xc0000003 [0123.234] GetSystemInfo (in: lpSystemInfo=0x580e594 | out: lpSystemInfo=0x580e594*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5507)) [0123.235] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x580e524 | out: phkResult=0x580e524*=0x3f4) returned 0x0 [0123.235] RegQueryValueExW (in: hKey=0x3f4, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x580e540, lpData=0x0, lpcbData=0x580e53c*=0x0 | out: lpType=0x580e540*=0x0, lpData=0x0, lpcbData=0x580e53c*=0x0) returned 0x2 [0123.235] RegCloseKey (hKey=0x3f4) returned 0x0 [0123.235] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0123.235] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0123.235] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580e49c) returned 1 [0123.235] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3f4 [0123.235] GetFileType (hFile=0x3f4) returned 0x1 [0123.235] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580e498) returned 1 [0123.236] GetFileType (hFile=0x3f4) returned 0x1 [0123.236] SetFilePointer (in: hFile=0x3f4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580e4d8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580e4d8*=0) returned 0x0 [0123.236] ReadFile (in: hFile=0x3f4, lpBuffer=0x2809718, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580e504, lpOverlapped=0x0 | out: lpBuffer=0x2809718*, lpNumberOfBytesRead=0x580e504*=0x982, lpOverlapped=0x0) returned 1 [0123.237] SetFilePointer (in: hFile=0x3f4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580e4d8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580e4d8*=0) returned 0x982 [0123.237] ReadFile (in: hFile=0x3f4, lpBuffer=0x2808c2e, nNumberOfBytesToRead=0x27e, lpNumberOfBytesRead=0x580e504, lpOverlapped=0x0 | out: lpBuffer=0x2808c2e*, lpNumberOfBytesRead=0x580e504*=0x0, lpOverlapped=0x0) returned 1 [0123.237] SetFilePointer (in: hFile=0x3f4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580e4d8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580e4d8*=0) returned 0x982 [0123.237] ReadFile (in: hFile=0x3f4, lpBuffer=0x2809718, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580e504, lpOverlapped=0x0 | out: lpBuffer=0x2809718*, lpNumberOfBytesRead=0x580e504*=0x0, lpOverlapped=0x0) returned 1 [0123.237] NtQuerySystemInformation (in: SystemInformationClass=0xa4, SystemInformation=0x580e46c, Length=0x20, ResultLength=0x580e4dc | out: SystemInformation=0x580e46c, ResultLength=0x580e4dc*=0x0) returned 0xc0000003 [0123.237] GetSystemInfo (in: lpSystemInfo=0x580e4e8 | out: lpSystemInfo=0x580e4e8*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5507)) [0123.237] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x580e478 | out: phkResult=0x580e478*=0x3f8) returned 0x0 [0123.238] RegQueryValueExW (in: hKey=0x3f8, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x580e494, lpData=0x0, lpcbData=0x580e490*=0x0 | out: lpType=0x580e494*=0x0, lpData=0x0, lpcbData=0x580e490*=0x0) returned 0x2 [0123.238] RegCloseKey (hKey=0x3f8) returned 0x0 [0123.238] CloseHandle (hObject=0x3f4) returned 1 [0123.238] CoCreateGuid (in: pguid=0x580e568 | out: pguid=0x580e568*(Data1=0xe92c6080, Data2=0xaf5b, Data3=0x4da9, Data4=([0]=0x8f, [1]=0x8b, [2]=0xff, [3]=0x5e, [4]=0xa, [5]=0x49, [6]=0xa0, [7]=0xf7))) returned 0x0 [0123.239] QueryPerformanceCounter (in: lpPerformanceCount=0x580e2c8 | out: lpPerformanceCount=0x580e2c8*=1806424855720) returned 1 [0123.239] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0123.239] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0123.239] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580dfb4) returned 1 [0123.239] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), fInfoLevelId=0x0, lpFileInformation=0x580e278 | out: lpFileInformation=0x580e278*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e2d1d80, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e2d1d80, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f20f74b, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x982)) returned 1 [0123.239] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580dfb0) returned 1 [0123.239] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0123.239] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0123.239] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0123.239] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0123.239] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580df48) returned 1 [0123.239] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), fInfoLevelId=0x0, lpFileInformation=0x580e20c | out: lpFileInformation=0x580e20c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e2d1d80, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e2d1d80, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f20f74b, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x982)) returned 1 [0123.239] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580df44) returned 1 [0123.239] CoTaskMemAlloc (cb=0x10) returned 0x42b938 [0123.239] CoTaskMemAlloc (cb=0x10) returned 0x42b968 [0123.239] CoTaskMemAlloc (cb=0xe4) returned 0x401ed8 [0123.239] CoTaskMemAlloc (cb=0x30) returned 0x4239a0 [0123.239] WinVerifyTrust () returned 0x800b0100 [0123.249] CoTaskMemFree (pv=0x42b938) [0123.249] CoTaskMemFree (pv=0x4239a0) [0123.249] CryptCATHandleFromStore () returned 0x3a9980 [0123.249] WTHelperGetProvSignerFromChain () returned 0x0 [0123.249] CoTaskMemAlloc (cb=0x10) returned 0x42b938 [0123.249] CoTaskMemAlloc (cb=0x30) returned 0x4239a0 [0123.249] WinVerifyTrust () returned 0x0 [0123.249] CoTaskMemFree (pv=0x4239a0) [0123.249] CoTaskMemFree (pv=0x42b938) [0123.249] CoTaskMemFree (pv=0x401ed8) [0123.249] CoTaskMemFree (pv=0x42b968) [0123.252] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\en-US\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\en-us\\microsoft.powershell.utility.psd1")) returned 0xffffffff [0123.252] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\en\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\en\\microsoft.powershell.utility.psd1")) returned 0xffffffff [0123.252] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0123.252] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0123.252] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0123.252] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x50, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", lpFilePart=0x0) returned 0x4f [0123.259] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\PSGetModuleInfo.xml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x64 [0123.259] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\PSGetModuleInfo.xml", nBufferLength=0x64, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\PSGetModuleInfo.xml", lpFilePart=0x0) returned 0x63 [0123.259] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580da04) returned 1 [0123.259] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\PSGetModuleInfo.xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\psgetmoduleinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0x580dcc8 | out: lpFileInformation=0x580dcc8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0123.260] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580da00) returned 1 [0123.260] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0123.260] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Commands.Utility.dll\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.commands.utility.dll\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0123.260] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x580d980, nSize=0xc6 | out: lpBuffer="") returned 0xc5 [0123.262] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules" (normalized: "c:\\program files\\windowspowershell\\modules")) returned 0x10 [0123.263] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x51 [0123.263] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x51, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", lpFilePart=0x0) returned 0x50 [0123.263] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580d80c) returned 1 [0123.263] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.commands.utility"), fInfoLevelId=0x0, lpFileInformation=0x580dad0 | out: lpFileInformation=0x580dad0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0123.263] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580d808) returned 1 [0123.270] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.commands.utility\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0123.272] GetFileAttributesW (lpFileName="C:\\Users\\kEecfMwgj\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\keecfmwgj\\documents\\windowspowershell\\modules")) returned 0xffffffff [0123.277] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules" (normalized: "c:\\program files (x86)\\windowspowershell\\modules")) returned 0x10 [0123.277] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x57 [0123.277] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x57, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", lpFilePart=0x0) returned 0x56 [0123.277] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580d80c) returned 1 [0123.277] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\microsoft.powershell.commands.utility"), fInfoLevelId=0x0, lpFileInformation=0x580dad0 | out: lpFileInformation=0x580dad0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0123.277] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580d808) returned 1 [0123.280] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\microsoft.powershell.commands.utility\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0123.282] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules")) returned 0x10 [0123.282] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x59 [0123.282] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x59, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility", lpFilePart=0x0) returned 0x58 [0123.282] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580d80c) returned 1 [0123.283] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.commands.utility"), fInfoLevelId=0x0, lpFileInformation=0x580dad0 | out: lpFileInformation=0x580dad0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0123.283] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580d808) returned 1 [0123.285] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.commands.utility\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0123.388] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x9a [0123.388] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x9a, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x99 [0123.388] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x9a [0123.388] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x9a, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x99 [0123.388] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x9a [0123.388] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x9a, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x99 [0123.623] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1")) returned 0x20 [0123.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0123.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0123.633] NtQuerySystemInformation (in: SystemInformationClass=0xa4, SystemInformation=0x580d830, Length=0x20, ResultLength=0x580d8a0 | out: SystemInformation=0x580d830, ResultLength=0x580d8a0*=0x0) returned 0xc0000003 [0123.633] GetSystemInfo (in: lpSystemInfo=0x580d8ac | out: lpSystemInfo=0x580d8ac*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5507)) [0123.633] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x580d83c | out: phkResult=0x580d83c*=0x3f4) returned 0x0 [0123.634] RegQueryValueExW (in: hKey=0x3f4, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x580d858, lpData=0x0, lpcbData=0x580d854*=0x0 | out: lpType=0x580d858*=0x0, lpData=0x0, lpcbData=0x580d854*=0x0) returned 0x2 [0123.634] RegCloseKey (hKey=0x3f4) returned 0x0 [0123.634] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0123.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0123.635] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580d5e0) returned 1 [0123.635] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x28ae1e8 | out: lpFileInformation=0x28ae1e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e285ac0, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e285ac0, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778)) returned 1 [0123.635] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580d5dc) returned 1 [0123.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0123.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0123.635] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580d5a0) returned 1 [0123.635] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x580d864 | out: lpFileInformation=0x580d864*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e285ac0, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e285ac0, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778)) returned 1 [0123.635] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580d59c) returned 1 [0123.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0123.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0123.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0123.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0123.636] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580d534) returned 1 [0123.636] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x580d7f8 | out: lpFileInformation=0x580d7f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e285ac0, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e285ac0, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778)) returned 1 [0123.636] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580d530) returned 1 [0123.636] CoTaskMemAlloc (cb=0x10) returned 0x43c688 [0123.636] CoTaskMemAlloc (cb=0x10) returned 0x43c658 [0123.636] CoTaskMemAlloc (cb=0xe4) returned 0x401ed8 [0123.636] CoTaskMemAlloc (cb=0x30) returned 0x4241f0 [0123.636] WinVerifyTrust () returned 0x800b0100 [0123.649] CoTaskMemFree (pv=0x43c688) [0123.652] CoTaskMemFree (pv=0x4241f0) [0123.652] CryptCATHandleFromStore () returned 0x3a9aa0 [0123.653] WTHelperGetProvSignerFromChain () returned 0x0 [0123.653] CoTaskMemAlloc (cb=0x10) returned 0x43c688 [0123.653] CoTaskMemAlloc (cb=0x30) returned 0x4241f0 [0123.653] WinVerifyTrust () returned 0x0 [0123.653] CoTaskMemFree (pv=0x4241f0) [0123.653] CoTaskMemFree (pv=0x43c688) [0123.653] CoTaskMemFree (pv=0x401ed8) [0123.653] CoTaskMemFree (pv=0x43c658) [0123.653] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0123.653] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0123.653] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580d7ec) returned 1 [0123.653] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3f4 [0123.653] GetFileType (hFile=0x3f4) returned 0x1 [0123.653] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580d7e8) returned 1 [0123.654] GetFileType (hFile=0x3f4) returned 0x1 [0123.654] SetFilePointer (in: hFile=0x3f4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d828*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d828*=0) returned 0x0 [0123.654] ReadFile (in: hFile=0x3f4, lpBuffer=0x28af9fc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d854, lpOverlapped=0x0 | out: lpBuffer=0x28af9fc*, lpNumberOfBytesRead=0x580d854*=0x1000, lpOverlapped=0x0) returned 1 [0123.654] SetFilePointer (in: hFile=0x3f4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d828*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d828*=0) returned 0x1000 [0123.654] ReadFile (in: hFile=0x3f4, lpBuffer=0x28af9fc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d854, lpOverlapped=0x0 | out: lpBuffer=0x28af9fc*, lpNumberOfBytesRead=0x580d854*=0x1000, lpOverlapped=0x0) returned 1 [0123.654] SetFilePointer (in: hFile=0x3f4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d828*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d828*=0) returned 0x2000 [0123.654] ReadFile (in: hFile=0x3f4, lpBuffer=0x28af9fc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d854, lpOverlapped=0x0 | out: lpBuffer=0x28af9fc*, lpNumberOfBytesRead=0x580d854*=0x1000, lpOverlapped=0x0) returned 1 [0123.655] SetFilePointer (in: hFile=0x3f4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d828*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d828*=0) returned 0x3000 [0123.655] ReadFile (in: hFile=0x3f4, lpBuffer=0x28af9fc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d854, lpOverlapped=0x0 | out: lpBuffer=0x28af9fc*, lpNumberOfBytesRead=0x580d854*=0x1000, lpOverlapped=0x0) returned 1 [0123.655] SetFilePointer (in: hFile=0x3f4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d828*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d828*=0) returned 0x4000 [0123.655] ReadFile (in: hFile=0x3f4, lpBuffer=0x28af9fc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d854, lpOverlapped=0x0 | out: lpBuffer=0x28af9fc*, lpNumberOfBytesRead=0x580d854*=0x1000, lpOverlapped=0x0) returned 1 [0123.655] SetFilePointer (in: hFile=0x3f4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d828*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d828*=0) returned 0x5000 [0123.655] ReadFile (in: hFile=0x3f4, lpBuffer=0x28af9fc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d854, lpOverlapped=0x0 | out: lpBuffer=0x28af9fc*, lpNumberOfBytesRead=0x580d854*=0x1000, lpOverlapped=0x0) returned 1 [0123.656] SetFilePointer (in: hFile=0x3f4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d828*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d828*=0) returned 0x6000 [0123.656] ReadFile (in: hFile=0x3f4, lpBuffer=0x28af9fc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d854, lpOverlapped=0x0 | out: lpBuffer=0x28af9fc*, lpNumberOfBytesRead=0x580d854*=0x1000, lpOverlapped=0x0) returned 1 [0123.656] SetFilePointer (in: hFile=0x3f4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d828*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d828*=0) returned 0x7000 [0123.656] ReadFile (in: hFile=0x3f4, lpBuffer=0x28af9fc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d854, lpOverlapped=0x0 | out: lpBuffer=0x28af9fc*, lpNumberOfBytesRead=0x580d854*=0x778, lpOverlapped=0x0) returned 1 [0123.656] SetFilePointer (in: hFile=0x3f4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d828*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d828*=0) returned 0x7778 [0123.656] ReadFile (in: hFile=0x3f4, lpBuffer=0x28af108, nNumberOfBytesToRead=0x88, lpNumberOfBytesRead=0x580d854, lpOverlapped=0x0 | out: lpBuffer=0x28af108*, lpNumberOfBytesRead=0x580d854*=0x0, lpOverlapped=0x0) returned 1 [0123.656] SetFilePointer (in: hFile=0x3f4, lDistanceToMove=0, lpDistanceToMoveHigh=0x580d828*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x580d828*=0) returned 0x7778 [0123.656] ReadFile (in: hFile=0x3f4, lpBuffer=0x28af9fc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x580d854, lpOverlapped=0x0 | out: lpBuffer=0x28af9fc*, lpNumberOfBytesRead=0x580d854*=0x0, lpOverlapped=0x0) returned 1 [0123.657] NtQuerySystemInformation (in: SystemInformationClass=0xa4, SystemInformation=0x580d7bc, Length=0x20, ResultLength=0x580d82c | out: SystemInformation=0x580d7bc, ResultLength=0x580d82c*=0x0) returned 0xc0000003 [0123.657] GetSystemInfo (in: lpSystemInfo=0x580d838 | out: lpSystemInfo=0x580d838*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5507)) [0123.657] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x580d7c8 | out: phkResult=0x580d7c8*=0x3f8) returned 0x0 [0123.657] RegQueryValueExW (in: hKey=0x3f8, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x580d7e4, lpData=0x0, lpcbData=0x580d7e0*=0x0 | out: lpType=0x580d7e4*=0x0, lpData=0x0, lpcbData=0x580d7e0*=0x0) returned 0x2 [0123.657] RegCloseKey (hKey=0x3f8) returned 0x0 [0123.657] CloseHandle (hObject=0x3f4) returned 1 [0123.902] CoCreateGuid (in: pguid=0x580d8fc | out: pguid=0x580d8fc*(Data1=0xc81b718f, Data2=0x4a87, Data3=0x43e6, Data4=([0]=0xa4, [1]=0x85, [2]=0x2b, [3]=0x96, [4]=0x80, [5]=0x6e, [6]=0x9e, [7]=0xa9))) returned 0x0 [0123.902] GetCurrentProcess () returned 0xffffffff [0123.902] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x580d8c8 | out: TokenHandle=0x580d8c8*=0x3f4) returned 1 [0123.903] GetTokenInformation (in: TokenHandle=0x3f4, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x580d8c8 | out: TokenInformation=0x0, ReturnLength=0x580d8c8) returned 0 [0123.903] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x43a800 [0123.903] GetTokenInformation (in: TokenHandle=0x3f4, TokenInformationClass=0x8, TokenInformation=0x43a800, TokenInformationLength=0x4, ReturnLength=0x580d8c8 | out: TokenInformation=0x43a800, ReturnLength=0x580d8c8) returned 1 [0123.903] LocalFree (hMem=0x43a800) returned 0x0 [0123.903] DuplicateTokenEx (in: hExistingToken=0x3f4, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x580d8d0 | out: phNewToken=0x580d8d0*=0x3f8) returned 1 [0123.903] CheckTokenMembership (in: TokenHandle=0x3f8, SidToCheck=0x294f38c*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x580d8e0 | out: IsMember=0x580d8e0) returned 1 [0123.903] CloseHandle (hObject=0x3f8) returned 1 [0123.907] QueryPerformanceCounter (in: lpPerformanceCount=0x580d66c | out: lpPerformanceCount=0x580d66c*=1806491680788) returned 1 [0123.907] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0123.907] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0123.907] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580d358) returned 1 [0123.907] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x580d61c | out: lpFileInformation=0x580d61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e285ac0, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e285ac0, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778)) returned 1 [0123.907] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580d354) returned 1 [0123.907] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0123.907] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0123.907] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0123.907] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0123.907] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x580d2ec) returned 1 [0123.908] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x580d5b0 | out: lpFileInformation=0x580d5b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e285ac0, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x8e285ac0, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x2f214576, ftLastWriteTime.dwHighDateTime=0x1d21d40, nFileSizeHigh=0x0, nFileSizeLow=0x7778)) returned 1 [0123.908] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x580d2e8) returned 1 [0123.908] CoTaskMemAlloc (cb=0x10) returned 0x43c688 [0123.908] CoTaskMemAlloc (cb=0x10) returned 0x43c670 [0123.908] CoTaskMemAlloc (cb=0xe4) returned 0x401ed8 [0123.908] CoTaskMemAlloc (cb=0x30) returned 0x4241b8 [0123.908] WinVerifyTrust () returned 0x800b0100 [0123.922] CoTaskMemFree (pv=0x43c688) [0123.922] CoTaskMemFree (pv=0x4241b8) [0123.922] CryptCATHandleFromStore () returned 0x3a9b30 [0123.922] WTHelperGetProvSignerFromChain () returned 0x0 [0123.922] CoTaskMemAlloc (cb=0x10) returned 0x43c688 [0123.923] CoTaskMemAlloc (cb=0x30) returned 0x4241b8 [0123.923] WinVerifyTrust () returned 0x0 [0123.923] CoTaskMemFree (pv=0x4241b8) [0123.923] CoTaskMemFree (pv=0x43c688) [0123.923] CoTaskMemFree (pv=0x401ed8) [0123.923] CoTaskMemFree (pv=0x43c670) [0123.940] CoCreateGuid (in: pguid=0x580d548 | out: pguid=0x580d548*(Data1=0x8b8957ec, Data2=0xfa2a, Data3=0x44ca, Data4=([0]=0x90, [1]=0x47, [2]=0xf0, [3]=0xe4, [4]=0xf6, [5]=0x69, [6]=0xd0, [7]=0x79))) returned 0x0 [0123.941] CoCreateGuid (in: pguid=0x580d548 | out: pguid=0x580d548*(Data1=0x6526e1df, Data2=0x81e2, Data3=0x4cd6, Data4=([0]=0xb3, [1]=0x90, [2]=0x55, [3]=0xd2, [4]=0x30, [5]=0xf6, [6]=0x9, [7]=0x29))) returned 0x0 [0123.941] CoCreateGuid (in: pguid=0x580d548 | out: pguid=0x580d548*(Data1=0x255ff693, Data2=0x781, Data3=0x4854, Data4=([0]=0x92, [1]=0xfa, [2]=0x5d, [3]=0xc6, [4]=0x60, [5]=0x6a, [6]=0x1e, [7]=0x68))) returned 0x0 [0123.941] CoCreateGuid (in: pguid=0x580d548 | out: pguid=0x580d548*(Data1=0x56e334bf, Data2=0xa8bb, Data3=0x4b40, Data4=([0]=0xa7, [1]=0xc6, [2]=0x79, [3]=0xe7, [4]=0x63, [5]=0xb8, [6]=0x64, [7]=0xa3))) returned 0x0 [0123.943] CoCreateGuid (in: pguid=0x580d548 | out: pguid=0x580d548*(Data1=0x4240c44c, Data2=0x2e4d, Data3=0x49a4, Data4=([0]=0x92, [1]=0xc1, [2]=0xfb, [3]=0x97, [4]=0x80, [5]=0xb5, [6]=0xac, [7]=0x72))) returned 0x0 [0123.943] CoCreateGuid (in: pguid=0x580d548 | out: pguid=0x580d548*(Data1=0xffc01958, Data2=0xff37, Data3=0x4cf0, Data4=([0]=0xbb, [1]=0x7f, [2]=0xe7, [3]=0x7, [4]=0xff, [5]=0xca, [6]=0x71, [7]=0x8c))) returned 0x0 [0124.048] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x580e8a0 | out: phkResult=0x580e8a0*=0x3f8) returned 0x0 [0124.048] RegQueryValueExW (in: hKey=0x3f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x580e8c0, lpData=0x0, lpcbData=0x580e8bc*=0x0 | out: lpType=0x580e8c0*=0x1, lpData=0x0, lpcbData=0x580e8bc*=0x56) returned 0x0 [0124.048] RegQueryValueExW (in: hKey=0x3f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x580e8c0, lpData=0x2b17cec, lpcbData=0x580e8bc*=0x56 | out: lpType=0x580e8c0*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x580e8bc*=0x56) returned 0x0 [0124.049] RegCloseKey (hKey=0x3f8) returned 0x0 [0124.049] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x580e8a0 | out: phkResult=0x580e8a0*=0x3f8) returned 0x0 [0124.049] RegQueryValueExW (in: hKey=0x3f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x580e8c0, lpData=0x0, lpcbData=0x580e8bc*=0x0 | out: lpType=0x580e8c0*=0x1, lpData=0x0, lpcbData=0x580e8bc*=0x56) returned 0x0 [0124.049] RegQueryValueExW (in: hKey=0x3f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x580e8c0, lpData=0x2b1800c, lpcbData=0x580e8bc*=0x56 | out: lpType=0x580e8c0*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x580e8bc*=0x56) returned 0x0 [0124.049] RegCloseKey (hKey=0x3f8) returned 0x0 [0124.050] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x580e8a0 | out: phkResult=0x580e8a0*=0x3f8) returned 0x0 [0124.050] RegQueryValueExW (in: hKey=0x3f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x580e8c0, lpData=0x0, lpcbData=0x580e8bc*=0x0 | out: lpType=0x580e8c0*=0x1, lpData=0x0, lpcbData=0x580e8bc*=0x56) returned 0x0 [0124.050] RegQueryValueExW (in: hKey=0x3f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x580e8c0, lpData=0x2b18308, lpcbData=0x580e8bc*=0x56 | out: lpType=0x580e8c0*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x580e8bc*=0x56) returned 0x0 [0124.050] RegCloseKey (hKey=0x3f8) returned 0x0 [0124.050] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x580e8a0 | out: phkResult=0x580e8a0*=0x3f8) returned 0x0 [0124.050] RegQueryValueExW (in: hKey=0x3f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x580e8c0, lpData=0x0, lpcbData=0x580e8bc*=0x0 | out: lpType=0x580e8c0*=0x1, lpData=0x0, lpcbData=0x580e8bc*=0x56) returned 0x0 [0124.050] RegQueryValueExW (in: hKey=0x3f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x580e8c0, lpData=0x2b18610, lpcbData=0x580e8bc*=0x56 | out: lpType=0x580e8c0*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x580e8bc*=0x56) returned 0x0 [0124.050] RegCloseKey (hKey=0x3f8) returned 0x0 [0124.051] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x580e8a0 | out: phkResult=0x580e8a0*=0x3f8) returned 0x0 [0124.051] RegQueryValueExW (in: hKey=0x3f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x580e8c0, lpData=0x0, lpcbData=0x580e8bc*=0x0 | out: lpType=0x580e8c0*=0x1, lpData=0x0, lpcbData=0x580e8bc*=0x56) returned 0x0 [0124.051] RegQueryValueExW (in: hKey=0x3f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x580e8c0, lpData=0x2b18924, lpcbData=0x580e8bc*=0x56 | out: lpType=0x580e8c0*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x580e8bc*=0x56) returned 0x0 [0124.051] RegCloseKey (hKey=0x3f8) returned 0x0 [0124.051] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x580e8a0 | out: phkResult=0x580e8a0*=0x3f8) returned 0x0 [0124.051] RegQueryValueExW (in: hKey=0x3f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x580e8c0, lpData=0x0, lpcbData=0x580e8bc*=0x0 | out: lpType=0x580e8c0*=0x1, lpData=0x0, lpcbData=0x580e8bc*=0x56) returned 0x0 [0124.052] RegQueryValueExW (in: hKey=0x3f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x580e8c0, lpData=0x2b18c38, lpcbData=0x580e8bc*=0x56 | out: lpType=0x580e8c0*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x580e8bc*=0x56) returned 0x0 [0124.052] RegCloseKey (hKey=0x3f8) returned 0x0 [0124.052] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x580e8a0 | out: phkResult=0x580e8a0*=0x3f8) returned 0x0 [0124.052] RegQueryValueExW (in: hKey=0x3f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x580e8c0, lpData=0x0, lpcbData=0x580e8bc*=0x0 | out: lpType=0x580e8c0*=0x1, lpData=0x0, lpcbData=0x580e8bc*=0x56) returned 0x0 [0124.052] RegQueryValueExW (in: hKey=0x3f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x580e8c0, lpData=0x2b18f34, lpcbData=0x580e8bc*=0x56 | out: lpType=0x580e8c0*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x580e8bc*=0x56) returned 0x0 [0124.052] RegCloseKey (hKey=0x3f8) returned 0x0 [0124.053] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x580e8ec | out: phkResult=0x580e8ec*=0x3f8) returned 0x0 [0124.053] RegQueryValueExW (in: hKey=0x3f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x580e90c, lpData=0x0, lpcbData=0x580e908*=0x0 | out: lpType=0x580e90c*=0x1, lpData=0x0, lpcbData=0x580e908*=0x56) returned 0x0 [0124.053] RegQueryValueExW (in: hKey=0x3f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x580e90c, lpData=0x2b1927c, lpcbData=0x580e908*=0x56 | out: lpType=0x580e90c*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x580e908*=0x56) returned 0x0 [0124.053] RegCloseKey (hKey=0x3f8) returned 0x0 [0124.053] CoTaskMemAlloc (cb=0x20c) returned 0x5b95b08 [0124.053] SHGetFolderPathW (in: hwnd=0x0, csidl=38, hToken=0x0, dwFlags=0x0, pszPath=0x5b95b08 | out: pszPath="C:\\Program Files (x86)") returned 0x0 [0124.053] CoTaskMemFree (pv=0x5b95b08) [0124.053] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x17 [0124.054] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)", nBufferLength=0x17, lpBuffer=0x4386b8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)", lpFilePart=0x0) returned 0x16 [0124.133] EtwEventActivityIdControl () returned 0x0 [0124.133] SetEvent (hEvent=0x3f0) returned 1 [0124.133] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x580ec48*=0x3f0, lpdwindex=0x580ea6c | out: lpdwindex=0x580ea6c) returned 0x0 [0124.134] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x580ebdc, nSize=0xc6 | out: lpBuffer="") returned 0x0 [0124.135] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0124.135] GetFileType (hFile=0xb) returned 0x2 [0124.136] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x580ed80 | out: lpMode=0x580ed80) returned 1 [0124.137] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x580ed40 | out: lpConsoleScreenBufferInfo=0x580ed40) returned 1 [0124.137] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x580ed40 | out: lpConsoleScreenBufferInfo=0x580ed40) returned 1 [0124.151] EtwEventActivityIdControl () returned 0x0 [0124.151] EtwEventActivityIdControl () returned 0x0 [0124.151] EtwEventActivityIdControl () returned 0x0 [0124.169] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3f8 [0124.169] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x1388, cHandles=0x1, pHandles=0x580eec4*=0x3f8, lpdwindex=0x580ece8 | out: lpdwindex=0x580ece8) returned 0x80010115 [0129.182] EtwEventActivityIdControl () returned 0x0 [0129.186] CloseHandle (hObject=0x3f8) returned 1 [0129.187] EtwEventActivityIdControl () returned 0x0 [0129.188] EtwEventActivityIdControl () returned 0x0 [0129.188] EtwEventActivityIdControl () returned 0x0 [0129.188] EtwEventActivityIdControl () returned 0x0 [0129.189] SetEvent (hEvent=0x334) returned 1 [0129.190] SetEvent (hEvent=0x328) returned 1 [0129.190] SetEvent (hEvent=0x32c) returned 1 [0129.190] SetEvent (hEvent=0x330) returned 1 [0129.190] SetEvent (hEvent=0x344) returned 1 [0129.190] SetEvent (hEvent=0x338) returned 1 [0129.190] SetEvent (hEvent=0x33c) returned 1 [0129.190] SetEvent (hEvent=0x340) returned 1 [0129.190] SetEvent (hEvent=0x348) returned 1 [0129.196] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x580f4a0*=0x350, lpdwindex=0x580f2c4 | out: lpdwindex=0x580f2c4) returned 0x0 [0129.196] SetThreadUILanguage (LangId=0x0) returned 0x409 [0129.199] CoCreateGuid (in: pguid=0x580f30c | out: pguid=0x580f30c*(Data1=0xceba8d1a, Data2=0xcb8c, Data3=0x44e9, Data4=([0]=0xbc, [1]=0x49, [2]=0x1a, [3]=0x17, [4]=0x6f, [5]=0xbe, [6]=0x35, [7]=0xa5))) returned 0x0 [0129.200] QueryPerformanceCounter (in: lpPerformanceCount=0x580f2ec | out: lpPerformanceCount=0x580f2ec*=1807021010285) returned 1 [0129.250] QueryPerformanceCounter (in: lpPerformanceCount=0x580f2b4 | out: lpPerformanceCount=0x580f2b4*=1807026049504) returned 1 [0129.251] EtwEventActivityIdControl () returned 0x0 [0129.251] EtwEventActivityIdControl () returned 0x0 [0129.251] EtwEventActivityIdControl () returned 0x0 [0129.254] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x2, pHandles=0x580ee60*=0x40c, lpdwindex=0x580ed24 | out: lpdwindex=0x580ed24) returned 0x0 [0129.254] SetEvent (hEvent=0x408) returned 1 [0129.254] SetEvent (hEvent=0x40c) returned 1 [0129.254] EtwEventActivityIdControl () returned 0x0 [0129.254] SetEvent (hEvent=0x414) returned 1 [0129.254] SetEvent (hEvent=0x408) returned 1 [0129.254] SetEvent (hEvent=0x40c) returned 1 [0129.255] SetEvent (hEvent=0x424) returned 1 [0129.255] SetEvent (hEvent=0x418) returned 1 [0129.255] SetEvent (hEvent=0x41c) returned 1 [0129.255] SetEvent (hEvent=0x420) returned 1 [0129.255] SetEvent (hEvent=0x428) returned 1 [0129.257] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x580f4a0*=0x350, lpdwindex=0x580f2c4 | out: lpdwindex=0x580f2c4) returned 0x0 [0129.580] CoGetContextToken (in: pToken=0x580f88c | out: pToken=0x580f88c) returned 0x0 [0129.580] CoUninitialize () Thread: id = 65 os_tid = 0xfe0 Thread: id = 66 os_tid = 0xfe4 Thread: id = 67 os_tid = 0xfe8 Thread: id = 68 os_tid = 0xfec Thread: id = 69 os_tid = 0xff0 [0122.312] CoGetContextToken (in: pToken=0x5b8f9ec | out: pToken=0x5b8f9ec) returned 0x0 [0122.313] CObjectContext::QueryInterface () returned 0x0 [0122.313] CObjectContext::GetCurrentThreadType () returned 0x0 [0122.313] Release () returned 0x0 [0122.313] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 Thread: id = 70 os_tid = 0xff4 Process: id = "5" image_name = "revised proforma invoice_new order.exe" filename = "c:\\users\\keecfmwgj\\appdata\\local\\temp\\revised proforma invoice_new order.exe" page_root = "0xe6e8000" os_pid = "0xb2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xe58" cmd_line = "\"C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e95f" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1363 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1364 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1365 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1366 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1367 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1368 start_va = 0x120000 end_va = 0x21ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 1369 start_va = 0x240000 end_va = 0x27ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 1370 start_va = 0xe70000 end_va = 0xf0ffff monitored = 1 entry_point = 0xecf3ae region_type = mapped_file name = "revised proforma invoice_new order.exe" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\revised proforma invoice_new order.exe") Region: id = 1371 start_va = 0x76e60000 end_va = 0x77008fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1372 start_va = 0x77040000 end_va = 0x771bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1373 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 1374 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 1375 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 1376 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 1377 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1378 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1379 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1380 start_va = 0x400000 end_va = 0x43bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1382 start_va = 0x360000 end_va = 0x3dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 1383 start_va = 0x748b0000 end_va = 0x748b7fff monitored = 0 entry_point = 0x748b20f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1384 start_va = 0x748c0000 end_va = 0x7491bfff monitored = 0 entry_point = 0x748ff9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1385 start_va = 0x74920000 end_va = 0x7495efff monitored = 0 entry_point = 0x7494e088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1386 start_va = 0x76c40000 end_va = 0x76d5efff monitored = 0 entry_point = 0x76c55340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1387 start_va = 0x75d40000 end_va = 0x75e4ffff monitored = 0 entry_point = 0x75d53283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1388 start_va = 0x76c40000 end_va = 0x76d5efff monitored = 0 entry_point = 0x76c55340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1389 start_va = 0x76c40000 end_va = 0x76d5efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000076c40000" filename = "" Region: id = 1390 start_va = 0x76d60000 end_va = 0x76e59fff monitored = 0 entry_point = 0x76d7a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1391 start_va = 0x76d60000 end_va = 0x76e59fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000076d60000" filename = "" Region: id = 1392 start_va = 0x440000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 1393 start_va = 0x74a20000 end_va = 0x74a69fff monitored = 1 entry_point = 0x74a22e54 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll") Region: id = 1394 start_va = 0x75d40000 end_va = 0x75e4ffff monitored = 0 entry_point = 0x75d53283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1395 start_va = 0x75150000 end_va = 0x75196fff monitored = 0 entry_point = 0x751574c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1396 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1397 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1398 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1399 start_va = 0x70000 end_va = 0xd6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1400 start_va = 0x620000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 1401 start_va = 0x280000 end_va = 0x2effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 1402 start_va = 0x75ca0000 end_va = 0x75d3ffff monitored = 0 entry_point = 0x75cb49e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1403 start_va = 0x74cf0000 end_va = 0x74d9bfff monitored = 0 entry_point = 0x74cfa472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1404 start_va = 0x753d0000 end_va = 0x753e8fff monitored = 0 entry_point = 0x753d4975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1405 start_va = 0x75710000 end_va = 0x757fffff monitored = 0 entry_point = 0x75720569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1406 start_va = 0x74b90000 end_va = 0x74beffff monitored = 0 entry_point = 0x74baa3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1407 start_va = 0x74b80000 end_va = 0x74b8bfff monitored = 0 entry_point = 0x74b810e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1408 start_va = 0x440000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 1409 start_va = 0x520000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 1410 start_va = 0x74990000 end_va = 0x74a1cfff monitored = 1 entry_point = 0x749a2860 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll") Region: id = 1411 start_va = 0x72bf0000 end_va = 0x72bf2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\SysWOW64\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\syswow64\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 1412 start_va = 0x74c90000 end_va = 0x74ce6fff monitored = 0 entry_point = 0x74ca9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1413 start_va = 0x74e80000 end_va = 0x74f0ffff monitored = 0 entry_point = 0x74e96343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1414 start_va = 0x75b00000 end_va = 0x75bfffff monitored = 0 entry_point = 0x75b1b6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1415 start_va = 0x77010000 end_va = 0x77019fff monitored = 0 entry_point = 0x770136a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 1416 start_va = 0x74bf0000 end_va = 0x74c8cfff monitored = 0 entry_point = 0x74c23fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 1417 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1418 start_va = 0x740000 end_va = 0x8c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 1419 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1420 start_va = 0x75c40000 end_va = 0x75c9ffff monitored = 0 entry_point = 0x75c5158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1421 start_va = 0x751a0000 end_va = 0x7526bfff monitored = 0 entry_point = 0x751a168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1425 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1426 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1427 start_va = 0x8d0000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 1428 start_va = 0xf10000 end_va = 0x230ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f10000" filename = "" Region: id = 1429 start_va = 0x440000 end_va = 0x4dbfff monitored = 1 entry_point = 0x49f3ae region_type = mapped_file name = "revised proforma invoice_new order.exe" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\revised proforma invoice_new order.exe") Region: id = 1430 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 1431 start_va = 0x440000 end_va = 0x4dbfff monitored = 1 entry_point = 0x49f3ae region_type = mapped_file name = "revised proforma invoice_new order.exe" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\revised proforma invoice_new order.exe") Region: id = 1432 start_va = 0x73b80000 end_va = 0x73b88fff monitored = 0 entry_point = 0x73b81220 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 1433 start_va = 0x71a60000 end_va = 0x7220efff monitored = 1 entry_point = 0x71a7d0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 1434 start_va = 0x712b0000 end_va = 0x71a5efff monitored = 1 entry_point = 0x712cd0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 1435 start_va = 0x71a60000 end_va = 0x7220efff monitored = 1 entry_point = 0x71a7d0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 1436 start_va = 0x72440000 end_va = 0x72453fff monitored = 0 entry_point = 0x7244ac00 region_type = mapped_file name = "vcruntime140_clr0400.dll" filename = "\\Windows\\SysWOW64\\vcruntime140_clr0400.dll" (normalized: "c:\\windows\\syswow64\\vcruntime140_clr0400.dll") Region: id = 1437 start_va = 0x72390000 end_va = 0x7243afff monitored = 0 entry_point = 0x72425f20 region_type = mapped_file name = "ucrtbase_clr0400.dll" filename = "\\Windows\\SysWOW64\\ucrtbase_clr0400.dll" (normalized: "c:\\windows\\syswow64\\ucrtbase_clr0400.dll") Region: id = 1438 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1439 start_va = 0xf0000 end_va = 0xfffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 1440 start_va = 0x100000 end_va = 0x10ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1441 start_va = 0x110000 end_va = 0x11ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 1442 start_va = 0x220000 end_va = 0x22ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 1443 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1444 start_va = 0x280000 end_va = 0x28ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 1445 start_va = 0x2b0000 end_va = 0x2effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 1446 start_va = 0x290000 end_va = 0x290fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 1447 start_va = 0x2a0000 end_va = 0x2a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 1448 start_va = 0xa60000 end_va = 0xb8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 1449 start_va = 0x440000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 1450 start_va = 0x300000 end_va = 0x33ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 1451 start_va = 0x630000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 1452 start_va = 0x730000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 1453 start_va = 0x7efd8000 end_va = 0x7efdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 1454 start_va = 0x2f0000 end_va = 0x2fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1455 start_va = 0x2310000 end_va = 0x430ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 1456 start_va = 0xa60000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 1457 start_va = 0xb50000 end_va = 0xb8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 1458 start_va = 0xc40000 end_va = 0xc7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 1459 start_va = 0x4320000 end_va = 0x441ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004320000" filename = "" Region: id = 1460 start_va = 0x7efd5000 end_va = 0x7efd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 1461 start_va = 0x450000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 1462 start_va = 0x490000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 1463 start_va = 0x4510000 end_va = 0x460ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004510000" filename = "" Region: id = 1464 start_va = 0x7efad000 end_va = 0x7efaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 1465 start_va = 0x4610000 end_va = 0x48defff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1466 start_va = 0x70650000 end_va = 0x71a5afff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\36eaccfde177c2e7b93b8dbdde4e012a\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\36eaccfde177c2e7b93b8dbdde4e012a\\mscorlib.ni.dll") Region: id = 1467 start_va = 0x75270000 end_va = 0x753cbfff monitored = 0 entry_point = 0x752bba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1468 start_va = 0x73ab0000 end_va = 0x73b2ffff monitored = 0 entry_point = 0x73ac37c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 1469 start_va = 0xb90000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 1470 start_va = 0xc80000 end_va = 0xd5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c80000" filename = "" Region: id = 1471 start_va = 0x2f0000 end_va = 0x2fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1472 start_va = 0x340000 end_va = 0x34ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 1473 start_va = 0x74980000 end_va = 0x74982fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-xstate-l2-1-0.dll" filename = "\\Windows\\SysWOW64\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\windows\\syswow64\\api-ms-win-core-xstate-l2-1-0.dll") Region: id = 1474 start_va = 0x705c0000 end_va = 0x70648fff monitored = 1 entry_point = 0x705c1130 region_type = mapped_file name = "clrjit.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clrjit.dll") Region: id = 1475 start_va = 0x758a0000 end_va = 0x7592efff monitored = 0 entry_point = 0x758a3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1476 start_va = 0x350000 end_va = 0x35ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 1477 start_va = 0x6fb60000 end_va = 0x705b4fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\2c3c912ea8f058f9d04c4650128feb3f\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\2c3c912ea8f058f9d04c4650128feb3f\\system.ni.dll") Region: id = 1478 start_va = 0x3e0000 end_va = 0x3effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 1479 start_va = 0x6f9b0000 end_va = 0x6fb52fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.drawing.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Drawing\\f7568d7f1b9d356f64779b4c0927cfb3\\System.Drawing.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.drawing\\f7568d7f1b9d356f64779b4c0927cfb3\\system.drawing.ni.dll") Region: id = 1480 start_va = 0x6eb40000 end_va = 0x6f9a5fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.windows.forms.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Windows.Forms\\c9a4cbc00f690a9e3cddfc400f6e85bb\\System.Windows.Forms.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.windows.forms\\c9a4cbc00f690a9e3cddfc400f6e85bb\\system.windows.forms.ni.dll") Region: id = 1481 start_va = 0x3e0000 end_va = 0x3effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 1482 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1483 start_va = 0x3e0000 end_va = 0x3effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 1484 start_va = 0x3e0000 end_va = 0x3effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 1485 start_va = 0x3e0000 end_va = 0x3effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 1486 start_va = 0x3e0000 end_va = 0x3effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 1487 start_va = 0x3e0000 end_va = 0x3effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 1488 start_va = 0x3e0000 end_va = 0x3effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 1489 start_va = 0x3e0000 end_va = 0x3effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 1490 start_va = 0x6e320000 end_va = 0x6eb37fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.core.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\31fae3290fad30c31c98651462d22724\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.core\\31fae3290fad30c31c98651462d22724\\system.core.ni.dll") Region: id = 1491 start_va = 0x6e210000 end_va = 0x6e314fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.configuration.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Configuration\\96f7edb07b12303f0ec2595c7f3778c7\\System.Configuration.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.configuration\\96f7edb07b12303f0ec2595c7f3778c7\\system.configuration.ni.dll") Region: id = 1492 start_va = 0x6da90000 end_va = 0x6e203fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.xml.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Xml\\15af16d373cf0528cb74fc73d365fdbf\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.xml\\15af16d373cf0528cb74fc73d365fdbf\\system.xml.ni.dll") Region: id = 1493 start_va = 0x74960000 end_va = 0x74972fff monitored = 1 entry_point = 0x7496d900 region_type = mapped_file name = "nlssorting.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\nlssorting.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\nlssorting.dll") Region: id = 1494 start_va = 0x48e0000 end_va = 0x4bb1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nlp" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\sortdefault.nlp" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\sortdefault.nlp") Region: id = 1495 start_va = 0x75ff0000 end_va = 0x76c39fff monitored = 0 entry_point = 0x76071601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1496 start_va = 0x3e0000 end_va = 0x3e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 1497 start_va = 0x73c40000 end_va = 0x73c4afff monitored = 0 entry_point = 0x73c41992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1498 start_va = 0xd60000 end_va = 0xdcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 1499 start_va = 0x72370000 end_va = 0x72386fff monitored = 0 entry_point = 0x723735fa region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 1500 start_va = 0x73950000 end_va = 0x73966fff monitored = 0 entry_point = 0x73953573 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 1501 start_va = 0xb00000 end_va = 0xb3bfff monitored = 0 entry_point = 0xb0128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1502 start_va = 0xb00000 end_va = 0xb3bfff monitored = 0 entry_point = 0xb0128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1503 start_va = 0xb00000 end_va = 0xb3bfff monitored = 0 entry_point = 0xb0128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1504 start_va = 0xb00000 end_va = 0xb3bfff monitored = 0 entry_point = 0xb0128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1505 start_va = 0xb00000 end_va = 0xb3bfff monitored = 0 entry_point = 0xb0128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1506 start_va = 0x73910000 end_va = 0x7394afff monitored = 0 entry_point = 0x7391128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1507 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1508 start_va = 0x440000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 1509 start_va = 0x73a60000 end_va = 0x73a72fff monitored = 0 entry_point = 0x73a61d3f region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 1510 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1511 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1512 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1513 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1514 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1515 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1516 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1517 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1518 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1519 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1520 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1521 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1522 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1523 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1524 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1525 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1526 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1527 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1528 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1529 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1530 start_va = 0x6d8a0000 end_va = 0x6da81fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.visualbasic.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.V9921e851#\\a891970b44db9e340c3ef3efa95b793c\\Microsoft.VisualBasic.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.v9921e851#\\a891970b44db9e340c3ef3efa95b793c\\microsoft.visualbasic.ni.dll") Region: id = 1531 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1532 start_va = 0x440000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 1533 start_va = 0x75800000 end_va = 0x75804fff monitored = 0 entry_point = 0x75801438 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 1534 start_va = 0x4420000 end_va = 0x445ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004420000" filename = "" Region: id = 1535 start_va = 0x4cd0000 end_va = 0x4dcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004cd0000" filename = "" Region: id = 1536 start_va = 0x73a80000 end_va = 0x73a8dfff monitored = 0 entry_point = 0x73a81235 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll") Region: id = 1537 start_va = 0x7efaa000 end_va = 0x7efacfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 1538 start_va = 0xe20000 end_va = 0xe5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e20000" filename = "" Region: id = 1539 start_va = 0x4c20000 end_va = 0x4c5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004c20000" filename = "" Region: id = 1540 start_va = 0x4de0000 end_va = 0x4edffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004de0000" filename = "" Region: id = 1541 start_va = 0x4f00000 end_va = 0x4ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004f00000" filename = "" Region: id = 1542 start_va = 0x7efa4000 end_va = 0x7efa6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa4000" filename = "" Region: id = 1543 start_va = 0x7efa7000 end_va = 0x7efa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 1544 start_va = 0x3f0000 end_va = 0x3f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 1545 start_va = 0x75a70000 end_va = 0x75af2fff monitored = 0 entry_point = 0x75a723d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 1546 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 1547 start_va = 0x6d860000 end_va = 0x6d890fff monitored = 1 entry_point = 0x6d8612d7 region_type = mapped_file name = "wbemdisp.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemdisp.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemdisp.dll") Region: id = 1548 start_va = 0x6d800000 end_va = 0x6d85bfff monitored = 0 entry_point = 0x6d822b48 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 1549 start_va = 0x74da0000 end_va = 0x74dd4fff monitored = 0 entry_point = 0x74da145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1550 start_va = 0x75c30000 end_va = 0x75c35fff monitored = 0 entry_point = 0x75c31782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 1551 start_va = 0x5000000 end_va = 0x50bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005000000" filename = "" Region: id = 1552 start_va = 0x72480000 end_va = 0x7248afff monitored = 0 entry_point = 0x724852a0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 1553 start_va = 0x6d790000 end_va = 0x6d7f0fff monitored = 0 entry_point = 0x6d7cbf40 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\SysWOW64\\wbemcomn2.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn2.dll") Region: id = 1554 start_va = 0x72350000 end_va = 0x72369fff monitored = 0 entry_point = 0x723603d0 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\SysWOW64\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wmiutils.dll") Region: id = 1900 start_va = 0x6d780000 end_va = 0x6d78efff monitored = 0 entry_point = 0x6d7893d0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 1901 start_va = 0x50c0000 end_va = 0x51bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000050c0000" filename = "" Region: id = 1902 start_va = 0x6d6d0000 end_va = 0x6d775fff monitored = 0 entry_point = 0x6d73a2f0 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 1903 start_va = 0x6d6b0000 end_va = 0x6d6c7fff monitored = 0 entry_point = 0x6d6b1335 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\SysWOW64\\ntdsapi.dll" (normalized: "c:\\windows\\syswow64\\ntdsapi.dll") Region: id = 1904 start_va = 0x724a0000 end_va = 0x724fefff monitored = 0 entry_point = 0x724a2134 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\SysWOW64\\sxs.dll" (normalized: "c:\\windows\\syswow64\\sxs.dll") Region: id = 1905 start_va = 0x4d0000 end_va = 0x4defff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wbemdisp.tlb" filename = "\\Windows\\SysWOW64\\wbem\\wbemdisp.tlb" (normalized: "c:\\windows\\syswow64\\wbem\\wbemdisp.tlb") Region: id = 1906 start_va = 0x51c0000 end_va = 0x527ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 2012 start_va = 0x6d670000 end_va = 0x6d6a4fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "custommarshalers.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\CustomMarshalers\\0df8ec76525d72c37f86b6d2ab717e84\\CustomMarshalers.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\custommarshalers\\0df8ec76525d72c37f86b6d2ab717e84\\custommarshalers.ni.dll") Region: id = 2013 start_va = 0x6d650000 end_va = 0x6d667fff monitored = 1 entry_point = 0x6d6558de region_type = mapped_file name = "custommarshalers.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\CustomMarshalers\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\CustomMarshalers.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\custommarshalers\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\custommarshalers.dll") Region: id = 2014 start_va = 0x4e0000 end_va = 0x4f8fff monitored = 1 entry_point = 0x4e58de region_type = mapped_file name = "custommarshalers.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\CustomMarshalers\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\CustomMarshalers.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\custommarshalers\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\custommarshalers.dll") Region: id = 2015 start_va = 0x4e0000 end_va = 0x4f8fff monitored = 1 entry_point = 0x4e58de region_type = mapped_file name = "custommarshalers.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\CustomMarshalers\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\CustomMarshalers.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\custommarshalers\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\custommarshalers.dll") Region: id = 2016 start_va = 0x4e0000 end_va = 0x4f8fff monitored = 1 entry_point = 0x4e58de region_type = mapped_file name = "custommarshalers.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\CustomMarshalers\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\CustomMarshalers.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\custommarshalers\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\custommarshalers.dll") Region: id = 2017 start_va = 0x4e0000 end_va = 0x4f8fff monitored = 1 entry_point = 0x4e58de region_type = mapped_file name = "custommarshalers.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\CustomMarshalers\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\CustomMarshalers.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\custommarshalers\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\custommarshalers.dll") Region: id = 2018 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 2019 start_va = 0x4f0000 end_va = 0x4f3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\SysWOW64\\stdole2.tlb" (normalized: "c:\\windows\\syswow64\\stdole2.tlb") Region: id = 2020 start_va = 0x6d520000 end_va = 0x6d64ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Management\\e114780fd3ea5727401c06ea4f22ef35\\System.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.management\\e114780fd3ea5727401c06ea4f22ef35\\system.management.ni.dll") Region: id = 2021 start_va = 0x5000000 end_va = 0x503ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005000000" filename = "" Region: id = 2022 start_va = 0x5080000 end_va = 0x50bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005080000" filename = "" Region: id = 2023 start_va = 0x5290000 end_va = 0x538ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005290000" filename = "" Region: id = 2024 start_va = 0x7efa1000 end_va = 0x7efa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa1000" filename = "" Region: id = 2025 start_va = 0x7ef50000 end_va = 0x7ef9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef50000" filename = "" Region: id = 2026 start_va = 0x7ef40000 end_va = 0x7ef4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef40000" filename = "" Region: id = 2027 start_va = 0x53c0000 end_va = 0x53fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000053c0000" filename = "" Region: id = 2028 start_va = 0x54d0000 end_va = 0x55cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000054d0000" filename = "" Region: id = 2029 start_va = 0x7ef3d000 end_va = 0x7ef3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef3d000" filename = "" Region: id = 2030 start_va = 0x6d4f0000 end_va = 0x6d510fff monitored = 1 entry_point = 0x6d4f98e0 region_type = mapped_file name = "wminet_utils.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WMINet_Utils.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\wminet_utils.dll") Region: id = 2031 start_va = 0x510000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 2032 start_va = 0x620000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 2033 start_va = 0x620000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 2034 start_va = 0x44d0000 end_va = 0x450ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044d0000" filename = "" Region: id = 2035 start_va = 0x53c0000 end_va = 0x54bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000053c0000" filename = "" Region: id = 2036 start_va = 0xba0000 end_va = 0xbdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 2037 start_va = 0xbe0000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 2038 start_va = 0x5630000 end_va = 0x572ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005630000" filename = "" Region: id = 2039 start_va = 0x7ef3a000 end_va = 0x7ef3cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef3a000" filename = "" Region: id = 2040 start_va = 0x620000 end_va = 0x624fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 2706 start_va = 0x5570000 end_va = 0x55affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005570000" filename = "" Region: id = 2707 start_va = 0x5800000 end_va = 0x58fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005800000" filename = "" Region: id = 2708 start_va = 0x7ef37000 end_va = 0x7ef39fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef37000" filename = "" Region: id = 2721 start_va = 0xb00000 end_va = 0xb12fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b00000" filename = "" Region: id = 2739 start_va = 0x620000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 2740 start_va = 0x4490000 end_va = 0x44cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004490000" filename = "" Region: id = 2741 start_va = 0x4bd0000 end_va = 0x4c0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004bd0000" filename = "" Region: id = 2742 start_va = 0x7ef37000 end_va = 0x7ef39fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef37000" filename = "" Region: id = 2743 start_va = 0x54c0000 end_va = 0x54fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000054c0000" filename = "" Region: id = 2744 start_va = 0x5500000 end_va = 0x553ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005500000" filename = "" Region: id = 2745 start_va = 0x5790000 end_va = 0x57cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005790000" filename = "" Region: id = 2746 start_va = 0x5800000 end_va = 0x58fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005800000" filename = "" Region: id = 2747 start_va = 0x7ef31000 end_va = 0x7ef33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef31000" filename = "" Region: id = 2748 start_va = 0x7ef34000 end_va = 0x7ef36fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef34000" filename = "" Region: id = 2829 start_va = 0x53a0000 end_va = 0x53dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000053a0000" filename = "" Region: id = 2830 start_va = 0x5400000 end_va = 0x543ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005400000" filename = "" Region: id = 2831 start_va = 0x5530000 end_va = 0x562ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005530000" filename = "" Region: id = 2832 start_va = 0x56a0000 end_va = 0x56dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000056a0000" filename = "" Region: id = 2833 start_va = 0x620000 end_va = 0x620fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 2834 start_va = 0xb00000 end_va = 0xb06fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 2835 start_va = 0x620000 end_va = 0x620fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 2836 start_va = 0xb00000 end_va = 0xb06fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 2837 start_va = 0x620000 end_va = 0x620fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 2838 start_va = 0x620000 end_va = 0x626fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 2839 start_va = 0x620000 end_va = 0x620fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 2840 start_va = 0x620000 end_va = 0x626fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 2841 start_va = 0x620000 end_va = 0x620fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 2842 start_va = 0x620000 end_va = 0x626fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 2843 start_va = 0x56e0000 end_va = 0x57dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000056e0000" filename = "" Region: id = 2844 start_va = 0x57f0000 end_va = 0x582ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000057f0000" filename = "" Region: id = 2845 start_va = 0x5a20000 end_va = 0x5b1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005a20000" filename = "" Region: id = 2846 start_va = 0x7ef34000 end_va = 0x7ef36fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef34000" filename = "" Region: id = 2847 start_va = 0xde0000 end_va = 0xe1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 2848 start_va = 0x54a0000 end_va = 0x54dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000054a0000" filename = "" Region: id = 2849 start_va = 0x54e0000 end_va = 0x55dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000054e0000" filename = "" Region: id = 2850 start_va = 0x5420000 end_va = 0x545ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005420000" filename = "" Region: id = 2851 start_va = 0x59b0000 end_va = 0x5aaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000059b0000" filename = "" Region: id = 2852 start_va = 0x7ef34000 end_va = 0x7ef36fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef34000" filename = "" Region: id = 2853 start_va = 0x620000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 2854 start_va = 0xb00000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 2855 start_va = 0xb10000 end_va = 0xb1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 2856 start_va = 0xb20000 end_va = 0xb2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 2857 start_va = 0xb30000 end_va = 0xb3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 2858 start_va = 0xb40000 end_va = 0xb4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 2859 start_va = 0xb90000 end_va = 0xb9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 2860 start_va = 0xba0000 end_va = 0xbaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 2861 start_va = 0xbb0000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 2862 start_va = 0xbc0000 end_va = 0xbcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bc0000" filename = "" Region: id = 2863 start_va = 0xbd0000 end_va = 0xbdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id = 2864 start_va = 0x620000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 2865 start_va = 0xb00000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 2866 start_va = 0x620000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 2867 start_va = 0x620000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 2868 start_va = 0x620000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 2869 start_va = 0x620000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 2870 start_va = 0x620000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 2871 start_va = 0xb00000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 2872 start_va = 0x6d410000 end_va = 0x6d4e7fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.security.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Security\\93d03eb9812405fa70e89d4efd5f7e14\\System.Security.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.security\\93d03eb9812405fa70e89d4efd5f7e14\\system.security.ni.dll") Thread: id = 72 os_tid = 0xb30 [0170.298] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0171.217] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe.config", nBufferLength=0x105, lpBuffer=0x21d0ec, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe.config", lpFilePart=0x0) returned 0x53 [0171.223] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\AppContext", ulOptions=0x0, samDesired=0x20019, phkResult=0x21cde8 | out: phkResult=0x21cde8*=0x0) returned 0x2 [0171.223] RegCloseKey (hKey=0x80000002) returned 0x0 [0171.302] GetCurrentProcess () returned 0xffffffff [0171.302] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x21d424 | out: TokenHandle=0x21d424*=0x40) returned 1 [0171.305] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", nBufferLength=0x105, lpBuffer=0x21cedc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", lpFilePart=0x0) returned 0x2e [0171.330] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x21d41c | out: lpFileInformation=0x21d41c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc63fb400, ftCreationTime.dwHighDateTime=0x1d4e4ee, ftLastAccessTime.dwLowDateTime=0xb9f350b0, ftLastAccessTime.dwHighDateTime=0x1d706ae, ftLastWriteTime.dwLowDateTime=0xc63fb400, ftLastWriteTime.dwHighDateTime=0x1d4e4ee, nFileSizeHigh=0x0, nFileSizeLow=0x8c8e)) returned 1 [0171.332] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x21cea8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x43 [0171.334] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x21d424 | out: lpFileInformation=0x21d424*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc63fb400, ftCreationTime.dwHighDateTime=0x1d4e4ee, ftLastAccessTime.dwLowDateTime=0xb9f350b0, ftLastAccessTime.dwHighDateTime=0x1d706ae, ftLastWriteTime.dwLowDateTime=0xc63fb400, ftLastWriteTime.dwHighDateTime=0x1d4e4ee, nFileSizeHigh=0x0, nFileSizeLow=0x8c8e)) returned 1 [0171.337] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x21ce44, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x43 [0171.338] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21d35c) returned 1 [0171.339] CreateFileW (lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1f0 [0171.339] GetFileType (hFile=0x1f0) returned 0x1 [0171.339] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21d358) returned 1 [0171.339] GetFileType (hFile=0x1f0) returned 0x1 [0171.358] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", nBufferLength=0x105, lpBuffer=0x21c698, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x43 [0171.359] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", nBufferLength=0x105, lpBuffer=0x21c6fc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x43 [0171.359] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21c93c) returned 1 [0171.359] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x21cc00 | out: lpFileInformation=0x21cc00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc63fb400, ftCreationTime.dwHighDateTime=0x1d4e4ee, ftLastAccessTime.dwLowDateTime=0xb9f350b0, ftLastAccessTime.dwHighDateTime=0x1d706ae, ftLastWriteTime.dwLowDateTime=0xc63fb400, ftLastWriteTime.dwHighDateTime=0x1d4e4ee, nFileSizeHigh=0x0, nFileSizeLow=0x8c8e)) returned 1 [0171.359] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21c938) returned 1 [0171.416] BCryptGetFipsAlgorithmMode (in: pfEnabled=0x21cacc | out: pfEnabled=0x21cacc) returned 0x0 [0171.460] GetFileSize (in: hFile=0x1f0, lpFileSizeHigh=0x21d418 | out: lpFileSizeHigh=0x21d418*=0x0) returned 0x8c8e [0171.461] ReadFile (in: hFile=0x1f0, lpBuffer=0x2342dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x21d3d4, lpOverlapped=0x0 | out: lpBuffer=0x2342dd4*, lpNumberOfBytesRead=0x21d3d4*=0x1000, lpOverlapped=0x0) returned 1 [0171.475] ReadFile (in: hFile=0x1f0, lpBuffer=0x2342dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x21d284, lpOverlapped=0x0 | out: lpBuffer=0x2342dd4*, lpNumberOfBytesRead=0x21d284*=0x1000, lpOverlapped=0x0) returned 1 [0171.477] ReadFile (in: hFile=0x1f0, lpBuffer=0x2342dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x21d138, lpOverlapped=0x0 | out: lpBuffer=0x2342dd4*, lpNumberOfBytesRead=0x21d138*=0x1000, lpOverlapped=0x0) returned 1 [0171.478] ReadFile (in: hFile=0x1f0, lpBuffer=0x2342dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x21d138, lpOverlapped=0x0 | out: lpBuffer=0x2342dd4*, lpNumberOfBytesRead=0x21d138*=0x1000, lpOverlapped=0x0) returned 1 [0171.478] ReadFile (in: hFile=0x1f0, lpBuffer=0x2342dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x21d138, lpOverlapped=0x0 | out: lpBuffer=0x2342dd4*, lpNumberOfBytesRead=0x21d138*=0x1000, lpOverlapped=0x0) returned 1 [0171.479] ReadFile (in: hFile=0x1f0, lpBuffer=0x2342dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x21d070, lpOverlapped=0x0 | out: lpBuffer=0x2342dd4*, lpNumberOfBytesRead=0x21d070*=0x1000, lpOverlapped=0x0) returned 1 [0171.484] ReadFile (in: hFile=0x1f0, lpBuffer=0x2342dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x21d1dc, lpOverlapped=0x0 | out: lpBuffer=0x2342dd4*, lpNumberOfBytesRead=0x21d1dc*=0x1000, lpOverlapped=0x0) returned 1 [0171.486] ReadFile (in: hFile=0x1f0, lpBuffer=0x2342dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x21d0d0, lpOverlapped=0x0 | out: lpBuffer=0x2342dd4*, lpNumberOfBytesRead=0x21d0d0*=0x1000, lpOverlapped=0x0) returned 1 [0171.486] ReadFile (in: hFile=0x1f0, lpBuffer=0x2342dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x21d0d0, lpOverlapped=0x0 | out: lpBuffer=0x2342dd4*, lpNumberOfBytesRead=0x21d0d0*=0xc8e, lpOverlapped=0x0) returned 1 [0171.487] ReadFile (in: hFile=0x1f0, lpBuffer=0x2342dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x21d194, lpOverlapped=0x0 | out: lpBuffer=0x2342dd4*, lpNumberOfBytesRead=0x21d194*=0x0, lpOverlapped=0x0) returned 1 [0171.487] CloseHandle (hObject=0x1f0) returned 1 [0171.487] CloseHandle (hObject=0x40) returned 1 [0171.488] GetCurrentProcess () returned 0xffffffff [0171.488] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x21d570 | out: TokenHandle=0x21d570*=0x40) returned 1 [0171.489] CloseHandle (hObject=0x40) returned 1 [0171.489] GetCurrentProcess () returned 0xffffffff [0171.489] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x21d570 | out: TokenHandle=0x21d570*=0x40) returned 1 [0171.490] CloseHandle (hObject=0x40) returned 1 [0171.496] GetCurrentProcess () returned 0xffffffff [0171.496] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x21d424 | out: TokenHandle=0x21d424*=0x40) returned 1 [0171.497] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe.config" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\revised proforma invoice_new order.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x21d41c | out: lpFileInformation=0x21d41c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.497] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe.config", nBufferLength=0x105, lpBuffer=0x21cea8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe.config", lpFilePart=0x0) returned 0x53 [0171.497] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe.config" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\revised proforma invoice_new order.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x21d424 | out: lpFileInformation=0x21d424*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.498] CloseHandle (hObject=0x40) returned 1 [0171.498] GetCurrentProcess () returned 0xffffffff [0171.498] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x21d570 | out: TokenHandle=0x21d570*=0x40) returned 1 [0171.498] CloseHandle (hObject=0x40) returned 1 [0171.499] GetCurrentProcess () returned 0xffffffff [0171.500] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x21d570 | out: TokenHandle=0x21d570*=0x40) returned 1 [0171.500] CloseHandle (hObject=0x40) returned 1 [0171.510] GetCurrentProcess () returned 0xffffffff [0171.511] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x21d388 | out: TokenHandle=0x21d388*=0x40) returned 1 [0171.516] CloseHandle (hObject=0x40) returned 1 [0171.516] GetCurrentProcess () returned 0xffffffff [0171.516] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x21d3a0 | out: TokenHandle=0x21d3a0*=0x40) returned 1 [0171.521] CloseHandle (hObject=0x40) returned 1 [0171.535] GetModuleHandleW (lpModuleName="user32.dll") returned 0x75b00000 [0171.535] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="DefWindowProcW", cchWideChar=14, lpMultiByteStr=0x21d5ec, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DefWindowProcWÖn+û\x93\x03Dþ¦qôØ!", lpUsedDefaultChar=0x0) returned 14 [0171.536] GetProcAddress (hModule=0x75b00000, lpProcName="DefWindowProcW") returned 0x770725dd [0171.536] GetStockObject (i=5) returned 0x1900015 [0171.540] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0171.543] CoTaskMemAlloc (cb=0x5c) returned 0x5814f8 [0171.543] RegisterClassW (lpWndClass=0x21d5dc) returned 0xc1bb [0171.544] CoTaskMemFree (pv=0x5814f8) [0171.545] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0171.546] CreateWindowExW (dwExStyle=0x0, lpClassName="WindowsForms10.Window.0.app.0.34f5582_r14_ad1", lpWindowName=0x0, dwStyle=0x0, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x90024 [0171.548] SetWindowLongW (hWnd=0x90024, nIndex=-4, dwNewLong=1996957149) returned 14223574 [0171.549] GetWindowLongW (hWnd=0x90024, nIndex=-4) returned 1996957149 [0171.553] GetCurrentProcess () returned 0xffffffff [0171.553] GetCurrentThread () returned 0xfffffffe [0171.553] GetCurrentProcess () returned 0xffffffff [0171.554] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x21cf6c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x21cf6c*=0x40) returned 1 [0171.556] GetCurrentThreadId () returned 0xb30 [0171.561] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\.NETFramework", ulOptions=0x0, samDesired=0x20019, phkResult=0x21cef0 | out: phkResult=0x21cef0*=0x1f0) returned 0x0 [0171.562] RegQueryValueExW (in: hKey=0x1f0, lpValueName="DbgJITDebugLaunchSetting", lpReserved=0x0, lpType=0x21cf10, lpData=0x0, lpcbData=0x21cf0c*=0x0 | out: lpType=0x21cf10*=0x0, lpData=0x0, lpcbData=0x21cf0c*=0x0) returned 0x2 [0171.562] RegQueryValueExW (in: hKey=0x1f0, lpValueName="DbgManagedDebugger", lpReserved=0x0, lpType=0x21cf10, lpData=0x0, lpcbData=0x21cf0c*=0x0 | out: lpType=0x21cf10*=0x0, lpData=0x0, lpcbData=0x21cf0c*=0x0) returned 0x2 [0171.562] RegCloseKey (hKey=0x1f0) returned 0x0 [0171.566] SetWindowLongW (hWnd=0x90024, nIndex=-4, dwNewLong=14223614) returned 1996957149 [0171.566] GetWindowLongW (hWnd=0x90024, nIndex=-4) returned 14223614 [0171.567] GetWindowLongW (hWnd=0x90024, nIndex=-16) returned 79691776 [0171.597] CallWindowProcW (lpPrevWndFunc=0x770725dd, hWnd=0x90024, Msg=0x24, wParam=0x0, lParam=0x21d1c8) returned 0x0 [0171.598] RegisterClipboardFormatW (lpszFormat="WinFormsUnSubclass") returned 0xc179 [0171.598] CallWindowProcW (lpPrevWndFunc=0x770725dd, hWnd=0x90024, Msg=0x81, wParam=0x0, lParam=0x21d1bc) returned 0x1 [0171.601] CallWindowProcW (lpPrevWndFunc=0x770725dd, hWnd=0x90024, Msg=0x83, wParam=0x0, lParam=0x21d1a8) returned 0x0 [0171.744] CallWindowProcW (lpPrevWndFunc=0x770725dd, hWnd=0x90024, Msg=0x1, wParam=0x0, lParam=0x21d1bc) returned 0x0 [0172.076] GetCurrentProcessId () returned 0xb2c [0172.078] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x21e794 | out: lpLuid=0x21e794*(LowPart=0x14, HighPart=0)) returned 1 [0172.082] GetCurrentProcess () returned 0xffffffff [0172.082] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x21e790 | out: TokenHandle=0x21e790*=0x238) returned 1 [0172.082] AdjustTokenPrivileges (in: TokenHandle=0x238, DisableAllPrivileges=0, NewState=0x235df14*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0172.083] CloseHandle (hObject=0x238) returned 1 [0172.090] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x3319540, Length=0x20000, ResultLength=0x21ee74 | out: SystemInformation=0x3319540, ResultLength=0x21ee74*=0xc340) returned 0x0 [0172.102] GetCurrentProcessId () returned 0xb2c [0172.102] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x3319540, Length=0x20000, ResultLength=0x21ee64 | out: SystemInformation=0x3319540, ResultLength=0x21ee64*=0xc340) returned 0x0 [0178.215] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x238 [0178.215] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x23c [0178.224] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x20019, phkResult=0x21e02c | out: phkResult=0x21e02c*=0x240) returned 0x0 [0178.225] RegQueryValueExW (in: hKey=0x240, lpValueName="InstallationType", lpReserved=0x0, lpType=0x21e04c, lpData=0x0, lpcbData=0x21e048*=0x0 | out: lpType=0x21e04c*=0x1, lpData=0x0, lpcbData=0x21e048*=0xe) returned 0x0 [0178.225] RegQueryValueExW (in: hKey=0x240, lpValueName="InstallationType", lpReserved=0x0, lpType=0x21e04c, lpData=0x2380a70, lpcbData=0x21e048*=0xe | out: lpType=0x21e04c*=0x1, lpData="Client", lpcbData=0x21e048*=0xe) returned 0x0 [0178.226] RegCloseKey (hKey=0x240) returned 0x0 [0178.246] GetCurrentProcess () returned 0xffffffff [0178.246] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x21dc80 | out: TokenHandle=0x21dc80*=0x240) returned 1 [0178.259] CloseHandle (hObject=0x240) returned 1 [0178.259] GetCurrentProcess () returned 0xffffffff [0178.259] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x21dc98 | out: TokenHandle=0x21dc98*=0x240) returned 1 [0178.260] CloseHandle (hObject=0x240) returned 1 [0178.283] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x21edf4 | out: phkResult=0x21edf4*=0x240) returned 0x0 [0178.283] RegQueryValueExW (in: hKey=0x240, lpValueName="HWRPortReuseOnSocketBind", lpReserved=0x0, lpType=0x21ee10, lpData=0x0, lpcbData=0x21ee0c*=0x0 | out: lpType=0x21ee10*=0x0, lpData=0x0, lpcbData=0x21ee0c*=0x0) returned 0x2 [0178.284] RegCloseKey (hKey=0x240) returned 0x0 [0178.286] GetCurrentProcessId () returned 0xb2c [0178.289] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xb2c) returned 0x240 [0178.297] EnumProcessModules (in: hProcess=0x240, lphModule=0x2384960, cb=0x100, lpcbNeeded=0x21ee00 | out: lphModule=0x2384960, lpcbNeeded=0x21ee00) returned 1 [0178.298] GetModuleInformation (in: hProcess=0x240, hModule=0x400000, lpmodinfo=0x2384aa0, cb=0xc | out: lpmodinfo=0x2384aa0*(lpBaseOfDll=0x400000, SizeOfImage=0x3c000, EntryPoint=0x43764e)) returned 1 [0178.299] CoTaskMemAlloc (cb=0x804) returned 0x5a4cc0 [0178.300] GetModuleBaseNameW (in: hProcess=0x240, hModule=0x400000, lpBaseName=0x5a4cc0, nSize=0x800 | out: lpBaseName="Revised Proforma Invoice_New order.exe") returned 0x26 [0178.300] CoTaskMemFree (pv=0x5a4cc0) [0178.301] CoTaskMemAlloc (cb=0x804) returned 0x5a4cc0 [0178.301] GetModuleFileNameExW (in: hProcess=0x240, hModule=0x400000, lpFilename=0x5a4cc0, nSize=0x800 | out: lpFilename="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\revised proforma invoice_new order.exe")) returned 0x4c [0178.301] CoTaskMemFree (pv=0x5a4cc0) [0178.301] CloseHandle (hObject=0x240) returned 1 [0178.302] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe", nBufferLength=0x105, lpBuffer=0x21e928, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe", lpFilePart=0x0) returned 0x4c [0178.302] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Net.ServicePointManager.UseHttpPipeliningAndBufferPooling", ulOptions=0x0, samDesired=0x20019, phkResult=0x21edf8 | out: phkResult=0x21edf8*=0x0) returned 0x2 [0178.303] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x21edf8 | out: phkResult=0x21edf8*=0x240) returned 0x0 [0178.303] RegQueryValueExW (in: hKey=0x240, lpValueName="UseHttpPipeliningAndBufferPooling", lpReserved=0x0, lpType=0x21ee14, lpData=0x0, lpcbData=0x21ee10*=0x0 | out: lpType=0x21ee14*=0x0, lpData=0x0, lpcbData=0x21ee10*=0x0) returned 0x2 [0178.303] RegCloseKey (hKey=0x240) returned 0x0 [0178.303] GetCurrentProcessId () returned 0xb2c [0178.304] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xb2c) returned 0x240 [0178.304] EnumProcessModules (in: hProcess=0x240, lphModule=0x2387594, cb=0x100, lpcbNeeded=0x21ee00 | out: lphModule=0x2387594, lpcbNeeded=0x21ee00) returned 1 [0178.305] GetModuleInformation (in: hProcess=0x240, hModule=0x400000, lpmodinfo=0x23876d4, cb=0xc | out: lpmodinfo=0x23876d4*(lpBaseOfDll=0x400000, SizeOfImage=0x3c000, EntryPoint=0x43764e)) returned 1 [0178.305] CoTaskMemAlloc (cb=0x804) returned 0x5a4cc0 [0178.305] GetModuleBaseNameW (in: hProcess=0x240, hModule=0x400000, lpBaseName=0x5a4cc0, nSize=0x800 | out: lpBaseName="Revised Proforma Invoice_New order.exe") returned 0x26 [0178.305] CoTaskMemFree (pv=0x5a4cc0) [0178.305] CoTaskMemAlloc (cb=0x804) returned 0x5a4cc0 [0178.305] GetModuleFileNameExW (in: hProcess=0x240, hModule=0x400000, lpFilename=0x5a4cc0, nSize=0x800 | out: lpFilename="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\revised proforma invoice_new order.exe")) returned 0x4c [0178.305] CoTaskMemFree (pv=0x5a4cc0) [0178.305] CloseHandle (hObject=0x240) returned 1 [0178.306] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe", nBufferLength=0x105, lpBuffer=0x21e928, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe", lpFilePart=0x0) returned 0x4c [0178.306] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Net.ServicePointManager.UseSafeSynchronousClose", ulOptions=0x0, samDesired=0x20019, phkResult=0x21edf8 | out: phkResult=0x21edf8*=0x0) returned 0x2 [0178.306] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x21edf8 | out: phkResult=0x21edf8*=0x240) returned 0x0 [0178.306] RegQueryValueExW (in: hKey=0x240, lpValueName="UseSafeSynchronousClose", lpReserved=0x0, lpType=0x21ee14, lpData=0x0, lpcbData=0x21ee10*=0x0 | out: lpType=0x21ee14*=0x0, lpData=0x0, lpcbData=0x21ee10*=0x0) returned 0x2 [0178.306] RegCloseKey (hKey=0x240) returned 0x0 [0178.307] GetCurrentProcessId () returned 0xb2c [0178.307] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xb2c) returned 0x240 [0178.307] EnumProcessModules (in: hProcess=0x240, lphModule=0x238a1f4, cb=0x100, lpcbNeeded=0x21ee00 | out: lphModule=0x238a1f4, lpcbNeeded=0x21ee00) returned 1 [0178.308] GetModuleInformation (in: hProcess=0x240, hModule=0x400000, lpmodinfo=0x238a334, cb=0xc | out: lpmodinfo=0x238a334*(lpBaseOfDll=0x400000, SizeOfImage=0x3c000, EntryPoint=0x43764e)) returned 1 [0178.308] CoTaskMemAlloc (cb=0x804) returned 0x5a4cc0 [0178.308] GetModuleBaseNameW (in: hProcess=0x240, hModule=0x400000, lpBaseName=0x5a4cc0, nSize=0x800 | out: lpBaseName="Revised Proforma Invoice_New order.exe") returned 0x26 [0178.308] CoTaskMemFree (pv=0x5a4cc0) [0178.308] CoTaskMemAlloc (cb=0x804) returned 0x5a4cc0 [0178.308] GetModuleFileNameExW (in: hProcess=0x240, hModule=0x400000, lpFilename=0x5a4cc0, nSize=0x800 | out: lpFilename="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\revised proforma invoice_new order.exe")) returned 0x4c [0178.309] CoTaskMemFree (pv=0x5a4cc0) [0178.309] CloseHandle (hObject=0x240) returned 1 [0178.309] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe", nBufferLength=0x105, lpBuffer=0x21e928, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe", lpFilePart=0x0) returned 0x4c [0178.309] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Net.ServicePointManager.UseStrictRfcInterimResponseHandling", ulOptions=0x0, samDesired=0x20019, phkResult=0x21edf8 | out: phkResult=0x21edf8*=0x0) returned 0x2 [0178.310] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x21edf8 | out: phkResult=0x21edf8*=0x240) returned 0x0 [0178.310] RegQueryValueExW (in: hKey=0x240, lpValueName="UseStrictRfcInterimResponseHandling", lpReserved=0x0, lpType=0x21ee14, lpData=0x0, lpcbData=0x21ee10*=0x0 | out: lpType=0x21ee14*=0x0, lpData=0x0, lpcbData=0x21ee10*=0x0) returned 0x2 [0178.310] RegCloseKey (hKey=0x240) returned 0x0 [0178.310] GetCurrentProcessId () returned 0xb2c [0178.310] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xb2c) returned 0x240 [0178.311] EnumProcessModules (in: hProcess=0x240, lphModule=0x238cee4, cb=0x100, lpcbNeeded=0x21ee00 | out: lphModule=0x238cee4, lpcbNeeded=0x21ee00) returned 1 [0178.311] GetModuleInformation (in: hProcess=0x240, hModule=0x400000, lpmodinfo=0x238d024, cb=0xc | out: lpmodinfo=0x238d024*(lpBaseOfDll=0x400000, SizeOfImage=0x3c000, EntryPoint=0x43764e)) returned 1 [0178.312] CoTaskMemAlloc (cb=0x804) returned 0x5a4cc0 [0178.312] GetModuleBaseNameW (in: hProcess=0x240, hModule=0x400000, lpBaseName=0x5a4cc0, nSize=0x800 | out: lpBaseName="Revised Proforma Invoice_New order.exe") returned 0x26 [0178.312] CoTaskMemFree (pv=0x5a4cc0) [0178.312] CoTaskMemAlloc (cb=0x804) returned 0x5a4cc0 [0178.312] GetModuleFileNameExW (in: hProcess=0x240, hModule=0x400000, lpFilename=0x5a4cc0, nSize=0x800 | out: lpFilename="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\revised proforma invoice_new order.exe")) returned 0x4c [0178.312] CoTaskMemFree (pv=0x5a4cc0) [0178.312] CloseHandle (hObject=0x240) returned 1 [0178.312] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe", nBufferLength=0x105, lpBuffer=0x21e928, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe", lpFilePart=0x0) returned 0x4c [0178.313] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Uri.AllowDangerousUnicodeDecompositions", ulOptions=0x0, samDesired=0x20019, phkResult=0x21edf8 | out: phkResult=0x21edf8*=0x0) returned 0x2 [0178.313] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x21edf8 | out: phkResult=0x21edf8*=0x240) returned 0x0 [0178.313] RegQueryValueExW (in: hKey=0x240, lpValueName="AllowDangerousUnicodeDecompositions", lpReserved=0x0, lpType=0x21ee14, lpData=0x0, lpcbData=0x21ee10*=0x0 | out: lpType=0x21ee14*=0x0, lpData=0x0, lpcbData=0x21ee10*=0x0) returned 0x2 [0178.313] RegCloseKey (hKey=0x240) returned 0x0 [0178.314] GetCurrentProcessId () returned 0xb2c [0178.314] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xb2c) returned 0x240 [0178.314] EnumProcessModules (in: hProcess=0x240, lphModule=0x238f998, cb=0x100, lpcbNeeded=0x21ee00 | out: lphModule=0x238f998, lpcbNeeded=0x21ee00) returned 1 [0178.315] GetModuleInformation (in: hProcess=0x240, hModule=0x400000, lpmodinfo=0x238fad8, cb=0xc | out: lpmodinfo=0x238fad8*(lpBaseOfDll=0x400000, SizeOfImage=0x3c000, EntryPoint=0x43764e)) returned 1 [0178.315] CoTaskMemAlloc (cb=0x804) returned 0x5a4cc0 [0178.315] GetModuleBaseNameW (in: hProcess=0x240, hModule=0x400000, lpBaseName=0x5a4cc0, nSize=0x800 | out: lpBaseName="Revised Proforma Invoice_New order.exe") returned 0x26 [0178.315] CoTaskMemFree (pv=0x5a4cc0) [0178.315] CoTaskMemAlloc (cb=0x804) returned 0x5a4cc0 [0178.315] GetModuleFileNameExW (in: hProcess=0x240, hModule=0x400000, lpFilename=0x5a4cc0, nSize=0x800 | out: lpFilename="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\revised proforma invoice_new order.exe")) returned 0x4c [0178.315] CoTaskMemFree (pv=0x5a4cc0) [0178.315] CloseHandle (hObject=0x240) returned 1 [0178.316] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe", nBufferLength=0x105, lpBuffer=0x21e928, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe", lpFilePart=0x0) returned 0x4c [0178.316] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Uri.UseStrictIPv6AddressParsing", ulOptions=0x0, samDesired=0x20019, phkResult=0x21edf8 | out: phkResult=0x21edf8*=0x0) returned 0x2 [0178.317] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x21edf8 | out: phkResult=0x21edf8*=0x240) returned 0x0 [0178.317] RegQueryValueExW (in: hKey=0x240, lpValueName="UseStrictIPv6AddressParsing", lpReserved=0x0, lpType=0x21ee14, lpData=0x0, lpcbData=0x21ee10*=0x0 | out: lpType=0x21ee14*=0x0, lpData=0x0, lpcbData=0x21ee10*=0x0) returned 0x2 [0178.317] RegCloseKey (hKey=0x240) returned 0x0 [0178.317] GetCurrentProcessId () returned 0xb2c [0178.317] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xb2c) returned 0x240 [0178.318] EnumProcessModules (in: hProcess=0x240, lphModule=0x239243c, cb=0x100, lpcbNeeded=0x21ee00 | out: lphModule=0x239243c, lpcbNeeded=0x21ee00) returned 1 [0178.318] GetModuleInformation (in: hProcess=0x240, hModule=0x400000, lpmodinfo=0x239257c, cb=0xc | out: lpmodinfo=0x239257c*(lpBaseOfDll=0x400000, SizeOfImage=0x3c000, EntryPoint=0x43764e)) returned 1 [0178.318] CoTaskMemAlloc (cb=0x804) returned 0x5a4cc0 [0178.318] GetModuleBaseNameW (in: hProcess=0x240, hModule=0x400000, lpBaseName=0x5a4cc0, nSize=0x800 | out: lpBaseName="Revised Proforma Invoice_New order.exe") returned 0x26 [0178.319] CoTaskMemFree (pv=0x5a4cc0) [0178.319] CoTaskMemAlloc (cb=0x804) returned 0x5a4cc0 [0178.319] GetModuleFileNameExW (in: hProcess=0x240, hModule=0x400000, lpFilename=0x5a4cc0, nSize=0x800 | out: lpFilename="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\revised proforma invoice_new order.exe")) returned 0x4c [0178.319] CoTaskMemFree (pv=0x5a4cc0) [0178.319] CloseHandle (hObject=0x240) returned 1 [0178.319] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe", nBufferLength=0x105, lpBuffer=0x21e928, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe", lpFilePart=0x0) returned 0x4c [0178.320] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Uri.AllowAllUriEncodingExpansion", ulOptions=0x0, samDesired=0x20019, phkResult=0x21edf8 | out: phkResult=0x21edf8*=0x0) returned 0x2 [0178.320] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x21edf8 | out: phkResult=0x21edf8*=0x240) returned 0x0 [0178.320] RegQueryValueExW (in: hKey=0x240, lpValueName="AllowAllUriEncodingExpansion", lpReserved=0x0, lpType=0x21ee14, lpData=0x0, lpcbData=0x21ee10*=0x0 | out: lpType=0x21ee14*=0x0, lpData=0x0, lpcbData=0x21ee10*=0x0) returned 0x2 [0178.320] RegCloseKey (hKey=0x240) returned 0x0 [0178.328] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x21edf8 | out: phkResult=0x21edf8*=0x240) returned 0x0 [0178.328] RegQueryValueExW (in: hKey=0x240, lpValueName="SchUseStrongCrypto", lpReserved=0x0, lpType=0x21ee14, lpData=0x0, lpcbData=0x21ee10*=0x0 | out: lpType=0x21ee14*=0x0, lpData=0x0, lpcbData=0x21ee10*=0x0) returned 0x2 [0178.328] RegCloseKey (hKey=0x240) returned 0x0 [0178.328] GetCurrentProcessId () returned 0xb2c [0178.329] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xb2c) returned 0x240 [0178.329] EnumProcessModules (in: hProcess=0x240, lphModule=0x2395de0, cb=0x100, lpcbNeeded=0x21edfc | out: lphModule=0x2395de0, lpcbNeeded=0x21edfc) returned 1 [0178.329] GetModuleInformation (in: hProcess=0x240, hModule=0x400000, lpmodinfo=0x2395f20, cb=0xc | out: lpmodinfo=0x2395f20*(lpBaseOfDll=0x400000, SizeOfImage=0x3c000, EntryPoint=0x43764e)) returned 1 [0178.330] CoTaskMemAlloc (cb=0x804) returned 0x5a4cc0 [0178.330] GetModuleBaseNameW (in: hProcess=0x240, hModule=0x400000, lpBaseName=0x5a4cc0, nSize=0x800 | out: lpBaseName="Revised Proforma Invoice_New order.exe") returned 0x26 [0178.330] CoTaskMemFree (pv=0x5a4cc0) [0178.330] CoTaskMemAlloc (cb=0x804) returned 0x5a4cc0 [0178.330] GetModuleFileNameExW (in: hProcess=0x240, hModule=0x400000, lpFilename=0x5a4cc0, nSize=0x800 | out: lpFilename="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\revised proforma invoice_new order.exe")) returned 0x4c [0178.330] CoTaskMemFree (pv=0x5a4cc0) [0178.330] CloseHandle (hObject=0x240) returned 1 [0178.331] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe", nBufferLength=0x105, lpBuffer=0x21e924, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe", lpFilePart=0x0) returned 0x4c [0178.331] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Net.ServicePointManager.SchSendAuxRecord", ulOptions=0x0, samDesired=0x20019, phkResult=0x21edf4 | out: phkResult=0x21edf4*=0x0) returned 0x2 [0178.331] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x21edf4 | out: phkResult=0x21edf4*=0x240) returned 0x0 [0178.331] RegQueryValueExW (in: hKey=0x240, lpValueName="SchSendAuxRecord", lpReserved=0x0, lpType=0x21ee10, lpData=0x0, lpcbData=0x21ee0c*=0x0 | out: lpType=0x21ee10*=0x0, lpData=0x0, lpcbData=0x21ee0c*=0x0) returned 0x2 [0178.331] RegCloseKey (hKey=0x240) returned 0x0 [0178.332] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x21edf8 | out: phkResult=0x21edf8*=0x240) returned 0x0 [0178.332] RegQueryValueExW (in: hKey=0x240, lpValueName="SystemDefaultTlsVersions", lpReserved=0x0, lpType=0x21ee14, lpData=0x0, lpcbData=0x21ee10*=0x0 | out: lpType=0x21ee14*=0x0, lpData=0x0, lpcbData=0x21ee10*=0x0) returned 0x2 [0178.332] RegCloseKey (hKey=0x240) returned 0x0 [0178.332] GetCurrentProcessId () returned 0xb2c [0178.333] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xb2c) returned 0x240 [0178.333] EnumProcessModules (in: hProcess=0x240, lphModule=0x2398c68, cb=0x100, lpcbNeeded=0x21edfc | out: lphModule=0x2398c68, lpcbNeeded=0x21edfc) returned 1 [0178.334] GetModuleInformation (in: hProcess=0x240, hModule=0x400000, lpmodinfo=0x2398da8, cb=0xc | out: lpmodinfo=0x2398da8*(lpBaseOfDll=0x400000, SizeOfImage=0x3c000, EntryPoint=0x43764e)) returned 1 [0178.334] CoTaskMemAlloc (cb=0x804) returned 0x5a4cc0 [0178.334] GetModuleBaseNameW (in: hProcess=0x240, hModule=0x400000, lpBaseName=0x5a4cc0, nSize=0x800 | out: lpBaseName="Revised Proforma Invoice_New order.exe") returned 0x26 [0178.334] CoTaskMemFree (pv=0x5a4cc0) [0178.334] CoTaskMemAlloc (cb=0x804) returned 0x5a4cc0 [0178.334] GetModuleFileNameExW (in: hProcess=0x240, hModule=0x400000, lpFilename=0x5a4cc0, nSize=0x800 | out: lpFilename="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\revised proforma invoice_new order.exe")) returned 0x4c [0178.334] CoTaskMemFree (pv=0x5a4cc0) [0178.334] CloseHandle (hObject=0x240) returned 1 [0178.335] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe", nBufferLength=0x105, lpBuffer=0x21e924, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe", lpFilePart=0x0) returned 0x4c [0178.335] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Net.ServicePointManager.RequireCertificateEKUs", ulOptions=0x0, samDesired=0x20019, phkResult=0x21edf4 | out: phkResult=0x21edf4*=0x0) returned 0x2 [0178.335] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x21edf4 | out: phkResult=0x21edf4*=0x240) returned 0x0 [0178.335] RegQueryValueExW (in: hKey=0x240, lpValueName="RequireCertificateEKUs", lpReserved=0x0, lpType=0x21ee10, lpData=0x0, lpcbData=0x21ee0c*=0x0 | out: lpType=0x21ee10*=0x0, lpData=0x0, lpcbData=0x21ee0c*=0x0) returned 0x2 [0178.335] RegCloseKey (hKey=0x240) returned 0x0 [0178.374] CreateBindCtx (in: reserved=0x0, ppbc=0x21ee54 | out: ppbc=0x21ee54*=0x564348) returned 0x0 [0178.374] IUnknown:QueryInterface (in: This=0x564348, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e910 | out: ppvObject=0x21e910*=0x564348) returned 0x0 [0178.375] IUnknown:QueryInterface (in: This=0x564348, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x21e8c4 | out: ppvObject=0x21e8c4*=0x0) returned 0x80004002 [0178.375] IUnknown:QueryInterface (in: This=0x564348, riid=0x71b71e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x21e6ec | out: ppvObject=0x21e6ec*=0x0) returned 0x80004002 [0178.375] IUnknown:AddRef (This=0x564348) returned 0x3 [0178.375] IUnknown:QueryInterface (in: This=0x564348, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x21e220 | out: ppvObject=0x21e220*=0x0) returned 0x80004002 [0178.375] IUnknown:QueryInterface (in: This=0x564348, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x21e1d0 | out: ppvObject=0x21e1d0*=0x0) returned 0x80004002 [0178.375] IUnknown:QueryInterface (in: This=0x564348, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e1dc | out: ppvObject=0x21e1dc*=0x0) returned 0x80004002 [0178.375] CoGetContextToken (in: pToken=0x21e23c | out: pToken=0x21e23c) returned 0x0 [0178.376] CObjectContext::QueryInterface () returned 0x0 [0178.376] CObjectContext::GetCurrentApartmentType () returned 0x0 [0178.376] Release () returned 0x0 [0178.377] CoGetObjectContext (in: riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x5a0ce4 | out: ppv=0x5a0ce4*=0x56ec68) returned 0x0 [0178.402] CoGetContextToken (in: pToken=0x21e64c | out: pToken=0x21e64c) returned 0x0 [0178.402] IUnknown:QueryInterface (in: This=0x564348, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e6d0 | out: ppvObject=0x21e6d0*=0x0) returned 0x80004002 [0178.402] IUnknown:Release (This=0x564348) returned 0x2 [0178.402] CoGetContextToken (in: pToken=0x21ec1c | out: pToken=0x21ec1c) returned 0x0 [0178.402] CoGetContextToken (in: pToken=0x21eb7c | out: pToken=0x21eb7c) returned 0x0 [0178.402] IUnknown:QueryInterface (in: This=0x564348, riid=0x21ec4c*(Data1=0xe, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21ec48 | out: ppvObject=0x21ec48*=0x564348) returned 0x0 [0178.403] IUnknown:AddRef (This=0x564348) returned 0x4 [0178.403] IUnknown:Release (This=0x564348) returned 0x3 [0178.403] IUnknown:Release (This=0x564348) returned 0x2 [0178.403] CoGetContextToken (in: pToken=0x21eca4 | out: pToken=0x21eca4) returned 0x0 [0178.403] IUnknown:AddRef (This=0x564348) returned 0x3 [0178.404] MkParseDisplayName (in: pbc=0x564348, szUserName="WinMgmts:", pchEaten=0x21ee88, ppmk=0x21ee40 | out: pchEaten=0x21ee88, ppmk=0x21ee40*=0x5b4328) returned 0x0 [0178.908] malloc (_Size=0x80) returned 0x502e70 [0178.912] DllGetClassObject (in: rclsid=0x5b6134*(Data1=0x172bddf8, Data2=0xceea, Data3=0x11d1, Data4=([0]=0x8b, [1]=0x5, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0x6, [6]=0xd9, [7]=0xb6)), riid=0x21ea80*(Data1=0x11a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x21e138 | out: ppv=0x21e138*=0x0) returned 0x80004002 [0178.912] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080810 [0178.912] ?WbemMemFree@CWin32DefaultArena@@SAHPAX@Z () returned 0x1 [0178.912] DllGetClassObject (in: rclsid=0x5b6134*(Data1=0x172bddf8, Data2=0xceea, Data3=0x11d1, Data4=([0]=0x8b, [1]=0x5, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0x6, [6]=0xd9, [7]=0xb6)), riid=0x752bee84*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x21ec34 | out: ppv=0x21ec34*=0x5080810) returned 0x0 [0178.912] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080810 [0178.913] WinMGMTS:IClassFactory:CreateInstance (in: This=0x5080810, pUnkOuter=0x0, riid=0x752bf084*(Data1=0x11a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21ebe0 | out: ppvObject=0x21ebe0*=0x5080850) returned 0x0 [0178.913] GetVersionExW (in: lpVersionInformation=0x21ea2c*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x7f, dwMinorVersion=0x36b7, dwBuildNumber=0x3, dwPlatformId=0x21ea90, szCSDVersion="堡痕\x08쀕") | out: lpVersionInformation=0x21ea2c*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0178.913] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Wbem\\Scripting", ulOptions=0x0, samDesired=0x1, phkResult=0x21ea20 | out: phkResult=0x21ea20*=0x284) returned 0x0 [0178.913] RegQueryValueExW (in: hKey=0x284, lpValueName="Default Impersonation Level", lpReserved=0x0, lpType=0x0, lpData=0x21ea28, lpcbData=0x21ea24*=0x4 | out: lpType=0x0, lpData=0x21ea28*=0x3, lpcbData=0x21ea24*=0x4) returned 0x0 [0178.913] RegCloseKey (hKey=0x284) returned 0x0 [0178.913] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080828 [0178.913] GetSystemDirectoryW (in: lpBuffer=0x5080828, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0178.913] LoadLibraryExW (lpLibFileName="C:\\Windows\\system32\\advapi32.dll", hFile=0x0, dwFlags=0x0) returned 0x75ca0000 [0178.914] GetProcAddress (hModule=0x75ca0000, lpProcName="DuplicateTokenEx") returned 0x75caca24 [0178.914] ?WbemMemFree@CWin32DefaultArena@@SAHPAX@Z () returned 0x1 [0178.914] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080828 [0178.915] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080850 [0178.915] WinMGMTS:IUnknown:Release (This=0x5080810) returned 0x0 [0178.915] ?WbemMemFree@CWin32DefaultArena@@SAHPAX@Z () returned 0x1 [0178.915] WinMGMTS:IParseDisplayName:ParseDisplayName (in: This=0x5080850, pbc=0x564348, pszDisplayName="WinMgmts:", pchEaten=0x21edf8, ppmkOut=0x21edfc | out: pchEaten=0x21edf8*=0x9, ppmkOut=0x21edfc*=0x5b4328) returned 0x0 [0178.915] _wcsnicmp (_String1="WinMgmts:", _String2="WINMGMTS:", _MaxCount=0x9) returned 0 [0178.916] IBindCtx:GetObjectParam (in: This=0x564348, pszKey="WmiObject", ppunk=0x21ed00 | out: ppunk=0x21ed00*=0x0) returned 0x80004005 [0178.916] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080860 [0178.916] _wcsnicmp (_String1="", _String2="{", _MaxCount=0x1) returned -123 [0178.917] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080880 [0178.917] CoCreateInstance (in: rclsid=0x6d8642b0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x6d8642a0*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x5080898 | out: ppv=0x5080898*=0x59f020) returned 0x0 [0179.301] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x50808e8 [0179.301] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080950 [0179.301] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x50809b0 [0179.301] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0179.301] GetCurrentThreadId () returned 0xb30 [0179.301] _wcsnicmp (_String1="", _String2="[", _MaxCount=0x1) returned -91 [0179.301] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0179.301] GetCurrentThreadId () returned 0xb30 [0179.301] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Wbem\\Scripting", ulOptions=0x0, samDesired=0x1, phkResult=0x21ebe8 | out: phkResult=0x21ebe8*=0x298) returned 0x0 [0179.301] RegQueryValueExW (in: hKey=0x298, lpValueName="Default Namespace", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x21ebf0*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0x21ebf0*=0x16) returned 0x0 [0179.301] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x50809d0 [0179.301] RegQueryValueExW (in: hKey=0x298, lpValueName="Default Namespace", lpReserved=0x0, lpType=0x0, lpData=0x50809d0, lpcbData=0x21ebf0*=0x16 | out: lpType=0x0, lpData=0x50809d0*=0x72, lpcbData=0x21ebf0*=0x16) returned 0x0 [0179.301] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x50809f0 [0179.302] ?WbemMemFree@CWin32DefaultArena@@SAHPAX@Z () returned 0x1 [0179.302] RegCloseKey (hKey=0x298) returned 0x0 [0179.302] CoCreateInstance (in: rclsid=0x6d8653b8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x6d8650dc*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppv=0x21ec1c | out: ppv=0x21ec1c*=0x59f338) returned 0x0 [0179.649] SysStringLen (param_1=".") returned 0x1 [0179.649] WbemDefPath:IWbemPath:SetServer (This=0x59f338, Name=".") returned 0x0 [0179.649] CoCreateInstance (in: rclsid=0x6d8653b8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x6d8650dc*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppv=0x21ebd4 | out: ppv=0x21ebd4*=0x59f3a8) returned 0x0 [0179.649] CoCreateInstance (in: rclsid=0x6d8653b8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x6d8650dc*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppv=0x21eb78 | out: ppv=0x21eb78*=0x59f418) returned 0x0 [0179.649] WbemDefPath:IWbemPath:SetText (This=0x59f418, uMode=0x4, pszPath="root\\cimv2") returned 0x0 [0179.649] WbemDefPath:IUnknown:Release (This=0x59f418) returned 0x0 [0179.649] SysStringLen (param_1="root\\cimv2") returned 0xa [0179.649] WbemDefPath:IWbemPath:SetText (This=0x59f3a8, uMode=0xc, pszPath="root\\cimv2") returned 0x0 [0179.649] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f3a8, puCount=0x21ebe4 | out: puCount=0x21ebe4*=0x2) returned 0x0 [0179.649] WbemDefPath:IWbemPath:RemoveAllNamespaces (This=0x59f338) returned 0x0 [0179.649] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x59f3a8, uIndex=0x0, puNameBufLength=0x21ebac*=0x0, pName=0x0 | out: puNameBufLength=0x21ebac*=0x5, pName=0x0) returned 0x0 [0179.650] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080810 [0179.650] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x59f3a8, uIndex=0x0, puNameBufLength=0x21ebac*=0x5, pName="৐ԈÄԈ\x03" | out: puNameBufLength=0x21ebac*=0x5, pName="root") returned 0x0 [0179.650] ?WbemMemFree@CWin32DefaultArena@@SAHPAX@Z () returned 0x1 [0179.650] WbemDefPath:IWbemPath:SetNamespaceAt (This=0x59f338, uIndex=0x0, pszName="root") returned 0x0 [0179.650] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x59f3a8, uIndex=0x1, puNameBufLength=0x21ebac*=0x0, pName=0x0 | out: puNameBufLength=0x21ebac*=0x6, pName=0x0) returned 0x0 [0179.650] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080810 [0179.650] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x59f3a8, uIndex=0x1, puNameBufLength=0x21ebac*=0x6, pName="৐ԈÄԈ" | out: puNameBufLength=0x21ebac*=0x6, pName="cimv2") returned 0x0 [0179.650] ?WbemMemFree@CWin32DefaultArena@@SAHPAX@Z () returned 0x1 [0179.650] WbemDefPath:IWbemPath:SetNamespaceAt (This=0x59f338, uIndex=0x1, pszName="cimv2") returned 0x0 [0179.650] WbemDefPath:IUnknown:Release (This=0x59f3a8) returned 0x0 [0179.650] WbemDefPath:IWbemPath:GetText (in: This=0x59f338, lFlags=4, puBuffLength=0x21ec00*=0x0, pszText=0x0 | out: puBuffLength=0x21ec00*=0xf, pszText=0x0) returned 0x0 [0179.650] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080a10 [0179.650] WbemDefPath:IWbemPath:GetText (in: This=0x59f338, lFlags=4, puBuffLength=0x21ec00*=0xf, pszText="ÄԈ৐Ԉ" | out: puBuffLength=0x21ec00*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0179.650] ?WbemMemFree@CWin32DefaultArena@@SAHPAX@Z () returned 0x1 [0179.650] WbemDefPath:IUnknown:Release (This=0x59f338) returned 0x0 [0179.650] WbemLocator:IWbemLocator:ConnectServer (in: This=0x59f020, strNetworkResource="\\\\.\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x21ec88 | out: ppNamespace=0x21ec88*=0x56d830) returned 0x0 [0182.593] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080a10 [0182.593] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080a80 [0182.593] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080ae0 [0182.593] WbemLocator:IUnknown:QueryInterface (in: This=0x56d830, riid=0x6d8631fc*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21eb58 | out: ppvObject=0x21eb58*=0x5b9ab4) returned 0x0 [0182.593] WbemLocator:IClientSecurity:QueryBlanket (in: This=0x5b9ab4, pProxy=0x56d830, pAuthnSvc=0x21eb48, pAuthzSvc=0x21eb4c, pServerPrincName=0x0, pAuthnLevel=0x21eb74, pImpLevel=0x21eb70, pAuthInfo=0x0, pCapabilites=0x21eb60 | out: pAuthnSvc=0x21eb48*=0xa, pAuthzSvc=0x21eb4c*=0x0, pServerPrincName=0x0, pAuthnLevel=0x21eb74*=0x6, pImpLevel=0x21eb70*=0x2, pAuthInfo=0x0, pCapabilites=0x21eb60*=0x1) returned 0x0 [0182.593] WbemLocator:IUnknown:Release (This=0x5b9ab4) returned 0x1 [0182.593] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0182.593] GetCurrentThreadId () returned 0xb30 [0182.594] WbemLocator:IUnknown:QueryInterface (in: This=0x56d830, riid=0x6d8631fc*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21eb88 | out: ppvObject=0x21eb88*=0x5b9ab4) returned 0x0 [0182.594] WbemLocator:IClientSecurity:CopyProxy (in: This=0x5b9ab4, pProxy=0x56d830, ppCopy=0x21eb8c | out: ppCopy=0x21eb8c*=0x56d8d0) returned 0x0 [0182.594] WbemLocator:IUnknown:QueryInterface (in: This=0x56d8d0, riid=0x6d8631fc*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21eaa4 | out: ppvObject=0x21eaa4*=0x5b9ab4) returned 0x0 [0182.594] WbemLocator:IClientSecurity:QueryBlanket (in: This=0x5b9ab4, pProxy=0x56d8d0, pAuthnSvc=0x21eac8, pAuthzSvc=0x21eab8, pServerPrincName=0x0, pAuthnLevel=0x0, pImpLevel=0x0, pAuthInfo=0x0, pCapabilites=0x0 | out: pAuthnSvc=0x21eac8*=0xa, pAuthzSvc=0x21eab8*=0x0, pServerPrincName=0x0, pAuthnLevel=0x0, pImpLevel=0x0, pAuthInfo=0x0, pCapabilites=0x0) returned 0x0 [0182.594] WbemLocator:IUnknown:Release (This=0x5b9ab4) returned 0x3 [0182.594] WbemLocator:IUnknown:QueryInterface (in: This=0x56d8d0, riid=0x6d8634f0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21ea7c | out: ppvObject=0x21ea7c*=0x5b9ad4) returned 0x0 [0182.594] WbemLocator:IUnknown:QueryInterface (in: This=0x56d8d0, riid=0x6d8631fc*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21ea80 | out: ppvObject=0x21ea80*=0x5b9ab4) returned 0x0 [0182.594] WbemLocator:IClientSecurity:SetBlanket (This=0x5b9ab4, pProxy=0x56d8d0, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0182.594] WbemLocator:IUnknown:Release (This=0x5b9ab4) returned 0x4 [0182.594] WbemLocator:IUnknown:Release (This=0x5b9ad4) returned 0x3 [0182.594] WbemLocator:IUnknown:Release (This=0x5b9ab4) returned 0x2 [0182.594] WbemLocator:IUnknown:AddRef (This=0x56d8d0) returned 0x3 [0182.594] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080b98 [0182.594] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x50809d0 [0182.595] WbemLocator:IUnknown:Release (This=0x56d830) returned 0x2 [0182.595] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0182.595] GetCurrentThreadId () returned 0xb30 [0182.595] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0182.595] GetCurrentThreadId () returned 0xb30 [0182.595] WbemLocator:IUnknown:QueryInterface (in: This=0x56d8d0, riid=0x6d8631fc*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21ec4c | out: ppvObject=0x21ec4c*=0x5b9ab4) returned 0x0 [0182.595] WbemLocator:IClientSecurity:QueryBlanket (in: This=0x5b9ab4, pProxy=0x56d8d0, pAuthnSvc=0x21ec3c, pAuthzSvc=0x21ec40, pServerPrincName=0x0, pAuthnLevel=0x21ec6c, pImpLevel=0x21ec70, pAuthInfo=0x0, pCapabilites=0x21ec54 | out: pAuthnSvc=0x21ec3c*=0xa, pAuthzSvc=0x21ec40*=0x0, pServerPrincName=0x0, pAuthnLevel=0x21ec6c*=0x6, pImpLevel=0x21ec70*=0x3, pAuthInfo=0x0, pCapabilites=0x21ec54*=0x20) returned 0x0 [0182.595] WbemLocator:IUnknown:Release (This=0x5b9ab4) returned 0x2 [0182.595] CreatePointerMoniker (in: punk=0x5080a10, ppmk=0x21edfc | out: ppmk=0x21edfc*=0x5b4328) returned 0x0 [0182.595] IUnknown:AddRef (This=0x5080a10) returned 0x2 [0182.596] ?WbemMemFree@CWin32DefaultArena@@SAHPAX@Z () returned 0x1 [0182.596] ?WbemMemFree@CWin32DefaultArena@@SAHPAX@Z () returned 0x1 [0182.596] ?WbemMemFree@CWin32DefaultArena@@SAHPAX@Z () returned 0x1 [0182.596] WbemLocator:IUnknown:Release (This=0x59f020) returned 0x0 [0182.596] ?WbemMemFree@CWin32DefaultArena@@SAHPAX@Z () returned 0x1 [0182.596] ?WbemMemFree@CWin32DefaultArena@@SAHPAX@Z () returned 0x1 [0182.596] WinMGMTS:IUnknown:Release (This=0x5080850) returned 0x0 [0182.596] ?WbemMemFree@CWin32DefaultArena@@SAHPAX@Z () returned 0x1 [0182.597] IUnknown:QueryInterface (in: This=0x5b4328, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e904 | out: ppvObject=0x21e904*=0x5b4328) returned 0x0 [0182.597] IUnknown:QueryInterface (in: This=0x5b4328, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x21e8b8 | out: ppvObject=0x21e8b8*=0x0) returned 0x80004002 [0182.597] IUnknown:QueryInterface (in: This=0x5b4328, riid=0x71b71e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x21e6e0 | out: ppvObject=0x21e6e0*=0x0) returned 0x80004002 [0182.598] IUnknown:AddRef (This=0x5b4328) returned 0x3 [0182.598] IUnknown:QueryInterface (in: This=0x5b4328, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x21e214 | out: ppvObject=0x21e214*=0x0) returned 0x80004002 [0182.598] IUnknown:QueryInterface (in: This=0x5b4328, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x21e1c4 | out: ppvObject=0x21e1c4*=0x0) returned 0x80004002 [0182.598] IUnknown:QueryInterface (in: This=0x5b4328, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e1d0 | out: ppvObject=0x21e1d0*=0x5b433c) returned 0x0 [0182.598] IMarshal:GetUnmarshalClass (in: This=0x5b433c, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x21e1d8 | out: pCid=0x21e1d8*(Data1=0x306, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0182.598] IUnknown:Release (This=0x5b433c) returned 0x3 [0182.598] CoGetContextToken (in: pToken=0x21e230 | out: pToken=0x21e230) returned 0x0 [0182.598] CoGetContextToken (in: pToken=0x21e644 | out: pToken=0x21e644) returned 0x0 [0182.598] IUnknown:QueryInterface (in: This=0x5b4328, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e6c4 | out: ppvObject=0x21e6c4*=0x0) returned 0x80004002 [0182.598] IUnknown:Release (This=0x5b4328) returned 0x2 [0182.599] CoGetContextToken (in: pToken=0x21ec14 | out: pToken=0x21ec14) returned 0x0 [0182.599] CoGetContextToken (in: pToken=0x21eb74 | out: pToken=0x21eb74) returned 0x0 [0182.599] IUnknown:QueryInterface (in: This=0x5b4328, riid=0x21ec44*(Data1=0xf, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21ec40 | out: ppvObject=0x21ec40*=0x5b4328) returned 0x0 [0182.599] IUnknown:AddRef (This=0x5b4328) returned 0x4 [0182.599] IUnknown:Release (This=0x5b4328) returned 0x3 [0182.599] IUnknown:Release (This=0x564348) returned 0x2 [0182.599] IUnknown:Release (This=0x5b4328) returned 0x2 [0182.599] CoGetContextToken (in: pToken=0x21ecac | out: pToken=0x21ecac) returned 0x0 [0182.599] IUnknown:AddRef (This=0x5b4328) returned 0x3 [0182.599] BindMoniker (in: pmk=0x5b4328, grfOpt=0x0, iidResult=0x235c810*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvResult=0x21ee44 | out: ppvResult=0x21ee44*=0x5080a10) returned 0x0 [0182.599] IUnknown:QueryInterface (in: This=0x5080a10, riid=0x235c810*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21ee44 | out: ppvObject=0x21ee44*=0x5080a10) returned 0x0 [0182.604] LoadRegTypeLib (in: rguid=0x6d86364c*(Data1=0x565783c6, Data2=0xcb41, Data3=0x11d1, Data4=([0]=0x8b, [1]=0x2, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0x6, [6]=0xd9, [7]=0xb6)), wVerMajor=0x1, wVerMinor=0x0, lcid=0x0, pptlib=0x21e6b0*=0x0 | out: pptlib=0x21e6b0*=0x5bd608) returned 0x0 [0182.849] ITypeLib:GetTypeInfoOfGuid (in: This=0x5bd608, GUID=0x5080a54*(Data1=0x62e522dc, Data2=0x8cf3, Data3=0x40a8, Data4=([0]=0x8b, [1]=0x2e, [2]=0x37, [3]=0xd5, [4]=0x95, [5]=0x65, [6]=0x1e, [7]=0x40)), ppTInfo=0x5080a3c | out: ppTInfo=0x5080a3c*=0x5bf15c) returned 0x0 [0182.849] IUnknown:Release (This=0x5bd608) returned 0x1 [0182.849] IUnknown:AddRef (This=0x5bf15c) returned 0x2 [0182.850] ITypeInfo:RemoteGetTypeAttr (in: This=0x5bf15c, ppTypeAttr=0x21e6e0, pDummy=0x2a3fcce | out: ppTypeAttr=0x21e6e0, pDummy=0x2a3fcce) returned 0x0 [0182.894] ITypeInfo:LocalReleaseTypeAttr (This=0x5bf15c) returned 0x581768 [0182.894] IUnknown:Release (This=0x5bf15c) returned 0x1 [0182.894] CoGetContextToken (in: pToken=0x21e234 | out: pToken=0x21e234) returned 0x0 [0182.894] CoGetContextToken (in: pToken=0x21e644 | out: pToken=0x21e644) returned 0x0 [0182.894] IUnknown:Release (This=0x5b4328) returned 0x2 [0182.926] CoGetContextToken (in: pToken=0x21e914 | out: pToken=0x21e914) returned 0x0 [0182.927] LoadRegTypeLib (in: rguid=0x6d86364c*(Data1=0x565783c6, Data2=0xcb41, Data3=0x11d1, Data4=([0]=0x8b, [1]=0x2, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0x6, [6]=0xd9, [7]=0xb6)), wVerMajor=0x1, wVerMinor=0x0, lcid=0x409, pptlib=0x21e924*=0x0 | out: pptlib=0x21e924*=0x5bd608) returned 0x0 [0182.928] ITypeLib:GetTypeInfoOfGuid (in: This=0x5bd608, GUID=0x5080a44*(Data1=0xd2f68443, Data2=0x85dc, Data3=0x427e, Data4=([0]=0x91, [1]=0xd8, [2]=0x36, [3]=0x65, [4]=0x54, [5]=0xcc, [6]=0x75, [7]=0x4c)), ppTInfo=0x5080a38 | out: ppTInfo=0x5080a38*=0x5bf188) returned 0x0 [0182.928] IUnknown:Release (This=0x5bd608) returned 0x2 [0182.928] IUnknown:AddRef (This=0x5bf188) returned 0x2 [0182.928] DispGetIDsOfNames (in: ptinfo=0x5bf188, rgszNames=0x21e980*="InstancesOf", cNames=0x1, rgdispid=0x21e970 | out: rgdispid=0x21e970*=5) returned 0x0 [0182.942] IUnknown:Release (This=0x5bf188) returned 0x1 [0182.948] IUnknown:AddRef (This=0x5bf188) returned 0x2 [0182.948] ITypeInfo:LocalInvoke (This=0x5bf188) returned 0x0 [0182.949] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0182.949] GetCurrentThreadId () returned 0xb30 [0182.949] WbemLocator:IUnknown:AddRef (This=0x56d8d0) returned 0x3 [0182.949] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0182.949] GetCurrentThreadId () returned 0xb30 [0182.949] IWbemServices:CreateInstanceEnum (in: This=0x56d8d0, strFilter="Win32_BaseBoard", lFlags=16, pCtx=0x0, ppEnum=0x21e5c4 | out: ppEnum=0x21e5c4*=0x5991f0) returned 0x0 [0182.971] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080850 [0182.971] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x50808b0 [0182.971] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080910 [0182.971] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080970 [0182.971] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080bf8 [0182.971] IUnknown:QueryInterface (in: This=0x5991f0, riid=0x6d8631fc*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e4dc | out: ppvObject=0x21e4dc*=0x5991f4) returned 0x0 [0182.972] IClientSecurity:QueryBlanket (in: This=0x5991f4, pProxy=0x5991f0, pAuthnSvc=0x21e4cc, pAuthzSvc=0x21e4d0, pServerPrincName=0x0, pAuthnLevel=0x21e4f8, pImpLevel=0x21e4f4, pAuthInfo=0x0, pCapabilites=0x21e4e4 | out: pAuthnSvc=0x21e4cc*=0xa, pAuthzSvc=0x21e4d0*=0x0, pServerPrincName=0x0, pAuthnLevel=0x21e4f8*=0x6, pImpLevel=0x21e4f4*=0x2, pAuthInfo=0x0, pCapabilites=0x21e4e4*=0x1) returned 0x0 [0182.972] IUnknown:Release (This=0x5991f4) returned 0x1 [0182.972] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0182.972] GetCurrentThreadId () returned 0xb30 [0182.972] WbemLocator:IUnknown:QueryInterface (in: This=0x56d8d0, riid=0x6d8631fc*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e4c0 | out: ppvObject=0x21e4c0*=0x5b9ab4) returned 0x0 [0182.972] WbemLocator:IClientSecurity:QueryBlanket (in: This=0x5b9ab4, pProxy=0x56d8d0, pAuthnSvc=0x21e4b0, pAuthzSvc=0x21e4b4, pServerPrincName=0x0, pAuthnLevel=0x21e4e0, pImpLevel=0x21e4e4, pAuthInfo=0x0, pCapabilites=0x21e4c8 | out: pAuthnSvc=0x21e4b0*=0xa, pAuthzSvc=0x21e4b4*=0x0, pServerPrincName=0x0, pAuthnLevel=0x21e4e0*=0x6, pImpLevel=0x21e4e4*=0x3, pAuthInfo=0x0, pCapabilites=0x21e4c8*=0x20) returned 0x0 [0182.972] WbemLocator:IUnknown:Release (This=0x5b9ab4) returned 0x3 [0182.972] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0182.972] GetCurrentThreadId () returned 0xb30 [0182.972] WbemLocator:IUnknown:QueryInterface (in: This=0x56d8d0, riid=0x6d8631fc*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e4c0 | out: ppvObject=0x21e4c0*=0x5b9ab4) returned 0x0 [0182.972] WbemLocator:IClientSecurity:QueryBlanket (in: This=0x5b9ab4, pProxy=0x56d8d0, pAuthnSvc=0x21e4b0, pAuthzSvc=0x21e4b4, pServerPrincName=0x0, pAuthnLevel=0x21e4e4, pImpLevel=0x21e4e0, pAuthInfo=0x0, pCapabilites=0x21e4c8 | out: pAuthnSvc=0x21e4b0*=0xa, pAuthzSvc=0x21e4b4*=0x0, pServerPrincName=0x0, pAuthnLevel=0x21e4e4*=0x6, pImpLevel=0x21e4e0*=0x3, pAuthInfo=0x0, pCapabilites=0x21e4c8*=0x20) returned 0x0 [0182.972] WbemLocator:IUnknown:Release (This=0x5b9ab4) returned 0x3 [0182.972] IUnknown:QueryInterface (in: This=0x5991f0, riid=0x6d8631fc*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e50c | out: ppvObject=0x21e50c*=0x5991f4) returned 0x0 [0182.972] IClientSecurity:CopyProxy (in: This=0x5991f4, pProxy=0x5991f0, ppCopy=0x21e510 | out: ppCopy=0x21e510*=0x5992b8) returned 0x0 [0182.972] IUnknown:QueryInterface (in: This=0x5992b8, riid=0x6d8631fc*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e428 | out: ppvObject=0x21e428*=0x5992bc) returned 0x0 [0182.973] IClientSecurity:QueryBlanket (in: This=0x5992bc, pProxy=0x5992b8, pAuthnSvc=0x21e44c, pAuthzSvc=0x21e43c, pServerPrincName=0x0, pAuthnLevel=0x0, pImpLevel=0x0, pAuthInfo=0x0, pCapabilites=0x0 | out: pAuthnSvc=0x21e44c*=0xa, pAuthzSvc=0x21e43c*=0x0, pServerPrincName=0x0, pAuthnLevel=0x0, pImpLevel=0x0, pAuthInfo=0x0, pCapabilites=0x0) returned 0x0 [0182.973] IUnknown:Release (This=0x5992bc) returned 0x3 [0182.973] IUnknown:QueryInterface (in: This=0x5992b8, riid=0x6d8634f0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e400 | out: ppvObject=0x21e400*=0x5bfe6c) returned 0x0 [0182.973] IUnknown:QueryInterface (in: This=0x5992b8, riid=0x6d8631fc*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e404 | out: ppvObject=0x21e404*=0x5992bc) returned 0x0 [0182.973] IClientSecurity:SetBlanket (This=0x5992bc, pProxy=0x5992b8, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0182.977] IUnknown:Release (This=0x5992bc) returned 0x4 [0182.977] WbemLocator:IUnknown:Release (This=0x5bfe6c) returned 0x3 [0182.977] IUnknown:Release (This=0x5991f4) returned 0x2 [0182.977] IUnknown:AddRef (This=0x5992b8) returned 0x3 [0182.977] IUnknown:Release (This=0x5991f0) returned 0x2 [0182.977] GetErrorInfo (in: dwReserved=0x0, pperrinfo=0x21e57c | out: pperrinfo=0x21e57c*=0x0) returned 0x1 [0182.978] WbemLocator:IUnknown:Release (This=0x56d8d0) returned 0x2 [0182.978] IUnknown:Release (This=0x5bf188) returned 0x1 [0182.979] LoadRegTypeLib (in: rguid=0x6d86364c*(Data1=0x565783c6, Data2=0xcb41, Data3=0x11d1, Data4=([0]=0x8b, [1]=0x2, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0x6, [6]=0xd9, [7]=0xb6)), wVerMajor=0x1, wVerMinor=0x0, lcid=0x0, pptlib=0x21e16c*=0x0 | out: pptlib=0x21e16c*=0x5bd608) returned 0x0 [0182.980] ITypeLib:GetTypeInfoOfGuid (in: This=0x5bd608, GUID=0x5080888*(Data1=0x4b83d61, Data2=0x21ae, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x33, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0x6, [6]=0xd9, [7]=0xb6)), ppTInfo=0x5080870 | out: ppTInfo=0x5080870*=0x5bf290) returned 0x0 [0182.980] IUnknown:Release (This=0x5bd608) returned 0x3 [0182.980] IUnknown:AddRef (This=0x5bf290) returned 0x2 [0182.980] ITypeInfo:RemoteGetTypeAttr (in: This=0x5bf290, ppTypeAttr=0x21e19c, pDummy=0x2a3fa0a | out: ppTypeAttr=0x21e19c, pDummy=0x2a3fa0a) returned 0x0 [0182.982] ITypeInfo:LocalReleaseTypeAttr (This=0x5bf290) returned 0x581768 [0182.982] IUnknown:Release (This=0x5bf290) returned 0x1 [0182.983] CoGetContextToken (in: pToken=0x21dcf0 | out: pToken=0x21dcf0) returned 0x0 [0182.983] CoGetContextToken (in: pToken=0x21e104 | out: pToken=0x21e104) returned 0x0 [0182.983] CoGetContextToken (in: pToken=0x21ecec | out: pToken=0x21ecec) returned 0x0 [0182.983] CoGetContextToken (in: pToken=0x21ec4c | out: pToken=0x21ec4c) returned 0x0 [0182.985] CoGetContextToken (in: pToken=0x21ec6c | out: pToken=0x21ec6c) returned 0x0 [0182.985] LoadRegTypeLib (in: rguid=0x6d86364c*(Data1=0x565783c6, Data2=0xcb41, Data3=0x11d1, Data4=([0]=0x8b, [1]=0x2, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0x6, [6]=0xd9, [7]=0xb6)), wVerMajor=0x1, wVerMinor=0x0, lcid=0x400, pptlib=0x21ec80*=0x0 | out: pptlib=0x21ec80*=0x5bd608) returned 0x0 [0182.987] ITypeLib:GetTypeInfoOfGuid (in: This=0x5bd608, GUID=0x5080878*(Data1=0x76a6415f, Data2=0xcb41, Data3=0x11d1, Data4=([0]=0x8b, [1]=0x2, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0x6, [6]=0xd9, [7]=0xb6)), ppTInfo=0x508086c | out: ppTInfo=0x508086c*=0x5bf238) returned 0x0 [0182.987] IUnknown:Release (This=0x5bd608) returned 0x4 [0182.987] IUnknown:AddRef (This=0x5bf238) returned 0x2 [0182.987] ITypeInfo:LocalInvoke (This=0x5bf238) returned 0x0 [0182.987] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0182.987] GetCurrentThreadId () returned 0xb30 [0182.987] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080810 [0182.987] IUnknown:Release (This=0x5bf238) returned 0x1 [0182.987] ?WbemMemFree@CWin32DefaultArena@@SAHPAX@Z () returned 0x1 [0183.420] LocalAlloc (uFlags=0x0, uBytes=0x80) returned 0x58cf40 [0183.422] LocalAlloc (uFlags=0x0, uBytes=0x80) returned 0x58cfc8 [0183.431] CoGetContextToken (in: pToken=0x21e9b4 | out: pToken=0x21e9b4) returned 0x0 [0183.434] CoGetContextToken (in: pToken=0x21e4cc | out: pToken=0x21e4cc) returned 0x0 [0183.434] IUnknown:AddRef (This=0x5bf238) returned 0x2 [0183.434] ITypeInfo:LocalInvoke (This=0x5bf238) returned 0x0 [0183.434] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0183.434] GetCurrentThreadId () returned 0xb30 [0183.434] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0183.434] GetCurrentThreadId () returned 0xb30 [0183.435] IUnknown:AddRef (This=0x5992b8) returned 0x3 [0183.435] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0183.435] GetCurrentThreadId () returned 0xb30 [0183.435] IEnumWbemClassObject:Clone (in: This=0x5992b8, ppEnum=0x21e720 | out: ppEnum=0x21e720*=0x599380) returned 0x0 [0183.437] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080cb0 [0183.437] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080d10 [0183.437] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080d70 [0183.437] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080990 [0183.437] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080dd0 [0183.437] IUnknown:QueryInterface (in: This=0x599380, riid=0x6d8631fc*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e638 | out: ppvObject=0x21e638*=0x599384) returned 0x0 [0183.438] IClientSecurity:QueryBlanket (in: This=0x599384, pProxy=0x599380, pAuthnSvc=0x21e628, pAuthzSvc=0x21e62c, pServerPrincName=0x0, pAuthnLevel=0x21e654, pImpLevel=0x21e650, pAuthInfo=0x0, pCapabilites=0x21e640 | out: pAuthnSvc=0x21e628*=0xa, pAuthzSvc=0x21e62c*=0x0, pServerPrincName=0x0, pAuthnLevel=0x21e654*=0x6, pImpLevel=0x21e650*=0x2, pAuthInfo=0x0, pCapabilites=0x21e640*=0x1) returned 0x0 [0183.438] IUnknown:Release (This=0x599384) returned 0x1 [0183.438] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0183.438] GetCurrentThreadId () returned 0xb30 [0183.438] IUnknown:QueryInterface (in: This=0x5992b8, riid=0x6d8631fc*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e61c | out: ppvObject=0x21e61c*=0x5992bc) returned 0x0 [0183.438] IClientSecurity:QueryBlanket (in: This=0x5992bc, pProxy=0x5992b8, pAuthnSvc=0x21e60c, pAuthzSvc=0x21e610, pServerPrincName=0x0, pAuthnLevel=0x21e63c, pImpLevel=0x21e640, pAuthInfo=0x0, pCapabilites=0x21e624 | out: pAuthnSvc=0x21e60c*=0xa, pAuthzSvc=0x21e610*=0x0, pServerPrincName=0x0, pAuthnLevel=0x21e63c*=0x6, pImpLevel=0x21e640*=0x3, pAuthInfo=0x0, pCapabilites=0x21e624*=0x20) returned 0x0 [0183.438] IUnknown:Release (This=0x5992bc) returned 0x3 [0183.438] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0183.438] GetCurrentThreadId () returned 0xb30 [0183.438] IUnknown:QueryInterface (in: This=0x5992b8, riid=0x6d8631fc*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e61c | out: ppvObject=0x21e61c*=0x5992bc) returned 0x0 [0183.438] IClientSecurity:QueryBlanket (in: This=0x5992bc, pProxy=0x5992b8, pAuthnSvc=0x21e60c, pAuthzSvc=0x21e610, pServerPrincName=0x0, pAuthnLevel=0x21e640, pImpLevel=0x21e63c, pAuthInfo=0x0, pCapabilites=0x21e624 | out: pAuthnSvc=0x21e60c*=0xa, pAuthzSvc=0x21e610*=0x0, pServerPrincName=0x0, pAuthnLevel=0x21e640*=0x6, pImpLevel=0x21e63c*=0x3, pAuthInfo=0x0, pCapabilites=0x21e624*=0x20) returned 0x0 [0183.438] IUnknown:Release (This=0x5992bc) returned 0x3 [0183.438] IUnknown:QueryInterface (in: This=0x599380, riid=0x6d8631fc*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e668 | out: ppvObject=0x21e668*=0x599384) returned 0x0 [0183.438] IClientSecurity:CopyProxy (in: This=0x599384, pProxy=0x599380, ppCopy=0x21e66c | out: ppCopy=0x21e66c*=0x599448) returned 0x0 [0183.439] IUnknown:QueryInterface (in: This=0x599448, riid=0x6d8631fc*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e584 | out: ppvObject=0x21e584*=0x59944c) returned 0x0 [0183.439] IClientSecurity:QueryBlanket (in: This=0x59944c, pProxy=0x599448, pAuthnSvc=0x21e5a8, pAuthzSvc=0x21e598, pServerPrincName=0x0, pAuthnLevel=0x0, pImpLevel=0x0, pAuthInfo=0x0, pCapabilites=0x0 | out: pAuthnSvc=0x21e5a8*=0xa, pAuthzSvc=0x21e598*=0x0, pServerPrincName=0x0, pAuthnLevel=0x0, pImpLevel=0x0, pAuthInfo=0x0, pCapabilites=0x0) returned 0x0 [0183.439] IUnknown:Release (This=0x59944c) returned 0x3 [0183.439] IUnknown:QueryInterface (in: This=0x599448, riid=0x6d8634f0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e55c | out: ppvObject=0x21e55c*=0x5742cc) returned 0x0 [0183.439] IUnknown:QueryInterface (in: This=0x599448, riid=0x6d8631fc*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e560 | out: ppvObject=0x21e560*=0x59944c) returned 0x0 [0183.439] IClientSecurity:SetBlanket (This=0x59944c, pProxy=0x599448, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0183.441] IUnknown:Release (This=0x59944c) returned 0x4 [0183.441] WbemLocator:IUnknown:Release (This=0x5742cc) returned 0x3 [0183.441] IUnknown:Release (This=0x599384) returned 0x2 [0183.442] IUnknown:AddRef (This=0x599448) returned 0x3 [0183.442] IUnknown:Release (This=0x599380) returned 0x2 [0183.442] GetErrorInfo (in: dwReserved=0x0, pperrinfo=0x21e6d8 | out: pperrinfo=0x21e6d8*=0x0) returned 0x1 [0183.442] IUnknown:Release (This=0x5992b8) returned 0x2 [0183.442] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0183.442] GetCurrentThreadId () returned 0xb30 [0183.442] IUnknown:AddRef (This=0x599448) returned 0x3 [0183.442] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0183.442] GetCurrentThreadId () returned 0xb30 [0183.442] IEnumWbemClassObject:Reset (This=0x599448) returned 0x0 [0183.443] IUnknown:Release (This=0x599448) returned 0x2 [0183.443] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080810 [0183.443] IUnknown:Release (This=0x5bf238) returned 0x1 [0183.444] CoGetContextToken (in: pToken=0x21dc98 | out: pToken=0x21dc98) returned 0x0 [0183.444] CoGetContextToken (in: pToken=0x21e0ac | out: pToken=0x21e0ac) returned 0x0 [0183.452] CoGetContextToken (in: pToken=0x21ea8c | out: pToken=0x21ea8c) returned 0x0 [0183.453] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0183.453] GetCurrentThreadId () returned 0xb30 [0183.453] IUnknown:AddRef (This=0x599448) returned 0x3 [0183.453] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0183.453] GetCurrentThreadId () returned 0xb30 [0183.453] IEnumWbemClassObject:Next (in: This=0x599448, lTimeout=-1, uCount=0x1, apObjects=0x21ee10, puReturned=0x21ee08 | out: apObjects=0x21ee10*=0x5d1f98, puReturned=0x21ee08*=0x1) returned 0x0 [0183.459] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080e88 [0183.459] IUnknown:AddRef (This=0x5d1f98) returned 0x2 [0183.459] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080ed0 [0183.459] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080f40 [0183.459] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5080fa0 [0183.459] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x50809b0 [0183.459] WbemLocator:IUnknown:AddRef (This=0x56d8d0) returned 0x3 [0183.459] IUnknown:AddRef (This=0x599448) returned 0x4 [0183.459] IUnknown:QueryInterface (in: This=0x599448, riid=0x6d8631fc*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21ed70 | out: ppvObject=0x21ed70*=0x59944c) returned 0x0 [0183.459] IClientSecurity:QueryBlanket (in: This=0x59944c, pProxy=0x599448, pAuthnSvc=0x21ed60, pAuthzSvc=0x21ed64, pServerPrincName=0x0, pAuthnLevel=0x21ed80, pImpLevel=0x21ed8c, pAuthInfo=0x0, pCapabilites=0x21ed78 | out: pAuthnSvc=0x21ed60*=0xa, pAuthzSvc=0x21ed64*=0x0, pServerPrincName=0x0, pAuthnLevel=0x21ed80*=0x6, pImpLevel=0x21ed8c*=0x3, pAuthInfo=0x0, pCapabilites=0x21ed78*=0x20) returned 0x0 [0183.459] IUnknown:Release (This=0x59944c) returned 0x4 [0183.459] WbemLocator:IUnknown:Release (This=0x56d8d0) returned 0x2 [0183.460] WbemLocator:IUnknown:AddRef (This=0x56d8d0) returned 0x3 [0183.460] IUnknown:Release (This=0x599448) returned 0x3 [0183.460] SysStringLen (param_1="\\\\.\\root\\cimv2") returned 0xe [0183.460] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5081000 [0183.460] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5081030 [0183.460] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5081050 [0183.460] IUnknown:AddRef (This=0x5d1f98) returned 0x3 [0183.460] IUnknown:Release (This=0x5d1f98) returned 0x2 [0183.460] GetErrorInfo (in: dwReserved=0x0, pperrinfo=0x21edc4 | out: pperrinfo=0x21edc4*=0x0) returned 0x1 [0183.460] IUnknown:Release (This=0x599448) returned 0x2 [0183.460] GetErrorInfo (in: dwReserved=0x0, pperrinfo=0x21ee08 | out: pperrinfo=0x21ee08*=0x0) returned 0x1 [0183.462] LoadRegTypeLib (in: rguid=0x6d86364c*(Data1=0x565783c6, Data2=0xcb41, Data3=0x11d1, Data4=([0]=0x8b, [1]=0x2, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0x6, [6]=0xd9, [7]=0xb6)), wVerMajor=0x1, wVerMinor=0x0, lcid=0x0, pptlib=0x21e5d4*=0x0 | out: pptlib=0x21e5d4*=0x5bd608) returned 0x0 [0183.463] ITypeLib:GetTypeInfoOfGuid (in: This=0x5bd608, GUID=0x6d8770c4*(Data1=0xd6bdafb2, Data2=0x9435, Data3=0x491f, Data4=([0]=0xbb, [1]=0x87, [2]=0x6a, [3]=0xa0, [4]=0xf0, [5]=0xbc, [6]=0x31, [7]=0xa2)), ppTInfo=0x508101c | out: ppTInfo=0x508101c*=0x5bf2bc) returned 0x0 [0183.463] IUnknown:Release (This=0x5bd608) returned 0x5 [0183.463] IUnknown:AddRef (This=0x5bf2bc) returned 0x2 [0183.463] ITypeInfo:RemoteGetTypeAttr (in: This=0x5bf2bc, ppTypeAttr=0x21e614, pDummy=0x2a3fdf2 | out: ppTypeAttr=0x21e614, pDummy=0x2a3fdf2) returned 0x0 [0183.464] ITypeInfo:LocalReleaseTypeAttr (This=0x5bf2bc) returned 0x581768 [0183.464] IUnknown:Release (This=0x5bf2bc) returned 0x1 [0183.464] CoGetContextToken (in: pToken=0x21e168 | out: pToken=0x21e168) returned 0x0 [0183.465] CoGetContextToken (in: pToken=0x21e57c | out: pToken=0x21e57c) returned 0x0 [0183.469] CoGetContextToken (in: pToken=0x21e934 | out: pToken=0x21e934) returned 0x0 [0183.469] LoadRegTypeLib (in: rguid=0x6d86364c*(Data1=0x565783c6, Data2=0xcb41, Data3=0x11d1, Data4=([0]=0x8b, [1]=0x2, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0x6, [6]=0xd9, [7]=0xb6)), wVerMajor=0x1, wVerMinor=0x0, lcid=0x409, pptlib=0x21e928*=0x0 | out: pptlib=0x21e928*=0x5bd608) returned 0x0 [0183.470] ITypeLib:GetTypeInfoOfGuid (in: This=0x5bd608, GUID=0x6d8655e4*(Data1=0x269ad56a, Data2=0x8a67, Data3=0x4129, Data4=([0]=0xbc, [1]=0x8c, [2]=0x5, [3]=0x6, [4]=0xdc, [5]=0xfe, [6]=0x98, [7]=0x80)), ppTInfo=0x5081018 | out: ppTInfo=0x5081018*=0x5bf2e8) returned 0x0 [0183.470] IUnknown:Release (This=0x5bd608) returned 0x6 [0183.470] IUnknown:AddRef (This=0x5bf2e8) returned 0x2 [0183.470] DispGetIDsOfNames (in: ptinfo=0x5bf2e8, rgszNames=0x21e9a0*="SerialNumber", cNames=0x1, rgdispid=0x21e990 | out: rgdispid=0x21e990*=-1) returned 0x80020006 [0183.492] IUnknown:AddRef (This=0x5d1f98) returned 0x3 [0183.492] IWbemClassObject:Get (in: This=0x5d1f98, wszName="SerialNumber", lFlags=0, pVal=0x0, pType=0x0, plFlavor=0x21e8b0*=0 | out: pVal=0x0, pType=0x0, plFlavor=0x21e8b0*=0) returned 0x0 [0183.492] IUnknown:Release (This=0x5d1f98) returned 0x2 [0183.492] SysStringLen (param_1="SerialNumber") returned 0xc [0183.492] ?WbemMemAlloc@CWin32DefaultArena@@SAPAXK@Z () returned 0x5081078 [0183.492] SysStringLen (param_1="SerialNumber") returned 0xc [0183.492] IUnknown:Release (This=0x5bf2e8) returned 0x1 [0183.492] IUnknown:AddRef (This=0x5bf2e8) returned 0x2 [0183.492] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0183.493] GetCurrentThreadId () returned 0xb30 [0183.493] SysStringLen (param_1="SerialNumber") returned 0xc [0183.493] IWbemClassObject:Get (in: This=0x5d1f98, wszName="SerialNumber", lFlags=0, pVal=0x21e730*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x21e768, varVal2=0x6d862d81), pType=0x21e740*=1837510022, plFlavor=0x0 | out: pVal=0x21e730*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="..CN747510BO0504.", varVal2=0x6d862d81), pType=0x21e740*=8, plFlavor=0x0) returned 0x0 [0183.493] IUnknown:Release (This=0x5bf2e8) returned 0x1 [0183.494] SysStringByteLen (bstr="..CN747510BO0504.") returned 0x22 [0183.494] SysStringByteLen (bstr="..CN747510BO0504.") returned 0x22 [0183.496] CoGetContextToken (in: pToken=0x21ea8c | out: pToken=0x21ea8c) returned 0x0 [0183.496] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0183.497] GetCurrentThreadId () returned 0xb30 [0183.497] IUnknown:AddRef (This=0x599448) returned 0x3 [0183.497] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0183.497] GetCurrentThreadId () returned 0xb30 [0183.497] IEnumWbemClassObject:Next (in: This=0x599448, lTimeout=-1, uCount=0x1, apObjects=0x21ee10, puReturned=0x21ee08 | out: apObjects=0x21ee10*=0x0, puReturned=0x21ee08*=0x0) returned 0x1 [0183.498] GetErrorInfo (in: dwReserved=0x0, pperrinfo=0x21edc4 | out: pperrinfo=0x21edc4*=0x0) returned 0x1 [0183.498] IUnknown:Release (This=0x599448) returned 0x2 [0183.498] GetErrorInfo (in: dwReserved=0x0, pperrinfo=0x21ee08 | out: pperrinfo=0x21ee08*=0x0) returned 0x1 [0183.582] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x2c0 [0183.583] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x2c4 [0183.591] SetEvent (hEvent=0x2c4) returned 1 [0183.619] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x21edf8*=0x2c0, lpdwindex=0x21ec1c | out: lpdwindex=0x21ec1c) returned 0x0 [0183.619] CoGetContextToken (in: pToken=0x21eccc | out: pToken=0x21eccc) returned 0x0 [0183.619] CoGetContextToken (in: pToken=0x21ec2c | out: pToken=0x21ec2c) returned 0x0 [0183.619] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f4f8, riid=0x21ecfc*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x21ecf8 | out: ppvObject=0x21ecf8*=0x59f4f8) returned 0x0 [0183.619] WbemDefPath:IUnknown:AddRef (This=0x59f4f8) returned 0x3 [0183.619] WbemDefPath:IUnknown:Release (This=0x59f4f8) returned 0x2 [0183.626] WbemDefPath:IWbemPath:SetText (This=0x59f4f8, uMode=0x4, pszPath="win32_processor") returned 0x0 [0183.630] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f4f8, puCount=0x21ee78 | out: puCount=0x21ee78*=0x0) returned 0x0 [0183.630] WbemDefPath:IWbemPath:GetText (in: This=0x59f4f8, lFlags=2, puBuffLength=0x21ee74*=0x0, pszText=0x0 | out: puBuffLength=0x21ee74*=0x10, pszText=0x0) returned 0x0 [0183.631] WbemDefPath:IWbemPath:GetText (in: This=0x59f4f8, lFlags=2, puBuffLength=0x21ee74*=0x10, pszText="000000000000000" | out: puBuffLength=0x21ee74*=0x10, pszText="win32_processor") returned 0x0 [0183.632] WbemDefPath:IWbemPath:GetInfo (in: This=0x59f4f8, uRequestedInfo=0x0, puResponse=0x21ee80 | out: puResponse=0x21ee80*=0xc15) returned 0x0 [0183.632] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f4f8, puCount=0x21ee78 | out: puCount=0x21ee78*=0x0) returned 0x0 [0183.632] WbemDefPath:IWbemPath:GetInfo (in: This=0x59f4f8, uRequestedInfo=0x0, puResponse=0x21ee80 | out: puResponse=0x21ee80*=0xc15) returned 0x0 [0183.632] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f4f8, puCount=0x21ee68 | out: puCount=0x21ee68*=0x0) returned 0x0 [0183.632] WbemDefPath:IWbemPath:GetText (in: This=0x59f4f8, lFlags=2, puBuffLength=0x21ee64*=0x0, pszText=0x0 | out: puBuffLength=0x21ee64*=0x10, pszText=0x0) returned 0x0 [0183.633] WbemDefPath:IWbemPath:GetText (in: This=0x59f4f8, lFlags=2, puBuffLength=0x21ee64*=0x10, pszText="000000000000000" | out: puBuffLength=0x21ee64*=0x10, pszText="win32_processor") returned 0x0 [0183.633] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f4f8, puCount=0x21ee68 | out: puCount=0x21ee68*=0x0) returned 0x0 [0183.633] WbemDefPath:IWbemPath:GetText (in: This=0x59f4f8, lFlags=2, puBuffLength=0x21ee64*=0x0, pszText=0x0 | out: puBuffLength=0x21ee64*=0x10, pszText=0x0) returned 0x0 [0183.633] WbemDefPath:IWbemPath:GetText (in: This=0x59f4f8, lFlags=2, puBuffLength=0x21ee64*=0x10, pszText="000000000000000" | out: puBuffLength=0x21ee64*=0x10, pszText="win32_processor") returned 0x0 [0183.633] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f4f8, puCount=0x21edf8 | out: puCount=0x21edf8*=0x0) returned 0x0 [0183.634] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x2f4 [0183.634] SetEvent (hEvent=0x2c4) returned 1 [0183.634] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x21e654*=0x2f4, lpdwindex=0x21e478 | out: lpdwindex=0x21e478) returned 0x0 [0183.638] CoGetContextToken (in: pToken=0x21e52c | out: pToken=0x21e52c) returned 0x0 [0183.638] CoGetContextToken (in: pToken=0x21e48c | out: pToken=0x21e48c) returned 0x0 [0183.638] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f568, riid=0x21e55c*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x21e558 | out: ppvObject=0x21e558*=0x59f568) returned 0x0 [0183.638] WbemDefPath:IUnknown:AddRef (This=0x59f568) returned 0x3 [0183.638] WbemDefPath:IUnknown:Release (This=0x59f568) returned 0x2 [0183.638] WbemDefPath:IWbemPath:SetText (This=0x59f568, uMode=0x4, pszPath="//./root/cimv2") returned 0x0 [0183.639] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f568, puCount=0x21ede4 | out: puCount=0x21ede4*=0x2) returned 0x0 [0183.639] WbemDefPath:IWbemPath:GetText (in: This=0x59f568, lFlags=4, puBuffLength=0x21ede0*=0x0, pszText=0x0 | out: puBuffLength=0x21ede0*=0xf, pszText=0x0) returned 0x0 [0183.639] WbemDefPath:IWbemPath:GetText (in: This=0x59f568, lFlags=4, puBuffLength=0x21ede0*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ede0*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0183.639] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x2f8 [0183.639] SetEvent (hEvent=0x2c4) returned 1 [0183.639] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x21ed40*=0x2f8, lpdwindex=0x21eb64 | out: lpdwindex=0x21eb64) returned 0x0 [0183.642] CoGetContextToken (in: pToken=0x21ec14 | out: pToken=0x21ec14) returned 0x0 [0183.642] CoGetContextToken (in: pToken=0x21eb74 | out: pToken=0x21eb74) returned 0x0 [0183.642] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f5d8, riid=0x21ec44*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x21ec40 | out: ppvObject=0x21ec40*=0x59f5d8) returned 0x0 [0183.642] WbemDefPath:IUnknown:AddRef (This=0x59f5d8) returned 0x3 [0183.642] WbemDefPath:IUnknown:Release (This=0x59f5d8) returned 0x2 [0183.642] WbemDefPath:IWbemPath:SetText (This=0x59f5d8, uMode=0x4, pszPath="\\\\.\\root\\cimv2") returned 0x0 [0183.642] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f5d8, puCount=0x21edbc | out: puCount=0x21edbc*=0x2) returned 0x0 [0183.642] WbemDefPath:IWbemPath:GetText (in: This=0x59f5d8, lFlags=4, puBuffLength=0x21edb8*=0x0, pszText=0x0 | out: puBuffLength=0x21edb8*=0xf, pszText=0x0) returned 0x0 [0183.642] WbemDefPath:IWbemPath:GetText (in: This=0x59f5d8, lFlags=4, puBuffLength=0x21edb8*=0xf, pszText="00000000000000" | out: puBuffLength=0x21edb8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0183.654] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x21ecdc*=0x30c, lpdwindex=0x21eb94 | out: lpdwindex=0x21eb94) returned 0x0 [0184.307] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f5d8, puCount=0x21ede0 | out: puCount=0x21ede0*=0x2) returned 0x0 [0184.307] WbemDefPath:IWbemPath:GetText (in: This=0x59f5d8, lFlags=4, puBuffLength=0x21eddc*=0x0, pszText=0x0 | out: puBuffLength=0x21eddc*=0xf, pszText=0x0) returned 0x0 [0184.307] WbemDefPath:IWbemPath:GetText (in: This=0x59f5d8, lFlags=4, puBuffLength=0x21eddc*=0xf, pszText="00000000000000" | out: puBuffLength=0x21eddc*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0184.307] WbemDefPath:IWbemPath:GetText (in: This=0x59f4f8, lFlags=2, puBuffLength=0x21ede4*=0x0, pszText=0x0 | out: puBuffLength=0x21ede4*=0x10, pszText=0x0) returned 0x0 [0184.308] WbemDefPath:IWbemPath:GetText (in: This=0x59f4f8, lFlags=2, puBuffLength=0x21ede4*=0x10, pszText="000000000000000" | out: puBuffLength=0x21ede4*=0x10, pszText="win32_processor") returned 0x0 [0184.310] CoGetContextToken (in: pToken=0x21eb84 | out: pToken=0x21eb84) returned 0x0 [0184.310] CoGetContextToken (in: pToken=0x21eae4 | out: pToken=0x21eae4) returned 0x0 [0184.310] CoGetContextToken (in: pToken=0x21eae4 | out: pToken=0x21eae4) returned 0x0 [0184.310] CoGetContextToken (in: pToken=0x21ea84 | out: pToken=0x21ea84) returned 0x0 [0184.310] IUnknown:QueryInterface (in: This=0x56edd8, riid=0x71c28ae0*(Data1=0x1da, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21ea5c | out: ppvObject=0x21ea5c*=0x56ede8) returned 0x0 [0184.311] CObjectContext::ContextCallback () returned 0x0 [0184.319] IUnknown:Release (This=0x56ede8) returned 0x1 [0184.320] CoUnmarshalInterface (in: pStm=0x5a87a8, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x21ead8 | out: ppv=0x21ead8*=0x5d70fc) returned 0x0 [0184.320] CoMarshalInterface (pStm=0x5a87a8, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnk=0x5d70fc, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0) returned 0x0 [0184.321] WbemLocator:IUnknown:QueryInterface (in: This=0x5d70fc, riid=0x21ebb4*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x21ebb0 | out: ppvObject=0x21ebb0*=0x5c4668) returned 0x0 [0184.327] WbemLocator:IUnknown:Release (This=0x5d70fc) returned 0x1 [0184.327] IWbemServices:GetObject (in: This=0x5c4668, strObjectPath="win32_processor", lFlags=0, pCtx=0x0, ppObject=0x21ed98*=0x0, ppCallResult=0x0 | out: ppObject=0x21ed98*=0x5eec00, ppCallResult=0x0) returned 0x0 [0184.337] WbemLocator:IUnknown:Release (This=0x5c4668) returned 0x0 [0184.337] IWbemClassObject:Get (in: This=0x5eec00, wszName="__PATH", lFlags=0, pVal=0x21ed80*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee28*=0, plFlavor=0x21ee24*=0 | out: pVal=0x21ed80*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\ROOT\\CIMV2:Win32_Processor", varVal2=0x0), pType=0x21ee28*=8, plFlavor=0x21ee24*=64) returned 0x0 [0184.338] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\ROOT\\CIMV2:Win32_Processor") returned 0x4e [0184.339] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\ROOT\\CIMV2:Win32_Processor") returned 0x4e [0184.339] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x34c [0184.339] SetEvent (hEvent=0x2c4) returned 1 [0184.339] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x21ed3c*=0x34c, lpdwindex=0x21eb60 | out: lpdwindex=0x21eb60) returned 0x0 [0184.342] CoGetContextToken (in: pToken=0x21ec14 | out: pToken=0x21ec14) returned 0x0 [0184.342] CoGetContextToken (in: pToken=0x21eb74 | out: pToken=0x21eb74) returned 0x0 [0184.342] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f648, riid=0x21ec44*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x21ec40 | out: ppvObject=0x21ec40*=0x59f648) returned 0x0 [0184.342] WbemDefPath:IUnknown:AddRef (This=0x59f648) returned 0x3 [0184.342] WbemDefPath:IUnknown:Release (This=0x59f648) returned 0x2 [0184.342] WbemDefPath:IWbemPath:SetText (This=0x59f648, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\ROOT\\CIMV2:Win32_Processor") returned 0x0 [0184.342] IWbemClassObject:Get (in: This=0x5eec00, wszName="__CLASS", lFlags=0, pVal=0x21edf0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee70*=0, plFlavor=0x21ee6c*=0 | out: pVal=0x21edf0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_Processor", varVal2=0x0), pType=0x21ee70*=8, plFlavor=0x21ee6c*=64) returned 0x0 [0184.342] SysStringByteLen (bstr="Win32_Processor") returned 0x1e [0184.342] SysStringByteLen (bstr="Win32_Processor") returned 0x1e [0184.342] CoGetContextToken (in: pToken=0x21ec14 | out: pToken=0x21ec14) returned 0x0 [0184.342] CoGetContextToken (in: pToken=0x21eb74 | out: pToken=0x21eb74) returned 0x0 [0184.342] CoGetContextToken (in: pToken=0x21eb74 | out: pToken=0x21eb74) returned 0x0 [0184.343] CoUnmarshalInterface (in: pStm=0x5a87a8, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x21eb68 | out: ppv=0x21eb68*=0x5d70fc) returned 0x0 [0184.343] CoMarshalInterface (pStm=0x5a87a8, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnk=0x5d70fc, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0) returned 0x0 [0184.343] WbemLocator:IUnknown:QueryInterface (in: This=0x5d70fc, riid=0x21ec44*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x21ec40 | out: ppvObject=0x21ec40*=0x5c4758) returned 0x0 [0184.344] WbemLocator:IUnknown:Release (This=0x5d70fc) returned 0x1 [0184.344] IWbemServices:CreateInstanceEnum (in: This=0x5c4758, strFilter="Win32_Processor", lFlags=17, pCtx=0x0, ppEnum=0x21edec | out: ppEnum=0x21edec*=0x5995d8) returned 0x0 [0184.354] IUnknown:QueryInterface (in: This=0x5995d8, riid=0x6d4f35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21ec78 | out: ppvObject=0x21ec78*=0x5995dc) returned 0x0 [0184.354] IClientSecurity:QueryBlanket (in: This=0x5995dc, pProxy=0x5995d8, pAuthnSvc=0x21ecc8, pAuthzSvc=0x21ecc4, pServerPrincName=0x21ecbc, pAuthnLevel=0x21ecc0, pImpLevel=0x21ecb0, pAuthInfo=0x21ecb4, pCapabilites=0x21ecb8 | out: pAuthnSvc=0x21ecc8*=0xa, pAuthzSvc=0x21ecc4*=0x0, pServerPrincName=0x21ecbc, pAuthnLevel=0x21ecc0*=0x6, pImpLevel=0x21ecb0*=0x2, pAuthInfo=0x21ecb4, pCapabilites=0x21ecb8*=0x1) returned 0x0 [0184.354] IUnknown:Release (This=0x5995dc) returned 0x1 [0184.354] IUnknown:QueryInterface (in: This=0x5995d8, riid=0x6d4f35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21ec6c | out: ppvObject=0x21ec6c*=0x5d71ec) returned 0x0 [0184.354] IUnknown:QueryInterface (in: This=0x5995d8, riid=0x6d4f35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21ec58 | out: ppvObject=0x21ec58*=0x5995dc) returned 0x0 [0184.354] IClientSecurity:SetBlanket (This=0x5995dc, pProxy=0x5995d8, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0184.359] IUnknown:Release (This=0x5995dc) returned 0x2 [0184.359] WbemLocator:IUnknown:Release (This=0x5d71ec) returned 0x1 [0184.359] CoTaskMemFree (pv=0x5cf518) [0184.359] IUnknown:AddRef (This=0x5995d8) returned 0x2 [0184.360] CoGetContextToken (in: pToken=0x21e194 | out: pToken=0x21e194) returned 0x0 [0184.360] CoGetContextToken (in: pToken=0x21e5a4 | out: pToken=0x21e5a4) returned 0x0 [0184.360] IUnknown:QueryInterface (in: This=0x5995d8, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e540 | out: ppvObject=0x21e540*=0x5d71d4) returned 0x0 [0184.360] WbemLocator:IRpcOptions:Query (in: This=0x5d71d4, pPrx=0x5d14f8, dwProperty=2, pdwValue=0x21e634 | out: pdwValue=0x21e634) returned 0x80004002 [0184.360] WbemLocator:IUnknown:Release (This=0x5d71d4) returned 0x2 [0184.361] CoGetContextToken (in: pToken=0x21eb74 | out: pToken=0x21eb74) returned 0x0 [0184.361] CoGetContextToken (in: pToken=0x21ead4 | out: pToken=0x21ead4) returned 0x0 [0184.361] IUnknown:QueryInterface (in: This=0x5995d8, riid=0x21eba4*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x21ea70 | out: ppvObject=0x21ea70*=0x5995d8) returned 0x0 [0184.361] IUnknown:Release (This=0x5995d8) returned 0x2 [0184.361] WbemLocator:IUnknown:Release (This=0x5c4758) returned 0x0 [0184.362] SysStringLen (param_1=0x0) returned 0x0 [0184.362] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f5d8, puCount=0x21ee28 | out: puCount=0x21ee28*=0x2) returned 0x0 [0184.363] WbemDefPath:IWbemPath:GetText (in: This=0x59f5d8, lFlags=4, puBuffLength=0x21ee24*=0x0, pszText=0x0 | out: puBuffLength=0x21ee24*=0xf, pszText=0x0) returned 0x0 [0184.363] WbemDefPath:IWbemPath:GetText (in: This=0x59f5d8, lFlags=4, puBuffLength=0x21ee24*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee24*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0184.363] CoGetContextToken (in: pToken=0x21ec74 | out: pToken=0x21ec74) returned 0x0 [0184.363] IEnumWbemClassObject:Clone (in: This=0x5995d8, ppEnum=0x21ee28 | out: ppEnum=0x21ee28*=0x5996a0) returned 0x0 [0184.448] IUnknown:QueryInterface (in: This=0x5996a0, riid=0x6d4f35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21ece4 | out: ppvObject=0x21ece4*=0x5996a4) returned 0x0 [0184.449] IClientSecurity:QueryBlanket (in: This=0x5996a4, pProxy=0x5996a0, pAuthnSvc=0x21ed34, pAuthzSvc=0x21ed30, pServerPrincName=0x21ed28, pAuthnLevel=0x21ed2c, pImpLevel=0x21ed1c, pAuthInfo=0x21ed20, pCapabilites=0x21ed24 | out: pAuthnSvc=0x21ed34*=0xa, pAuthzSvc=0x21ed30*=0x0, pServerPrincName=0x21ed28, pAuthnLevel=0x21ed2c*=0x6, pImpLevel=0x21ed1c*=0x2, pAuthInfo=0x21ed20, pCapabilites=0x21ed24*=0x1) returned 0x0 [0184.449] IUnknown:Release (This=0x5996a4) returned 0x1 [0184.449] IUnknown:QueryInterface (in: This=0x5996a0, riid=0x6d4f35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21ecd8 | out: ppvObject=0x21ecd8*=0x5d70fc) returned 0x0 [0184.449] IUnknown:QueryInterface (in: This=0x5996a0, riid=0x6d4f35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21ecc4 | out: ppvObject=0x21ecc4*=0x5996a4) returned 0x0 [0184.449] IClientSecurity:SetBlanket (This=0x5996a4, pProxy=0x5996a0, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0184.607] IUnknown:Release (This=0x5996a4) returned 0x2 [0184.607] WbemLocator:IUnknown:Release (This=0x5d70fc) returned 0x1 [0184.607] CoTaskMemFree (pv=0x5cf4e8) [0184.607] IUnknown:AddRef (This=0x5996a0) returned 0x2 [0184.608] CoGetContextToken (in: pToken=0x21e1f4 | out: pToken=0x21e1f4) returned 0x0 [0184.608] CoGetContextToken (in: pToken=0x21e604 | out: pToken=0x21e604) returned 0x0 [0184.608] IUnknown:QueryInterface (in: This=0x5996a0, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e5a0 | out: ppvObject=0x21e5a0*=0x5d70e4) returned 0x0 [0184.608] WbemLocator:IRpcOptions:Query (in: This=0x5d70e4, pPrx=0x5ea248, dwProperty=2, pdwValue=0x21e694 | out: pdwValue=0x21e694) returned 0x80004002 [0184.608] WbemLocator:IUnknown:Release (This=0x5d70e4) returned 0x2 [0184.609] CoGetContextToken (in: pToken=0x21ebd4 | out: pToken=0x21ebd4) returned 0x0 [0184.609] CoGetContextToken (in: pToken=0x21eb34 | out: pToken=0x21eb34) returned 0x0 [0184.609] IUnknown:QueryInterface (in: This=0x5996a0, riid=0x21ec04*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x21ead0 | out: ppvObject=0x21ead0*=0x5996a0) returned 0x0 [0184.609] IUnknown:Release (This=0x5996a0) returned 0x2 [0184.609] SysStringLen (param_1=0x0) returned 0x0 [0184.610] IEnumWbemClassObject:Reset (This=0x5996a0) returned 0x0 [0185.153] CoTaskMemAlloc (cb=0x4) returned 0x5c5e10 [0185.153] IEnumWbemClassObject:Next (in: This=0x5996a0, lTimeout=-1, uCount=0x1, apObjects=0x5c5e10, puReturned=0x23a18e8 | out: apObjects=0x5c5e10*=0x5f1eb0, puReturned=0x23a18e8*=0x1) returned 0x0 [0194.128] IUnknown:QueryInterface (in: This=0x5f1eb0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e47c | out: ppvObject=0x21e47c*=0x5f1eb0) returned 0x0 [0194.128] IUnknown:QueryInterface (in: This=0x5f1eb0, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x21e430 | out: ppvObject=0x21e430*=0x0) returned 0x80004002 [0194.128] IUnknown:QueryInterface (in: This=0x5f1eb0, riid=0x71b71e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x21e258 | out: ppvObject=0x21e258*=0x0) returned 0x80004002 [0194.129] IUnknown:AddRef (This=0x5f1eb0) returned 0x3 [0194.129] IUnknown:QueryInterface (in: This=0x5f1eb0, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x21dd8c | out: ppvObject=0x21dd8c*=0x0) returned 0x80004002 [0194.129] IUnknown:QueryInterface (in: This=0x5f1eb0, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x21dd3c | out: ppvObject=0x21dd3c*=0x0) returned 0x80004002 [0194.129] IUnknown:QueryInterface (in: This=0x5f1eb0, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21dd48 | out: ppvObject=0x21dd48*=0x5f1eb4) returned 0x0 [0194.129] IMarshal:GetUnmarshalClass (in: This=0x5f1eb4, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x21dd50 | out: pCid=0x21dd50*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0194.129] IUnknown:Release (This=0x5f1eb4) returned 0x3 [0194.130] CoGetContextToken (in: pToken=0x21dda8 | out: pToken=0x21dda8) returned 0x0 [0194.130] CoGetContextToken (in: pToken=0x21e1bc | out: pToken=0x21e1bc) returned 0x0 [0194.130] IUnknown:QueryInterface (in: This=0x5f1eb0, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e23c | out: ppvObject=0x21e23c*=0x0) returned 0x80004002 [0194.130] IUnknown:Release (This=0x5f1eb0) returned 0x2 [0194.130] CoGetContextToken (in: pToken=0x21e7ac | out: pToken=0x21e7ac) returned 0x0 [0194.130] CoGetContextToken (in: pToken=0x21e70c | out: pToken=0x21e70c) returned 0x0 [0194.130] IUnknown:QueryInterface (in: This=0x5f1eb0, riid=0x21e7dc*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x21e7d8 | out: ppvObject=0x21e7d8*=0x5f1eb0) returned 0x0 [0194.130] IUnknown:AddRef (This=0x5f1eb0) returned 0x4 [0194.130] IUnknown:Release (This=0x5f1eb0) returned 0x3 [0194.131] IUnknown:Release (This=0x5f1eb0) returned 0x2 [0194.131] CoTaskMemFree (pv=0x5c5e10) [0194.131] CoGetContextToken (in: pToken=0x21eb1c | out: pToken=0x21eb1c) returned 0x0 [0194.131] IUnknown:AddRef (This=0x5f1eb0) returned 0x3 [0194.132] IWbemClassObject:Get (in: This=0x5f1eb0, wszName="__GENUS", lFlags=0, pVal=0x21ee18*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee98*=0, plFlavor=0x21ee94*=0 | out: pVal=0x21ee18*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x21ee98*=3, plFlavor=0x21ee94*=64) returned 0x0 [0194.134] IWbemClassObject:Get (in: This=0x5f1eb0, wszName="__PATH", lFlags=0, pVal=0x21edfc*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee80*=0, plFlavor=0x21ee7c*=0 | out: pVal=0x21edfc*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Processor.DeviceID=\"CPU0\"", varVal2=0x0), pType=0x21ee80*=8, plFlavor=0x21ee7c*=64) returned 0x0 [0194.134] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Processor.DeviceID=\"CPU0\"") returned 0x6e [0194.134] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Processor.DeviceID=\"CPU0\"") returned 0x6e [0194.135] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x354 [0194.135] SetEvent (hEvent=0x2c4) returned 1 [0194.135] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x21edd4*=0x354, lpdwindex=0x21ebf8 | out: lpdwindex=0x21ebf8) returned 0x0 [0194.143] CoGetContextToken (in: pToken=0x21ecac | out: pToken=0x21ecac) returned 0x0 [0194.143] CoGetContextToken (in: pToken=0x21ec0c | out: pToken=0x21ec0c) returned 0x0 [0194.143] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f728, riid=0x21ecdc*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x21ecd8 | out: ppvObject=0x21ecd8*=0x59f728) returned 0x0 [0194.143] WbemDefPath:IUnknown:AddRef (This=0x59f728) returned 0x3 [0194.143] WbemDefPath:IUnknown:Release (This=0x59f728) returned 0x2 [0194.143] WbemDefPath:IWbemPath:SetText (This=0x59f728, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Processor.DeviceID=\"CPU0\"") returned 0x0 [0194.143] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f5d8, puCount=0x21ee54 | out: puCount=0x21ee54*=0x2) returned 0x0 [0194.143] WbemDefPath:IWbemPath:GetText (in: This=0x59f5d8, lFlags=4, puBuffLength=0x21ee50*=0x0, pszText=0x0 | out: puBuffLength=0x21ee50*=0xf, pszText=0x0) returned 0x0 [0194.143] WbemDefPath:IWbemPath:GetText (in: This=0x59f5d8, lFlags=4, puBuffLength=0x21ee50*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee50*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.145] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f5d8, puCount=0x21ee34 | out: puCount=0x21ee34*=0x2) returned 0x0 [0194.145] WbemDefPath:IWbemPath:GetText (in: This=0x59f5d8, lFlags=4, puBuffLength=0x21ee30*=0x0, pszText=0x0 | out: puBuffLength=0x21ee30*=0xf, pszText=0x0) returned 0x0 [0194.145] WbemDefPath:IWbemPath:GetText (in: This=0x59f5d8, lFlags=4, puBuffLength=0x21ee30*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee30*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.160] IWbemClassObject:Get (in: This=0x5f1eb0, wszName="processorID", lFlags=0, pVal=0x21ee30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a21ac*=0, plFlavor=0x23a21b0*=0 | out: pVal=0x21ee30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="0F8BFBFF00050657", varVal2=0x0), pType=0x23a21ac*=8, plFlavor=0x23a21b0*=0) returned 0x0 [0194.160] SysStringByteLen (bstr="0F8BFBFF00050657") returned 0x20 [0194.160] SysStringByteLen (bstr="0F8BFBFF00050657") returned 0x20 [0194.160] IWbemClassObject:Get (in: This=0x5f1eb0, wszName="processorID", lFlags=0, pVal=0x21ee38*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a21ac*=8, plFlavor=0x23a21b0*=0 | out: pVal=0x21ee38*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="0F8BFBFF00050657", varVal2=0x0), pType=0x23a21ac*=8, plFlavor=0x23a21b0*=0) returned 0x0 [0194.161] SysStringByteLen (bstr="0F8BFBFF00050657") returned 0x20 [0194.161] SysStringByteLen (bstr="0F8BFBFF00050657") returned 0x20 [0194.162] CoTaskMemAlloc (cb=0x4) returned 0x5734c0 [0194.162] IEnumWbemClassObject:Next (in: This=0x5996a0, lTimeout=-1, uCount=0x1, apObjects=0x5734c0, puReturned=0x23a18e8 | out: apObjects=0x5734c0*=0x0, puReturned=0x23a18e8*=0x0) returned 0x1 [0194.164] CoTaskMemFree (pv=0x5734c0) [0194.165] CoGetContextToken (in: pToken=0x21ed4c | out: pToken=0x21ed4c) returned 0x0 [0194.165] IUnknown:Release (This=0x5996a0) returned 0x1 [0194.165] IUnknown:Release (This=0x5996a0) returned 0x0 [0194.185] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x358 [0194.185] SetEvent (hEvent=0x2c4) returned 1 [0194.185] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x21edf8*=0x358, lpdwindex=0x21ec1c | out: lpdwindex=0x21ec1c) returned 0x0 [0194.188] CoGetContextToken (in: pToken=0x21eccc | out: pToken=0x21eccc) returned 0x0 [0194.188] CoGetContextToken (in: pToken=0x21ec2c | out: pToken=0x21ec2c) returned 0x0 [0194.188] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f798, riid=0x21ecfc*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x21ecf8 | out: ppvObject=0x21ecf8*=0x59f798) returned 0x0 [0194.188] WbemDefPath:IUnknown:AddRef (This=0x59f798) returned 0x3 [0194.188] WbemDefPath:IUnknown:Release (This=0x59f798) returned 0x2 [0194.188] WbemDefPath:IWbemPath:SetText (This=0x59f798, uMode=0x4, pszPath="Win32_NetworkAdapterConfiguration") returned 0x0 [0194.188] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f798, puCount=0x21ee78 | out: puCount=0x21ee78*=0x0) returned 0x0 [0194.188] WbemDefPath:IWbemPath:GetText (in: This=0x59f798, lFlags=2, puBuffLength=0x21ee74*=0x0, pszText=0x0 | out: puBuffLength=0x21ee74*=0x22, pszText=0x0) returned 0x0 [0194.188] WbemDefPath:IWbemPath:GetText (in: This=0x59f798, lFlags=2, puBuffLength=0x21ee74*=0x22, pszText="000000000000000000000000000000000" | out: puBuffLength=0x21ee74*=0x22, pszText="Win32_NetworkAdapterConfiguration") returned 0x0 [0194.188] WbemDefPath:IWbemPath:GetInfo (in: This=0x59f798, uRequestedInfo=0x0, puResponse=0x21ee80 | out: puResponse=0x21ee80*=0xc15) returned 0x0 [0194.188] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f798, puCount=0x21ee78 | out: puCount=0x21ee78*=0x0) returned 0x0 [0194.188] WbemDefPath:IWbemPath:GetInfo (in: This=0x59f798, uRequestedInfo=0x0, puResponse=0x21ee80 | out: puResponse=0x21ee80*=0xc15) returned 0x0 [0194.188] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f798, puCount=0x21ee68 | out: puCount=0x21ee68*=0x0) returned 0x0 [0194.188] WbemDefPath:IWbemPath:GetText (in: This=0x59f798, lFlags=2, puBuffLength=0x21ee64*=0x0, pszText=0x0 | out: puBuffLength=0x21ee64*=0x22, pszText=0x0) returned 0x0 [0194.188] WbemDefPath:IWbemPath:GetText (in: This=0x59f798, lFlags=2, puBuffLength=0x21ee64*=0x22, pszText="000000000000000000000000000000000" | out: puBuffLength=0x21ee64*=0x22, pszText="Win32_NetworkAdapterConfiguration") returned 0x0 [0194.188] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f798, puCount=0x21ee68 | out: puCount=0x21ee68*=0x0) returned 0x0 [0194.188] WbemDefPath:IWbemPath:GetText (in: This=0x59f798, lFlags=2, puBuffLength=0x21ee64*=0x0, pszText=0x0 | out: puBuffLength=0x21ee64*=0x22, pszText=0x0) returned 0x0 [0194.188] WbemDefPath:IWbemPath:GetText (in: This=0x59f798, lFlags=2, puBuffLength=0x21ee64*=0x22, pszText="000000000000000000000000000000000" | out: puBuffLength=0x21ee64*=0x22, pszText="Win32_NetworkAdapterConfiguration") returned 0x0 [0194.188] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f798, puCount=0x21edf8 | out: puCount=0x21edf8*=0x0) returned 0x0 [0194.188] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f568, puCount=0x21ede4 | out: puCount=0x21ede4*=0x2) returned 0x0 [0194.188] WbemDefPath:IWbemPath:GetText (in: This=0x59f568, lFlags=4, puBuffLength=0x21ede0*=0x0, pszText=0x0 | out: puBuffLength=0x21ede0*=0xf, pszText=0x0) returned 0x0 [0194.188] WbemDefPath:IWbemPath:GetText (in: This=0x59f568, lFlags=4, puBuffLength=0x21ede0*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ede0*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.189] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x35c [0194.189] SetEvent (hEvent=0x2c4) returned 1 [0194.189] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x21ed40*=0x35c, lpdwindex=0x21eb64 | out: lpdwindex=0x21eb64) returned 0x0 [0194.191] CoGetContextToken (in: pToken=0x21ec14 | out: pToken=0x21ec14) returned 0x0 [0194.191] CoGetContextToken (in: pToken=0x21eb74 | out: pToken=0x21eb74) returned 0x0 [0194.191] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f808, riid=0x21ec44*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x21ec40 | out: ppvObject=0x21ec40*=0x59f808) returned 0x0 [0194.192] WbemDefPath:IUnknown:AddRef (This=0x59f808) returned 0x3 [0194.192] WbemDefPath:IUnknown:Release (This=0x59f808) returned 0x2 [0194.192] WbemDefPath:IWbemPath:SetText (This=0x59f808, uMode=0x4, pszPath="\\\\.\\root\\cimv2") returned 0x0 [0194.192] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21edbc | out: puCount=0x21edbc*=0x2) returned 0x0 [0194.192] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21edb8*=0x0, pszText=0x0 | out: puBuffLength=0x21edb8*=0xf, pszText=0x0) returned 0x0 [0194.192] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21edb8*=0xf, pszText="00000000000000" | out: puBuffLength=0x21edb8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.206] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x21ecdc*=0x370, lpdwindex=0x21eb94 | out: lpdwindex=0x21eb94) returned 0x0 [0194.228] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ede0 | out: puCount=0x21ede0*=0x2) returned 0x0 [0194.228] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21eddc*=0x0, pszText=0x0 | out: puBuffLength=0x21eddc*=0xf, pszText=0x0) returned 0x0 [0194.228] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21eddc*=0xf, pszText="00000000000000" | out: puBuffLength=0x21eddc*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.228] WbemDefPath:IWbemPath:GetText (in: This=0x59f798, lFlags=2, puBuffLength=0x21ede4*=0x0, pszText=0x0 | out: puBuffLength=0x21ede4*=0x22, pszText=0x0) returned 0x0 [0194.228] WbemDefPath:IWbemPath:GetText (in: This=0x59f798, lFlags=2, puBuffLength=0x21ede4*=0x22, pszText="000000000000000000000000000000000" | out: puBuffLength=0x21ede4*=0x22, pszText="Win32_NetworkAdapterConfiguration") returned 0x0 [0194.229] CoGetContextToken (in: pToken=0x21eb64 | out: pToken=0x21eb64) returned 0x0 [0194.229] CoGetContextToken (in: pToken=0x21eac4 | out: pToken=0x21eac4) returned 0x0 [0194.229] CoGetContextToken (in: pToken=0x21eac4 | out: pToken=0x21eac4) returned 0x0 [0194.229] CoGetContextToken (in: pToken=0x21ea64 | out: pToken=0x21ea64) returned 0x0 [0194.229] IUnknown:QueryInterface (in: This=0x56edd8, riid=0x71c28ae0*(Data1=0x1da, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21ea3c | out: ppvObject=0x21ea3c*=0x56ede8) returned 0x0 [0194.230] CObjectContext::ContextCallback () returned 0x0 [0194.233] IUnknown:Release (This=0x56ede8) returned 0x1 [0194.234] CoUnmarshalInterface (in: pStm=0x5a8808, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x21eab8 | out: ppv=0x21eab8*=0x5d74bc) returned 0x0 [0194.234] CoMarshalInterface (pStm=0x5a8808, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnk=0x5d74bc, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0) returned 0x0 [0194.234] WbemLocator:IUnknown:QueryInterface (in: This=0x5d74bc, riid=0x21eb94*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x21eb90 | out: ppvObject=0x21eb90*=0x5c4988) returned 0x0 [0194.236] WbemLocator:IUnknown:Release (This=0x5d74bc) returned 0x1 [0194.236] IWbemServices:GetObject (in: This=0x5c4988, strObjectPath="Win32_NetworkAdapterConfiguration", lFlags=0, pCtx=0x0, ppObject=0x21ed98*=0x0, ppCallResult=0x0 | out: ppObject=0x21ed98*=0x60a6d0, ppCallResult=0x0) returned 0x0 [0194.292] WbemLocator:IUnknown:Release (This=0x5c4988) returned 0x0 [0194.292] IWbemClassObject:Get (in: This=0x60a6d0, wszName="__PATH", lFlags=0, pVal=0x21ed80*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee28*=0, plFlavor=0x21ee24*=0 | out: pVal=0x21ed80*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\ROOT\\cimv2:Win32_NetworkAdapterConfiguration", varVal2=0x0), pType=0x21ee28*=8, plFlavor=0x21ee24*=64) returned 0x0 [0194.292] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\ROOT\\cimv2:Win32_NetworkAdapterConfiguration") returned 0x72 [0194.292] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\ROOT\\cimv2:Win32_NetworkAdapterConfiguration") returned 0x72 [0194.292] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x38c [0194.293] SetEvent (hEvent=0x2c4) returned 1 [0194.293] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x21ed3c*=0x38c, lpdwindex=0x21eb60 | out: lpdwindex=0x21eb60) returned 0x0 [0194.296] CoGetContextToken (in: pToken=0x21ec14 | out: pToken=0x21ec14) returned 0x0 [0194.296] CoGetContextToken (in: pToken=0x21eb74 | out: pToken=0x21eb74) returned 0x0 [0194.296] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f878, riid=0x21ec44*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x21ec40 | out: ppvObject=0x21ec40*=0x59f878) returned 0x0 [0194.296] WbemDefPath:IUnknown:AddRef (This=0x59f878) returned 0x3 [0194.296] WbemDefPath:IUnknown:Release (This=0x59f878) returned 0x2 [0194.296] WbemDefPath:IWbemPath:SetText (This=0x59f878, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\ROOT\\cimv2:Win32_NetworkAdapterConfiguration") returned 0x0 [0194.296] IWbemClassObject:Get (in: This=0x60a6d0, wszName="__CLASS", lFlags=0, pVal=0x21edf0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee70*=0, plFlavor=0x21ee6c*=0 | out: pVal=0x21edf0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_NetworkAdapterConfiguration", varVal2=0x0), pType=0x21ee70*=8, plFlavor=0x21ee6c*=64) returned 0x0 [0194.296] SysStringByteLen (bstr="Win32_NetworkAdapterConfiguration") returned 0x42 [0194.296] SysStringByteLen (bstr="Win32_NetworkAdapterConfiguration") returned 0x42 [0194.296] CoGetContextToken (in: pToken=0x21ebec | out: pToken=0x21ebec) returned 0x0 [0194.296] CoGetContextToken (in: pToken=0x21eb4c | out: pToken=0x21eb4c) returned 0x0 [0194.296] CoGetContextToken (in: pToken=0x21eb4c | out: pToken=0x21eb4c) returned 0x0 [0194.296] CoUnmarshalInterface (in: pStm=0x5a8808, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x21eb40 | out: ppv=0x21eb40*=0x5d74bc) returned 0x0 [0194.297] CoMarshalInterface (pStm=0x5a8808, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnk=0x5d74bc, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0) returned 0x0 [0194.297] WbemLocator:IUnknown:QueryInterface (in: This=0x5d74bc, riid=0x21ec1c*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x21ec18 | out: ppvObject=0x21ec18*=0x5ef4c8) returned 0x0 [0194.297] WbemLocator:IUnknown:Release (This=0x5d74bc) returned 0x1 [0194.297] IWbemServices:CreateInstanceEnum (in: This=0x5ef4c8, strFilter="Win32_NetworkAdapterConfiguration", lFlags=17, pCtx=0x0, ppEnum=0x21edec | out: ppEnum=0x21edec*=0x599830) returned 0x0 [0194.317] IUnknown:QueryInterface (in: This=0x599830, riid=0x6d4f35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21ec54 | out: ppvObject=0x21ec54*=0x599834) returned 0x0 [0194.317] IClientSecurity:QueryBlanket (in: This=0x599834, pProxy=0x599830, pAuthnSvc=0x21eca4, pAuthzSvc=0x21eca0, pServerPrincName=0x21ec98, pAuthnLevel=0x21ec9c, pImpLevel=0x21ec8c, pAuthInfo=0x21ec90, pCapabilites=0x21ec94 | out: pAuthnSvc=0x21eca4*=0xa, pAuthzSvc=0x21eca0*=0x0, pServerPrincName=0x21ec98, pAuthnLevel=0x21ec9c*=0x6, pImpLevel=0x21ec8c*=0x2, pAuthInfo=0x21ec90, pCapabilites=0x21ec94*=0x1) returned 0x0 [0194.317] IUnknown:Release (This=0x599834) returned 0x1 [0194.317] IUnknown:QueryInterface (in: This=0x599830, riid=0x6d4f35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21ec48 | out: ppvObject=0x21ec48*=0x5d75ac) returned 0x0 [0194.318] IUnknown:QueryInterface (in: This=0x599830, riid=0x6d4f35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21ec34 | out: ppvObject=0x21ec34*=0x599834) returned 0x0 [0194.318] IClientSecurity:SetBlanket (This=0x599834, pProxy=0x599830, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0194.375] IUnknown:Release (This=0x599834) returned 0x2 [0194.375] WbemLocator:IUnknown:Release (This=0x5d75ac) returned 0x1 [0194.375] CoTaskMemFree (pv=0x5cf5d8) [0194.375] IUnknown:AddRef (This=0x599830) returned 0x2 [0194.376] CoGetContextToken (in: pToken=0x21e170 | out: pToken=0x21e170) returned 0x0 [0194.376] CoGetContextToken (in: pToken=0x21e584 | out: pToken=0x21e584) returned 0x0 [0194.376] IUnknown:QueryInterface (in: This=0x599830, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e51c | out: ppvObject=0x21e51c*=0x5d7594) returned 0x0 [0194.376] WbemLocator:IRpcOptions:Query (in: This=0x5d7594, pPrx=0x5f7ac0, dwProperty=2, pdwValue=0x21e610 | out: pdwValue=0x21e610) returned 0x80004002 [0194.376] WbemLocator:IUnknown:Release (This=0x5d7594) returned 0x2 [0194.376] CoGetContextToken (in: pToken=0x21eb54 | out: pToken=0x21eb54) returned 0x0 [0194.376] CoGetContextToken (in: pToken=0x21eab4 | out: pToken=0x21eab4) returned 0x0 [0194.376] IUnknown:QueryInterface (in: This=0x599830, riid=0x21eb84*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x21ea50 | out: ppvObject=0x21ea50*=0x599830) returned 0x0 [0194.376] IUnknown:Release (This=0x599830) returned 0x2 [0194.376] WbemLocator:IUnknown:Release (This=0x5ef4c8) returned 0x0 [0194.377] SysStringLen (param_1=0x0) returned 0x0 [0194.377] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee28 | out: puCount=0x21ee28*=0x2) returned 0x0 [0194.377] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee24*=0x0, pszText=0x0 | out: puBuffLength=0x21ee24*=0xf, pszText=0x0) returned 0x0 [0194.377] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee24*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee24*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.377] CoGetContextToken (in: pToken=0x21ec74 | out: pToken=0x21ec74) returned 0x0 [0194.377] IEnumWbemClassObject:Clone (in: This=0x599830, ppEnum=0x21ee28 | out: ppEnum=0x21ee28*=0x5999c0) returned 0x0 [0194.379] IUnknown:QueryInterface (in: This=0x5999c0, riid=0x6d4f35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21ece4 | out: ppvObject=0x21ece4*=0x5999c4) returned 0x0 [0194.379] IClientSecurity:QueryBlanket (in: This=0x5999c4, pProxy=0x5999c0, pAuthnSvc=0x21ed34, pAuthzSvc=0x21ed30, pServerPrincName=0x21ed28, pAuthnLevel=0x21ed2c, pImpLevel=0x21ed1c, pAuthInfo=0x21ed20, pCapabilites=0x21ed24 | out: pAuthnSvc=0x21ed34*=0xa, pAuthzSvc=0x21ed30*=0x0, pServerPrincName=0x21ed28, pAuthnLevel=0x21ed2c*=0x6, pImpLevel=0x21ed1c*=0x2, pAuthInfo=0x21ed20, pCapabilites=0x21ed24*=0x1) returned 0x0 [0194.379] IUnknown:Release (This=0x5999c4) returned 0x1 [0194.379] IUnknown:QueryInterface (in: This=0x5999c0, riid=0x6d4f35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21ecd8 | out: ppvObject=0x21ecd8*=0x5d74bc) returned 0x0 [0194.379] IUnknown:QueryInterface (in: This=0x5999c0, riid=0x6d4f35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21ecc4 | out: ppvObject=0x21ecc4*=0x5999c4) returned 0x0 [0194.379] IClientSecurity:SetBlanket (This=0x5999c4, pProxy=0x5999c0, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0194.381] IUnknown:Release (This=0x5999c4) returned 0x2 [0194.381] WbemLocator:IUnknown:Release (This=0x5d74bc) returned 0x1 [0194.381] CoTaskMemFree (pv=0x5cf4e8) [0194.381] IUnknown:AddRef (This=0x5999c0) returned 0x2 [0194.381] CoGetContextToken (in: pToken=0x21e1f4 | out: pToken=0x21e1f4) returned 0x0 [0194.382] CoGetContextToken (in: pToken=0x21e604 | out: pToken=0x21e604) returned 0x0 [0194.382] IUnknown:QueryInterface (in: This=0x5999c0, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e5a0 | out: ppvObject=0x21e5a0*=0x5d74a4) returned 0x0 [0194.382] WbemLocator:IRpcOptions:Query (in: This=0x5d74a4, pPrx=0x5f7af0, dwProperty=2, pdwValue=0x21e694 | out: pdwValue=0x21e694) returned 0x80004002 [0194.382] WbemLocator:IUnknown:Release (This=0x5d74a4) returned 0x2 [0194.382] CoGetContextToken (in: pToken=0x21ebd4 | out: pToken=0x21ebd4) returned 0x0 [0194.382] CoGetContextToken (in: pToken=0x21eb34 | out: pToken=0x21eb34) returned 0x0 [0194.382] IUnknown:QueryInterface (in: This=0x5999c0, riid=0x21ec04*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x21ead0 | out: ppvObject=0x21ead0*=0x5999c0) returned 0x0 [0194.382] IUnknown:Release (This=0x5999c0) returned 0x2 [0194.382] SysStringLen (param_1=0x0) returned 0x0 [0194.382] IEnumWbemClassObject:Reset (This=0x5999c0) returned 0x0 [0194.383] CoTaskMemAlloc (cb=0x4) returned 0x5f6ca0 [0194.383] IEnumWbemClassObject:Next (in: This=0x5999c0, lTimeout=-1, uCount=0x1, apObjects=0x5f6ca0, puReturned=0x23a3dd4 | out: apObjects=0x5f6ca0*=0x5f1c18, puReturned=0x23a3dd4*=0x1) returned 0x0 [0194.495] IUnknown:QueryInterface (in: This=0x5f1c18, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e47c | out: ppvObject=0x21e47c*=0x5f1c18) returned 0x0 [0194.496] IUnknown:QueryInterface (in: This=0x5f1c18, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x21e430 | out: ppvObject=0x21e430*=0x0) returned 0x80004002 [0194.496] IUnknown:QueryInterface (in: This=0x5f1c18, riid=0x71b71e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x21e258 | out: ppvObject=0x21e258*=0x0) returned 0x80004002 [0194.496] IUnknown:AddRef (This=0x5f1c18) returned 0x3 [0194.496] IUnknown:QueryInterface (in: This=0x5f1c18, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x21dd8c | out: ppvObject=0x21dd8c*=0x0) returned 0x80004002 [0194.496] IUnknown:QueryInterface (in: This=0x5f1c18, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x21dd3c | out: ppvObject=0x21dd3c*=0x0) returned 0x80004002 [0194.496] IUnknown:QueryInterface (in: This=0x5f1c18, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21dd48 | out: ppvObject=0x21dd48*=0x5f1c1c) returned 0x0 [0194.496] IMarshal:GetUnmarshalClass (in: This=0x5f1c1c, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x21dd50 | out: pCid=0x21dd50*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0194.496] IUnknown:Release (This=0x5f1c1c) returned 0x3 [0194.496] CoGetContextToken (in: pToken=0x21dda8 | out: pToken=0x21dda8) returned 0x0 [0194.496] CoGetContextToken (in: pToken=0x21e1bc | out: pToken=0x21e1bc) returned 0x0 [0194.496] IUnknown:QueryInterface (in: This=0x5f1c18, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e23c | out: ppvObject=0x21e23c*=0x0) returned 0x80004002 [0194.496] IUnknown:Release (This=0x5f1c18) returned 0x2 [0194.496] CoGetContextToken (in: pToken=0x21e7ac | out: pToken=0x21e7ac) returned 0x0 [0194.497] CoGetContextToken (in: pToken=0x21e70c | out: pToken=0x21e70c) returned 0x0 [0194.497] IUnknown:QueryInterface (in: This=0x5f1c18, riid=0x21e7dc*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x21e7d8 | out: ppvObject=0x21e7d8*=0x5f1c18) returned 0x0 [0194.497] IUnknown:AddRef (This=0x5f1c18) returned 0x4 [0194.497] IUnknown:Release (This=0x5f1c18) returned 0x3 [0194.497] IUnknown:Release (This=0x5f1c18) returned 0x2 [0194.497] CoTaskMemFree (pv=0x5f6ca0) [0194.497] CoGetContextToken (in: pToken=0x21eb1c | out: pToken=0x21eb1c) returned 0x0 [0194.497] IUnknown:AddRef (This=0x5f1c18) returned 0x3 [0194.497] IWbemClassObject:Get (in: This=0x5f1c18, wszName="__GENUS", lFlags=0, pVal=0x21ee18*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee98*=0, plFlavor=0x21ee94*=0 | out: pVal=0x21ee18*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x21ee98*=3, plFlavor=0x21ee94*=64) returned 0x0 [0194.497] IWbemClassObject:Get (in: This=0x5f1c18, wszName="__PATH", lFlags=0, pVal=0x21edfc*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee80*=0, plFlavor=0x21ee7c*=0 | out: pVal=0x21edfc*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=0", varVal2=0x0), pType=0x21ee80*=8, plFlavor=0x21ee7c*=64) returned 0x0 [0194.498] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=0") returned 0x82 [0194.498] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=0") returned 0x82 [0194.498] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x390 [0194.498] SetEvent (hEvent=0x2c4) returned 1 [0194.498] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x21edd4*=0x390, lpdwindex=0x21ebf8 | out: lpdwindex=0x21ebf8) returned 0x0 [0194.502] CoGetContextToken (in: pToken=0x21ecac | out: pToken=0x21ecac) returned 0x0 [0194.502] CoGetContextToken (in: pToken=0x21ec0c | out: pToken=0x21ec0c) returned 0x0 [0194.502] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f8e8, riid=0x21ecdc*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x21ecd8 | out: ppvObject=0x21ecd8*=0x59f8e8) returned 0x0 [0194.502] WbemDefPath:IUnknown:AddRef (This=0x59f8e8) returned 0x3 [0194.502] WbemDefPath:IUnknown:Release (This=0x59f8e8) returned 0x2 [0194.502] WbemDefPath:IWbemPath:SetText (This=0x59f8e8, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=0") returned 0x0 [0194.502] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee54 | out: puCount=0x21ee54*=0x2) returned 0x0 [0194.502] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0x0, pszText=0x0 | out: puBuffLength=0x21ee50*=0xf, pszText=0x0) returned 0x0 [0194.502] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee50*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.507] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee20 | out: puCount=0x21ee20*=0x2) returned 0x0 [0194.507] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0x0, pszText=0x0 | out: puBuffLength=0x21ee1c*=0xf, pszText=0x0) returned 0x0 [0194.507] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee1c*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.507] IWbemClassObject:Get (in: This=0x5f1c18, wszName="IPEnabled", lFlags=0, pVal=0x21ee1c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a4680*=0, plFlavor=0x23a4684*=0 | out: pVal=0x21ee1c*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a4680*=11, plFlavor=0x23a4684*=0) returned 0x0 [0194.507] IWbemClassObject:Get (in: This=0x5f1c18, wszName="IPEnabled", lFlags=0, pVal=0x21ee24*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a4680*=11, plFlavor=0x23a4684*=0 | out: pVal=0x21ee24*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a4680*=11, plFlavor=0x23a4684*=0) returned 0x0 [0194.512] IUnknown:Release (This=0x5f1c18) returned 0x2 [0194.514] CoTaskMemAlloc (cb=0x4) returned 0x5f6cf0 [0194.514] IEnumWbemClassObject:Next (in: This=0x5999c0, lTimeout=-1, uCount=0x1, apObjects=0x5f6cf0, puReturned=0x23a3dd4 | out: apObjects=0x5f6cf0*=0x5f2388, puReturned=0x23a3dd4*=0x1) returned 0x0 [0194.520] IUnknown:QueryInterface (in: This=0x5f2388, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e47c | out: ppvObject=0x21e47c*=0x5f2388) returned 0x0 [0194.520] IUnknown:QueryInterface (in: This=0x5f2388, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x21e430 | out: ppvObject=0x21e430*=0x0) returned 0x80004002 [0194.521] IUnknown:QueryInterface (in: This=0x5f2388, riid=0x71b71e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x21e258 | out: ppvObject=0x21e258*=0x0) returned 0x80004002 [0194.521] IUnknown:AddRef (This=0x5f2388) returned 0x3 [0194.521] IUnknown:QueryInterface (in: This=0x5f2388, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x21dd8c | out: ppvObject=0x21dd8c*=0x0) returned 0x80004002 [0194.521] IUnknown:QueryInterface (in: This=0x5f2388, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x21dd3c | out: ppvObject=0x21dd3c*=0x0) returned 0x80004002 [0194.521] IUnknown:QueryInterface (in: This=0x5f2388, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21dd48 | out: ppvObject=0x21dd48*=0x5f238c) returned 0x0 [0194.521] IMarshal:GetUnmarshalClass (in: This=0x5f238c, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x21dd50 | out: pCid=0x21dd50*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0194.521] IUnknown:Release (This=0x5f238c) returned 0x3 [0194.521] CoGetContextToken (in: pToken=0x21dda8 | out: pToken=0x21dda8) returned 0x0 [0194.521] CoGetContextToken (in: pToken=0x21e1bc | out: pToken=0x21e1bc) returned 0x0 [0194.521] IUnknown:QueryInterface (in: This=0x5f2388, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e23c | out: ppvObject=0x21e23c*=0x0) returned 0x80004002 [0194.521] IUnknown:Release (This=0x5f2388) returned 0x2 [0194.521] CoGetContextToken (in: pToken=0x21e7ac | out: pToken=0x21e7ac) returned 0x0 [0194.521] CoGetContextToken (in: pToken=0x21e70c | out: pToken=0x21e70c) returned 0x0 [0194.521] IUnknown:QueryInterface (in: This=0x5f2388, riid=0x21e7dc*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x21e7d8 | out: ppvObject=0x21e7d8*=0x5f2388) returned 0x0 [0194.522] IUnknown:AddRef (This=0x5f2388) returned 0x4 [0194.522] IUnknown:Release (This=0x5f2388) returned 0x3 [0194.522] IUnknown:Release (This=0x5f2388) returned 0x2 [0194.522] CoTaskMemFree (pv=0x5f6cf0) [0194.522] CoGetContextToken (in: pToken=0x21eb1c | out: pToken=0x21eb1c) returned 0x0 [0194.522] IUnknown:AddRef (This=0x5f2388) returned 0x3 [0194.522] IWbemClassObject:Get (in: This=0x5f2388, wszName="__GENUS", lFlags=0, pVal=0x21ee18*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee98*=0, plFlavor=0x21ee94*=0 | out: pVal=0x21ee18*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x21ee98*=3, plFlavor=0x21ee94*=64) returned 0x0 [0194.522] IWbemClassObject:Get (in: This=0x5f2388, wszName="__PATH", lFlags=0, pVal=0x21edfc*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee80*=0, plFlavor=0x21ee7c*=0 | out: pVal=0x21edfc*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=1", varVal2=0x0), pType=0x21ee80*=8, plFlavor=0x21ee7c*=64) returned 0x0 [0194.522] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=1") returned 0x82 [0194.522] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=1") returned 0x82 [0194.523] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x394 [0194.523] SetEvent (hEvent=0x2c4) returned 1 [0194.523] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x21edd4*=0x394, lpdwindex=0x21ebf8 | out: lpdwindex=0x21ebf8) returned 0x0 [0194.529] CoGetContextToken (in: pToken=0x21ecac | out: pToken=0x21ecac) returned 0x0 [0194.529] CoGetContextToken (in: pToken=0x21ec0c | out: pToken=0x21ec0c) returned 0x0 [0194.529] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f958, riid=0x21ecdc*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x21ecd8 | out: ppvObject=0x21ecd8*=0x59f958) returned 0x0 [0194.529] WbemDefPath:IUnknown:AddRef (This=0x59f958) returned 0x3 [0194.529] WbemDefPath:IUnknown:Release (This=0x59f958) returned 0x2 [0194.529] WbemDefPath:IWbemPath:SetText (This=0x59f958, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=1") returned 0x0 [0194.529] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee54 | out: puCount=0x21ee54*=0x2) returned 0x0 [0194.529] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0x0, pszText=0x0 | out: puBuffLength=0x21ee50*=0xf, pszText=0x0) returned 0x0 [0194.529] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee50*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.529] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee20 | out: puCount=0x21ee20*=0x2) returned 0x0 [0194.529] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0x0, pszText=0x0 | out: puBuffLength=0x21ee1c*=0xf, pszText=0x0) returned 0x0 [0194.529] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee1c*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.529] IWbemClassObject:Get (in: This=0x5f2388, wszName="IPEnabled", lFlags=0, pVal=0x21ee1c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a5144*=0, plFlavor=0x23a5148*=0 | out: pVal=0x21ee1c*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a5144*=11, plFlavor=0x23a5148*=0) returned 0x0 [0194.530] IWbemClassObject:Get (in: This=0x5f2388, wszName="IPEnabled", lFlags=0, pVal=0x21ee24*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a5144*=11, plFlavor=0x23a5148*=0 | out: pVal=0x21ee24*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a5144*=11, plFlavor=0x23a5148*=0) returned 0x0 [0194.530] IUnknown:Release (This=0x5f2388) returned 0x2 [0194.530] CoTaskMemAlloc (cb=0x4) returned 0x5f6d40 [0194.530] IEnumWbemClassObject:Next (in: This=0x5999c0, lTimeout=-1, uCount=0x1, apObjects=0x5f6d40, puReturned=0x23a3dd4 | out: apObjects=0x5f6d40*=0x60cb18, puReturned=0x23a3dd4*=0x1) returned 0x0 [0194.532] IUnknown:QueryInterface (in: This=0x60cb18, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e47c | out: ppvObject=0x21e47c*=0x60cb18) returned 0x0 [0194.532] IUnknown:QueryInterface (in: This=0x60cb18, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x21e430 | out: ppvObject=0x21e430*=0x0) returned 0x80004002 [0194.532] IUnknown:QueryInterface (in: This=0x60cb18, riid=0x71b71e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x21e258 | out: ppvObject=0x21e258*=0x0) returned 0x80004002 [0194.532] IUnknown:AddRef (This=0x60cb18) returned 0x3 [0194.532] IUnknown:QueryInterface (in: This=0x60cb18, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x21dd8c | out: ppvObject=0x21dd8c*=0x0) returned 0x80004002 [0194.532] IUnknown:QueryInterface (in: This=0x60cb18, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x21dd3c | out: ppvObject=0x21dd3c*=0x0) returned 0x80004002 [0194.532] IUnknown:QueryInterface (in: This=0x60cb18, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21dd48 | out: ppvObject=0x21dd48*=0x60cb1c) returned 0x0 [0194.532] IMarshal:GetUnmarshalClass (in: This=0x60cb1c, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x21dd50 | out: pCid=0x21dd50*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0194.532] IUnknown:Release (This=0x60cb1c) returned 0x3 [0194.532] CoGetContextToken (in: pToken=0x21dda8 | out: pToken=0x21dda8) returned 0x0 [0194.532] CoGetContextToken (in: pToken=0x21e1bc | out: pToken=0x21e1bc) returned 0x0 [0194.532] IUnknown:QueryInterface (in: This=0x60cb18, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e23c | out: ppvObject=0x21e23c*=0x0) returned 0x80004002 [0194.532] IUnknown:Release (This=0x60cb18) returned 0x2 [0194.532] CoGetContextToken (in: pToken=0x21e7ac | out: pToken=0x21e7ac) returned 0x0 [0194.532] CoGetContextToken (in: pToken=0x21e70c | out: pToken=0x21e70c) returned 0x0 [0194.533] IUnknown:QueryInterface (in: This=0x60cb18, riid=0x21e7dc*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x21e7d8 | out: ppvObject=0x21e7d8*=0x60cb18) returned 0x0 [0194.533] IUnknown:AddRef (This=0x60cb18) returned 0x4 [0194.533] IUnknown:Release (This=0x60cb18) returned 0x3 [0194.533] IUnknown:Release (This=0x60cb18) returned 0x2 [0194.533] CoTaskMemFree (pv=0x5f6d40) [0194.533] CoGetContextToken (in: pToken=0x21eb1c | out: pToken=0x21eb1c) returned 0x0 [0194.533] IUnknown:AddRef (This=0x60cb18) returned 0x3 [0194.533] IWbemClassObject:Get (in: This=0x60cb18, wszName="__GENUS", lFlags=0, pVal=0x21ee18*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee98*=0, plFlavor=0x21ee94*=0 | out: pVal=0x21ee18*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x21ee98*=3, plFlavor=0x21ee94*=64) returned 0x0 [0194.533] IWbemClassObject:Get (in: This=0x60cb18, wszName="__PATH", lFlags=0, pVal=0x21edfc*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee80*=0, plFlavor=0x21ee7c*=0 | out: pVal=0x21edfc*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=2", varVal2=0x0), pType=0x21ee80*=8, plFlavor=0x21ee7c*=64) returned 0x0 [0194.533] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=2") returned 0x82 [0194.533] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=2") returned 0x82 [0194.534] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x398 [0194.534] SetEvent (hEvent=0x2c4) returned 1 [0194.534] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x21edd4*=0x398, lpdwindex=0x21ebf8 | out: lpdwindex=0x21ebf8) returned 0x0 [0194.537] CoGetContextToken (in: pToken=0x21ecac | out: pToken=0x21ecac) returned 0x0 [0194.537] CoGetContextToken (in: pToken=0x21ec0c | out: pToken=0x21ec0c) returned 0x0 [0194.537] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f9c8, riid=0x21ecdc*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x21ecd8 | out: ppvObject=0x21ecd8*=0x59f9c8) returned 0x0 [0194.537] WbemDefPath:IUnknown:AddRef (This=0x59f9c8) returned 0x3 [0194.537] WbemDefPath:IUnknown:Release (This=0x59f9c8) returned 0x2 [0194.537] WbemDefPath:IWbemPath:SetText (This=0x59f9c8, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=2") returned 0x0 [0194.537] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee54 | out: puCount=0x21ee54*=0x2) returned 0x0 [0194.537] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0x0, pszText=0x0 | out: puBuffLength=0x21ee50*=0xf, pszText=0x0) returned 0x0 [0194.537] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee50*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.537] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee20 | out: puCount=0x21ee20*=0x2) returned 0x0 [0194.537] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0x0, pszText=0x0 | out: puBuffLength=0x21ee1c*=0xf, pszText=0x0) returned 0x0 [0194.537] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee1c*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.537] IWbemClassObject:Get (in: This=0x60cb18, wszName="IPEnabled", lFlags=0, pVal=0x21ee1c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a59c0*=0, plFlavor=0x23a59c4*=0 | out: pVal=0x21ee1c*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a59c0*=11, plFlavor=0x23a59c4*=0) returned 0x0 [0194.538] IWbemClassObject:Get (in: This=0x60cb18, wszName="IPEnabled", lFlags=0, pVal=0x21ee24*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a59c0*=11, plFlavor=0x23a59c4*=0 | out: pVal=0x21ee24*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a59c0*=11, plFlavor=0x23a59c4*=0) returned 0x0 [0194.538] IUnknown:Release (This=0x60cb18) returned 0x2 [0194.538] CoTaskMemAlloc (cb=0x4) returned 0x5f6d90 [0194.538] IEnumWbemClassObject:Next (in: This=0x5999c0, lTimeout=-1, uCount=0x1, apObjects=0x5f6d90, puReturned=0x23a3dd4 | out: apObjects=0x5f6d90*=0x60ce50, puReturned=0x23a3dd4*=0x1) returned 0x0 [0194.539] IUnknown:QueryInterface (in: This=0x60ce50, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e47c | out: ppvObject=0x21e47c*=0x60ce50) returned 0x0 [0194.539] IUnknown:QueryInterface (in: This=0x60ce50, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x21e430 | out: ppvObject=0x21e430*=0x0) returned 0x80004002 [0194.539] IUnknown:QueryInterface (in: This=0x60ce50, riid=0x71b71e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x21e258 | out: ppvObject=0x21e258*=0x0) returned 0x80004002 [0194.540] IUnknown:AddRef (This=0x60ce50) returned 0x3 [0194.540] IUnknown:QueryInterface (in: This=0x60ce50, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x21dd8c | out: ppvObject=0x21dd8c*=0x0) returned 0x80004002 [0194.540] IUnknown:QueryInterface (in: This=0x60ce50, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x21dd3c | out: ppvObject=0x21dd3c*=0x0) returned 0x80004002 [0194.540] IUnknown:QueryInterface (in: This=0x60ce50, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21dd48 | out: ppvObject=0x21dd48*=0x60ce54) returned 0x0 [0194.540] IMarshal:GetUnmarshalClass (in: This=0x60ce54, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x21dd50 | out: pCid=0x21dd50*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0194.540] IUnknown:Release (This=0x60ce54) returned 0x3 [0194.540] CoGetContextToken (in: pToken=0x21dda8 | out: pToken=0x21dda8) returned 0x0 [0194.540] CoGetContextToken (in: pToken=0x21e1bc | out: pToken=0x21e1bc) returned 0x0 [0194.540] IUnknown:QueryInterface (in: This=0x60ce50, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e23c | out: ppvObject=0x21e23c*=0x0) returned 0x80004002 [0194.540] IUnknown:Release (This=0x60ce50) returned 0x2 [0194.540] CoGetContextToken (in: pToken=0x21e7ac | out: pToken=0x21e7ac) returned 0x0 [0194.540] CoGetContextToken (in: pToken=0x21e70c | out: pToken=0x21e70c) returned 0x0 [0194.540] IUnknown:QueryInterface (in: This=0x60ce50, riid=0x21e7dc*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x21e7d8 | out: ppvObject=0x21e7d8*=0x60ce50) returned 0x0 [0194.540] IUnknown:AddRef (This=0x60ce50) returned 0x4 [0194.540] IUnknown:Release (This=0x60ce50) returned 0x3 [0194.540] IUnknown:Release (This=0x60ce50) returned 0x2 [0194.540] CoTaskMemFree (pv=0x5f6d90) [0194.540] CoGetContextToken (in: pToken=0x21eb1c | out: pToken=0x21eb1c) returned 0x0 [0194.540] IUnknown:AddRef (This=0x60ce50) returned 0x3 [0194.541] IWbemClassObject:Get (in: This=0x60ce50, wszName="__GENUS", lFlags=0, pVal=0x21ee18*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee98*=0, plFlavor=0x21ee94*=0 | out: pVal=0x21ee18*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x21ee98*=3, plFlavor=0x21ee94*=64) returned 0x0 [0194.541] IWbemClassObject:Get (in: This=0x60ce50, wszName="__PATH", lFlags=0, pVal=0x21edfc*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee80*=0, plFlavor=0x21ee7c*=0 | out: pVal=0x21edfc*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=3", varVal2=0x0), pType=0x21ee80*=8, plFlavor=0x21ee7c*=64) returned 0x0 [0194.541] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=3") returned 0x82 [0194.541] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=3") returned 0x82 [0194.541] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x39c [0194.541] SetEvent (hEvent=0x2c4) returned 1 [0194.542] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x21edd4*=0x39c, lpdwindex=0x21ebf8 | out: lpdwindex=0x21ebf8) returned 0x0 [0194.544] CoGetContextToken (in: pToken=0x21ecac | out: pToken=0x21ecac) returned 0x0 [0194.544] CoGetContextToken (in: pToken=0x21ec0c | out: pToken=0x21ec0c) returned 0x0 [0194.544] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d1a0, riid=0x21ecdc*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x21ecd8 | out: ppvObject=0x21ecd8*=0x60d1a0) returned 0x0 [0194.545] WbemDefPath:IUnknown:AddRef (This=0x60d1a0) returned 0x3 [0194.545] WbemDefPath:IUnknown:Release (This=0x60d1a0) returned 0x2 [0194.545] WbemDefPath:IWbemPath:SetText (This=0x60d1a0, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=3") returned 0x0 [0194.545] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee54 | out: puCount=0x21ee54*=0x2) returned 0x0 [0194.545] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0x0, pszText=0x0 | out: puBuffLength=0x21ee50*=0xf, pszText=0x0) returned 0x0 [0194.545] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee50*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.545] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee20 | out: puCount=0x21ee20*=0x2) returned 0x0 [0194.545] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0x0, pszText=0x0 | out: puBuffLength=0x21ee1c*=0xf, pszText=0x0) returned 0x0 [0194.545] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee1c*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.545] IWbemClassObject:Get (in: This=0x60ce50, wszName="IPEnabled", lFlags=0, pVal=0x21ee1c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a6248*=0, plFlavor=0x23a624c*=0 | out: pVal=0x21ee1c*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a6248*=11, plFlavor=0x23a624c*=0) returned 0x0 [0194.545] IWbemClassObject:Get (in: This=0x60ce50, wszName="IPEnabled", lFlags=0, pVal=0x21ee24*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a6248*=11, plFlavor=0x23a624c*=0 | out: pVal=0x21ee24*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a6248*=11, plFlavor=0x23a624c*=0) returned 0x0 [0194.546] IUnknown:Release (This=0x60ce50) returned 0x2 [0194.546] CoTaskMemAlloc (cb=0x4) returned 0x5f6de0 [0194.546] IEnumWbemClassObject:Next (in: This=0x5999c0, lTimeout=-1, uCount=0x1, apObjects=0x5f6de0, puReturned=0x23a3dd4 | out: apObjects=0x5f6de0*=0x60e188, puReturned=0x23a3dd4*=0x1) returned 0x0 [0194.547] IUnknown:QueryInterface (in: This=0x60e188, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e47c | out: ppvObject=0x21e47c*=0x60e188) returned 0x0 [0194.547] IUnknown:QueryInterface (in: This=0x60e188, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x21e430 | out: ppvObject=0x21e430*=0x0) returned 0x80004002 [0194.547] IUnknown:QueryInterface (in: This=0x60e188, riid=0x71b71e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x21e258 | out: ppvObject=0x21e258*=0x0) returned 0x80004002 [0194.547] IUnknown:AddRef (This=0x60e188) returned 0x3 [0194.547] IUnknown:QueryInterface (in: This=0x60e188, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x21dd8c | out: ppvObject=0x21dd8c*=0x0) returned 0x80004002 [0194.547] IUnknown:QueryInterface (in: This=0x60e188, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x21dd3c | out: ppvObject=0x21dd3c*=0x0) returned 0x80004002 [0194.548] IUnknown:QueryInterface (in: This=0x60e188, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21dd48 | out: ppvObject=0x21dd48*=0x60e18c) returned 0x0 [0194.548] IMarshal:GetUnmarshalClass (in: This=0x60e18c, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x21dd50 | out: pCid=0x21dd50*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0194.548] IUnknown:Release (This=0x60e18c) returned 0x3 [0194.548] CoGetContextToken (in: pToken=0x21dda8 | out: pToken=0x21dda8) returned 0x0 [0194.548] CoGetContextToken (in: pToken=0x21e1bc | out: pToken=0x21e1bc) returned 0x0 [0194.548] IUnknown:QueryInterface (in: This=0x60e188, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e23c | out: ppvObject=0x21e23c*=0x0) returned 0x80004002 [0194.548] IUnknown:Release (This=0x60e188) returned 0x2 [0194.548] CoGetContextToken (in: pToken=0x21e7ac | out: pToken=0x21e7ac) returned 0x0 [0194.548] CoGetContextToken (in: pToken=0x21e70c | out: pToken=0x21e70c) returned 0x0 [0194.548] IUnknown:QueryInterface (in: This=0x60e188, riid=0x21e7dc*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x21e7d8 | out: ppvObject=0x21e7d8*=0x60e188) returned 0x0 [0194.548] IUnknown:AddRef (This=0x60e188) returned 0x4 [0194.548] IUnknown:Release (This=0x60e188) returned 0x3 [0194.548] IUnknown:Release (This=0x60e188) returned 0x2 [0194.548] CoTaskMemFree (pv=0x5f6de0) [0194.548] CoGetContextToken (in: pToken=0x21eb1c | out: pToken=0x21eb1c) returned 0x0 [0194.548] IUnknown:AddRef (This=0x60e188) returned 0x3 [0194.548] IWbemClassObject:Get (in: This=0x60e188, wszName="__GENUS", lFlags=0, pVal=0x21ee18*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee98*=0, plFlavor=0x21ee94*=0 | out: pVal=0x21ee18*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x21ee98*=3, plFlavor=0x21ee94*=64) returned 0x0 [0194.549] IWbemClassObject:Get (in: This=0x60e188, wszName="__PATH", lFlags=0, pVal=0x21edfc*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee80*=0, plFlavor=0x21ee7c*=0 | out: pVal=0x21edfc*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=4", varVal2=0x0), pType=0x21ee80*=8, plFlavor=0x21ee7c*=64) returned 0x0 [0194.549] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=4") returned 0x82 [0194.549] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=4") returned 0x82 [0194.549] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3a0 [0194.549] SetEvent (hEvent=0x2c4) returned 1 [0194.549] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x21edd4*=0x3a0, lpdwindex=0x21ebf8 | out: lpdwindex=0x21ebf8) returned 0x0 [0194.552] CoGetContextToken (in: pToken=0x21ecac | out: pToken=0x21ecac) returned 0x0 [0194.552] CoGetContextToken (in: pToken=0x21ec0c | out: pToken=0x21ec0c) returned 0x0 [0194.552] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d210, riid=0x21ecdc*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x21ecd8 | out: ppvObject=0x21ecd8*=0x60d210) returned 0x0 [0194.552] WbemDefPath:IUnknown:AddRef (This=0x60d210) returned 0x3 [0194.552] WbemDefPath:IUnknown:Release (This=0x60d210) returned 0x2 [0194.552] WbemDefPath:IWbemPath:SetText (This=0x60d210, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=4") returned 0x0 [0194.553] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee54 | out: puCount=0x21ee54*=0x2) returned 0x0 [0194.553] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0x0, pszText=0x0 | out: puBuffLength=0x21ee50*=0xf, pszText=0x0) returned 0x0 [0194.553] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee50*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.553] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee20 | out: puCount=0x21ee20*=0x2) returned 0x0 [0194.553] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0x0, pszText=0x0 | out: puBuffLength=0x21ee1c*=0xf, pszText=0x0) returned 0x0 [0194.553] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee1c*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.553] IWbemClassObject:Get (in: This=0x60e188, wszName="IPEnabled", lFlags=0, pVal=0x21ee1c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a6ac4*=0, plFlavor=0x23a6ac8*=0 | out: pVal=0x21ee1c*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a6ac4*=11, plFlavor=0x23a6ac8*=0) returned 0x0 [0194.553] IWbemClassObject:Get (in: This=0x60e188, wszName="IPEnabled", lFlags=0, pVal=0x21ee24*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a6ac4*=11, plFlavor=0x23a6ac8*=0 | out: pVal=0x21ee24*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a6ac4*=11, plFlavor=0x23a6ac8*=0) returned 0x0 [0194.553] IUnknown:Release (This=0x60e188) returned 0x2 [0194.553] CoTaskMemAlloc (cb=0x4) returned 0x5f6e30 [0194.553] IEnumWbemClassObject:Next (in: This=0x5999c0, lTimeout=-1, uCount=0x1, apObjects=0x5f6e30, puReturned=0x23a3dd4 | out: apObjects=0x5f6e30*=0x60ecc0, puReturned=0x23a3dd4*=0x1) returned 0x0 [0194.555] IUnknown:QueryInterface (in: This=0x60ecc0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e47c | out: ppvObject=0x21e47c*=0x60ecc0) returned 0x0 [0194.555] IUnknown:QueryInterface (in: This=0x60ecc0, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x21e430 | out: ppvObject=0x21e430*=0x0) returned 0x80004002 [0194.555] IUnknown:QueryInterface (in: This=0x60ecc0, riid=0x71b71e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x21e258 | out: ppvObject=0x21e258*=0x0) returned 0x80004002 [0194.555] IUnknown:AddRef (This=0x60ecc0) returned 0x3 [0194.555] IUnknown:QueryInterface (in: This=0x60ecc0, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x21dd8c | out: ppvObject=0x21dd8c*=0x0) returned 0x80004002 [0194.555] IUnknown:QueryInterface (in: This=0x60ecc0, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x21dd3c | out: ppvObject=0x21dd3c*=0x0) returned 0x80004002 [0194.555] IUnknown:QueryInterface (in: This=0x60ecc0, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21dd48 | out: ppvObject=0x21dd48*=0x60ecc4) returned 0x0 [0194.555] IMarshal:GetUnmarshalClass (in: This=0x60ecc4, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x21dd50 | out: pCid=0x21dd50*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0194.555] IUnknown:Release (This=0x60ecc4) returned 0x3 [0194.555] CoGetContextToken (in: pToken=0x21dda8 | out: pToken=0x21dda8) returned 0x0 [0194.555] CoGetContextToken (in: pToken=0x21e1bc | out: pToken=0x21e1bc) returned 0x0 [0194.555] IUnknown:QueryInterface (in: This=0x60ecc0, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e23c | out: ppvObject=0x21e23c*=0x0) returned 0x80004002 [0194.556] IUnknown:Release (This=0x60ecc0) returned 0x2 [0194.556] CoGetContextToken (in: pToken=0x21e7ac | out: pToken=0x21e7ac) returned 0x0 [0194.556] CoGetContextToken (in: pToken=0x21e70c | out: pToken=0x21e70c) returned 0x0 [0194.556] IUnknown:QueryInterface (in: This=0x60ecc0, riid=0x21e7dc*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x21e7d8 | out: ppvObject=0x21e7d8*=0x60ecc0) returned 0x0 [0194.556] IUnknown:AddRef (This=0x60ecc0) returned 0x4 [0194.556] IUnknown:Release (This=0x60ecc0) returned 0x3 [0194.556] IUnknown:Release (This=0x60ecc0) returned 0x2 [0194.556] CoTaskMemFree (pv=0x5f6e30) [0194.556] CoGetContextToken (in: pToken=0x21eb1c | out: pToken=0x21eb1c) returned 0x0 [0194.556] IUnknown:AddRef (This=0x60ecc0) returned 0x3 [0194.556] IWbemClassObject:Get (in: This=0x60ecc0, wszName="__GENUS", lFlags=0, pVal=0x21ee18*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee98*=0, plFlavor=0x21ee94*=0 | out: pVal=0x21ee18*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x21ee98*=3, plFlavor=0x21ee94*=64) returned 0x0 [0194.556] IWbemClassObject:Get (in: This=0x60ecc0, wszName="__PATH", lFlags=0, pVal=0x21edfc*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee80*=0, plFlavor=0x21ee7c*=0 | out: pVal=0x21edfc*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=5", varVal2=0x0), pType=0x21ee80*=8, plFlavor=0x21ee7c*=64) returned 0x0 [0194.557] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=5") returned 0x82 [0194.557] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=5") returned 0x82 [0194.558] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3a4 [0194.558] SetEvent (hEvent=0x2c4) returned 1 [0194.558] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x21edd4*=0x3a4, lpdwindex=0x21ebf8 | out: lpdwindex=0x21ebf8) returned 0x0 [0194.561] CoGetContextToken (in: pToken=0x21ecac | out: pToken=0x21ecac) returned 0x0 [0194.561] CoGetContextToken (in: pToken=0x21ec0c | out: pToken=0x21ec0c) returned 0x0 [0194.561] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d280, riid=0x21ecdc*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x21ecd8 | out: ppvObject=0x21ecd8*=0x60d280) returned 0x0 [0194.561] WbemDefPath:IUnknown:AddRef (This=0x60d280) returned 0x3 [0194.561] WbemDefPath:IUnknown:Release (This=0x60d280) returned 0x2 [0194.561] WbemDefPath:IWbemPath:SetText (This=0x60d280, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=5") returned 0x0 [0194.561] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee54 | out: puCount=0x21ee54*=0x2) returned 0x0 [0194.561] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0x0, pszText=0x0 | out: puBuffLength=0x21ee50*=0xf, pszText=0x0) returned 0x0 [0194.561] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee50*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.561] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee20 | out: puCount=0x21ee20*=0x2) returned 0x0 [0194.561] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0x0, pszText=0x0 | out: puBuffLength=0x21ee1c*=0xf, pszText=0x0) returned 0x0 [0194.561] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee1c*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.561] IWbemClassObject:Get (in: This=0x60ecc0, wszName="IPEnabled", lFlags=0, pVal=0x21ee1c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a7340*=0, plFlavor=0x23a7344*=0 | out: pVal=0x21ee1c*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a7340*=11, plFlavor=0x23a7344*=0) returned 0x0 [0194.562] IWbemClassObject:Get (in: This=0x60ecc0, wszName="IPEnabled", lFlags=0, pVal=0x21ee24*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a7340*=11, plFlavor=0x23a7344*=0 | out: pVal=0x21ee24*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a7340*=11, plFlavor=0x23a7344*=0) returned 0x0 [0194.562] IUnknown:Release (This=0x60ecc0) returned 0x2 [0194.562] CoTaskMemAlloc (cb=0x4) returned 0x5f6e80 [0194.562] IEnumWbemClassObject:Next (in: This=0x5999c0, lTimeout=-1, uCount=0x1, apObjects=0x5f6e80, puReturned=0x23a3dd4 | out: apObjects=0x5f6e80*=0x60eff8, puReturned=0x23a3dd4*=0x1) returned 0x0 [0194.563] IUnknown:QueryInterface (in: This=0x60eff8, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e47c | out: ppvObject=0x21e47c*=0x60eff8) returned 0x0 [0194.563] IUnknown:QueryInterface (in: This=0x60eff8, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x21e430 | out: ppvObject=0x21e430*=0x0) returned 0x80004002 [0194.563] IUnknown:QueryInterface (in: This=0x60eff8, riid=0x71b71e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x21e258 | out: ppvObject=0x21e258*=0x0) returned 0x80004002 [0194.564] IUnknown:AddRef (This=0x60eff8) returned 0x3 [0194.564] IUnknown:QueryInterface (in: This=0x60eff8, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x21dd8c | out: ppvObject=0x21dd8c*=0x0) returned 0x80004002 [0194.564] IUnknown:QueryInterface (in: This=0x60eff8, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x21dd3c | out: ppvObject=0x21dd3c*=0x0) returned 0x80004002 [0194.564] IUnknown:QueryInterface (in: This=0x60eff8, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21dd48 | out: ppvObject=0x21dd48*=0x60effc) returned 0x0 [0194.564] IMarshal:GetUnmarshalClass (in: This=0x60effc, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x21dd50 | out: pCid=0x21dd50*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0194.564] IUnknown:Release (This=0x60effc) returned 0x3 [0194.564] CoGetContextToken (in: pToken=0x21dda8 | out: pToken=0x21dda8) returned 0x0 [0194.564] CoGetContextToken (in: pToken=0x21e1bc | out: pToken=0x21e1bc) returned 0x0 [0194.564] IUnknown:QueryInterface (in: This=0x60eff8, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e23c | out: ppvObject=0x21e23c*=0x0) returned 0x80004002 [0194.564] IUnknown:Release (This=0x60eff8) returned 0x2 [0194.564] CoGetContextToken (in: pToken=0x21e7ac | out: pToken=0x21e7ac) returned 0x0 [0194.564] CoGetContextToken (in: pToken=0x21e70c | out: pToken=0x21e70c) returned 0x0 [0194.564] IUnknown:QueryInterface (in: This=0x60eff8, riid=0x21e7dc*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x21e7d8 | out: ppvObject=0x21e7d8*=0x60eff8) returned 0x0 [0194.564] IUnknown:AddRef (This=0x60eff8) returned 0x4 [0194.564] IUnknown:Release (This=0x60eff8) returned 0x3 [0194.564] IUnknown:Release (This=0x60eff8) returned 0x2 [0194.564] CoTaskMemFree (pv=0x5f6e80) [0194.564] CoGetContextToken (in: pToken=0x21eb1c | out: pToken=0x21eb1c) returned 0x0 [0194.564] IUnknown:AddRef (This=0x60eff8) returned 0x3 [0194.565] IWbemClassObject:Get (in: This=0x60eff8, wszName="__GENUS", lFlags=0, pVal=0x21ee18*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee98*=0, plFlavor=0x21ee94*=0 | out: pVal=0x21ee18*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x21ee98*=3, plFlavor=0x21ee94*=64) returned 0x0 [0194.565] IWbemClassObject:Get (in: This=0x60eff8, wszName="__PATH", lFlags=0, pVal=0x21edfc*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee80*=0, plFlavor=0x21ee7c*=0 | out: pVal=0x21edfc*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=6", varVal2=0x0), pType=0x21ee80*=8, plFlavor=0x21ee7c*=64) returned 0x0 [0194.565] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=6") returned 0x82 [0194.565] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=6") returned 0x82 [0194.565] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3a8 [0194.565] SetEvent (hEvent=0x2c4) returned 1 [0194.565] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x21edd4*=0x3a8, lpdwindex=0x21ebf8 | out: lpdwindex=0x21ebf8) returned 0x0 [0194.568] CoGetContextToken (in: pToken=0x21ecac | out: pToken=0x21ecac) returned 0x0 [0194.568] CoGetContextToken (in: pToken=0x21ec0c | out: pToken=0x21ec0c) returned 0x0 [0194.568] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d2f0, riid=0x21ecdc*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x21ecd8 | out: ppvObject=0x21ecd8*=0x60d2f0) returned 0x0 [0194.568] WbemDefPath:IUnknown:AddRef (This=0x60d2f0) returned 0x3 [0194.568] WbemDefPath:IUnknown:Release (This=0x60d2f0) returned 0x2 [0194.568] WbemDefPath:IWbemPath:SetText (This=0x60d2f0, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=6") returned 0x0 [0194.568] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee54 | out: puCount=0x21ee54*=0x2) returned 0x0 [0194.568] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0x0, pszText=0x0 | out: puBuffLength=0x21ee50*=0xf, pszText=0x0) returned 0x0 [0194.568] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee50*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.569] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee20 | out: puCount=0x21ee20*=0x2) returned 0x0 [0194.569] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0x0, pszText=0x0 | out: puBuffLength=0x21ee1c*=0xf, pszText=0x0) returned 0x0 [0194.569] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee1c*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.569] IWbemClassObject:Get (in: This=0x60eff8, wszName="IPEnabled", lFlags=0, pVal=0x21ee1c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a7bbc*=0, plFlavor=0x23a7bc0*=0 | out: pVal=0x21ee1c*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a7bbc*=11, plFlavor=0x23a7bc0*=0) returned 0x0 [0194.569] IWbemClassObject:Get (in: This=0x60eff8, wszName="IPEnabled", lFlags=0, pVal=0x21ee24*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a7bbc*=11, plFlavor=0x23a7bc0*=0 | out: pVal=0x21ee24*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a7bbc*=11, plFlavor=0x23a7bc0*=0) returned 0x0 [0194.569] IUnknown:Release (This=0x60eff8) returned 0x2 [0194.569] CoTaskMemAlloc (cb=0x4) returned 0x5f6ed0 [0194.569] IEnumWbemClassObject:Next (in: This=0x5999c0, lTimeout=-1, uCount=0x1, apObjects=0x5f6ed0, puReturned=0x23a3dd4 | out: apObjects=0x5f6ed0*=0x5f2ab8, puReturned=0x23a3dd4*=0x1) returned 0x0 [0194.571] IUnknown:QueryInterface (in: This=0x5f2ab8, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e47c | out: ppvObject=0x21e47c*=0x5f2ab8) returned 0x0 [0194.571] IUnknown:QueryInterface (in: This=0x5f2ab8, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x21e430 | out: ppvObject=0x21e430*=0x0) returned 0x80004002 [0194.571] IUnknown:QueryInterface (in: This=0x5f2ab8, riid=0x71b71e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x21e258 | out: ppvObject=0x21e258*=0x0) returned 0x80004002 [0194.571] IUnknown:AddRef (This=0x5f2ab8) returned 0x3 [0194.571] IUnknown:QueryInterface (in: This=0x5f2ab8, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x21dd8c | out: ppvObject=0x21dd8c*=0x0) returned 0x80004002 [0194.571] IUnknown:QueryInterface (in: This=0x5f2ab8, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x21dd3c | out: ppvObject=0x21dd3c*=0x0) returned 0x80004002 [0194.571] IUnknown:QueryInterface (in: This=0x5f2ab8, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21dd48 | out: ppvObject=0x21dd48*=0x5f2abc) returned 0x0 [0194.571] IMarshal:GetUnmarshalClass (in: This=0x5f2abc, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x21dd50 | out: pCid=0x21dd50*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0194.571] IUnknown:Release (This=0x5f2abc) returned 0x3 [0194.571] CoGetContextToken (in: pToken=0x21dda8 | out: pToken=0x21dda8) returned 0x0 [0194.571] CoGetContextToken (in: pToken=0x21e1bc | out: pToken=0x21e1bc) returned 0x0 [0194.571] IUnknown:QueryInterface (in: This=0x5f2ab8, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e23c | out: ppvObject=0x21e23c*=0x0) returned 0x80004002 [0194.571] IUnknown:Release (This=0x5f2ab8) returned 0x2 [0194.572] CoGetContextToken (in: pToken=0x21e7ac | out: pToken=0x21e7ac) returned 0x0 [0194.572] CoGetContextToken (in: pToken=0x21e70c | out: pToken=0x21e70c) returned 0x0 [0194.572] IUnknown:QueryInterface (in: This=0x5f2ab8, riid=0x21e7dc*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x21e7d8 | out: ppvObject=0x21e7d8*=0x5f2ab8) returned 0x0 [0194.572] IUnknown:AddRef (This=0x5f2ab8) returned 0x4 [0194.572] IUnknown:Release (This=0x5f2ab8) returned 0x3 [0194.572] IUnknown:Release (This=0x5f2ab8) returned 0x2 [0194.572] CoTaskMemFree (pv=0x5f6ed0) [0194.572] CoGetContextToken (in: pToken=0x21eb1c | out: pToken=0x21eb1c) returned 0x0 [0194.572] IUnknown:AddRef (This=0x5f2ab8) returned 0x3 [0194.572] IWbemClassObject:Get (in: This=0x5f2ab8, wszName="__GENUS", lFlags=0, pVal=0x21ee18*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee98*=0, plFlavor=0x21ee94*=0 | out: pVal=0x21ee18*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x21ee98*=3, plFlavor=0x21ee94*=64) returned 0x0 [0194.572] IWbemClassObject:Get (in: This=0x5f2ab8, wszName="__PATH", lFlags=0, pVal=0x21edfc*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee80*=0, plFlavor=0x21ee7c*=0 | out: pVal=0x21edfc*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=7", varVal2=0x0), pType=0x21ee80*=8, plFlavor=0x21ee7c*=64) returned 0x0 [0194.573] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=7") returned 0x82 [0194.573] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=7") returned 0x82 [0194.573] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3ac [0194.573] SetEvent (hEvent=0x2c4) returned 1 [0194.573] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x21edd4*=0x3ac, lpdwindex=0x21ebf8 | out: lpdwindex=0x21ebf8) returned 0x0 [0194.576] CoGetContextToken (in: pToken=0x21ecac | out: pToken=0x21ecac) returned 0x0 [0194.576] CoGetContextToken (in: pToken=0x21ec0c | out: pToken=0x21ec0c) returned 0x0 [0194.576] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d360, riid=0x21ecdc*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x21ecd8 | out: ppvObject=0x21ecd8*=0x60d360) returned 0x0 [0194.576] WbemDefPath:IUnknown:AddRef (This=0x60d360) returned 0x3 [0194.576] WbemDefPath:IUnknown:Release (This=0x60d360) returned 0x2 [0194.576] WbemDefPath:IWbemPath:SetText (This=0x60d360, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=7") returned 0x0 [0194.576] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee54 | out: puCount=0x21ee54*=0x2) returned 0x0 [0194.576] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0x0, pszText=0x0 | out: puBuffLength=0x21ee50*=0xf, pszText=0x0) returned 0x0 [0194.576] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee50*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.576] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee20 | out: puCount=0x21ee20*=0x2) returned 0x0 [0194.576] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0x0, pszText=0x0 | out: puBuffLength=0x21ee1c*=0xf, pszText=0x0) returned 0x0 [0194.576] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee1c*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.577] IWbemClassObject:Get (in: This=0x5f2ab8, wszName="IPEnabled", lFlags=0, pVal=0x21ee1c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a8444*=0, plFlavor=0x23a8448*=0 | out: pVal=0x21ee1c*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a8444*=11, plFlavor=0x23a8448*=0) returned 0x0 [0194.577] IWbemClassObject:Get (in: This=0x5f2ab8, wszName="IPEnabled", lFlags=0, pVal=0x21ee24*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a8444*=11, plFlavor=0x23a8448*=0 | out: pVal=0x21ee24*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a8444*=11, plFlavor=0x23a8448*=0) returned 0x0 [0194.577] IUnknown:Release (This=0x5f2ab8) returned 0x2 [0194.577] CoTaskMemAlloc (cb=0x4) returned 0x5f6f20 [0194.577] IEnumWbemClassObject:Next (in: This=0x5999c0, lTimeout=-1, uCount=0x1, apObjects=0x5f6f20, puReturned=0x23a3dd4 | out: apObjects=0x5f6f20*=0x5d9c10, puReturned=0x23a3dd4*=0x1) returned 0x0 [0194.578] IUnknown:QueryInterface (in: This=0x5d9c10, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e47c | out: ppvObject=0x21e47c*=0x5d9c10) returned 0x0 [0194.578] IUnknown:QueryInterface (in: This=0x5d9c10, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x21e430 | out: ppvObject=0x21e430*=0x0) returned 0x80004002 [0194.578] IUnknown:QueryInterface (in: This=0x5d9c10, riid=0x71b71e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x21e258 | out: ppvObject=0x21e258*=0x0) returned 0x80004002 [0194.579] IUnknown:AddRef (This=0x5d9c10) returned 0x3 [0194.579] IUnknown:QueryInterface (in: This=0x5d9c10, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x21dd8c | out: ppvObject=0x21dd8c*=0x0) returned 0x80004002 [0194.579] IUnknown:QueryInterface (in: This=0x5d9c10, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x21dd3c | out: ppvObject=0x21dd3c*=0x0) returned 0x80004002 [0194.579] IUnknown:QueryInterface (in: This=0x5d9c10, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21dd48 | out: ppvObject=0x21dd48*=0x5d9c14) returned 0x0 [0194.579] IMarshal:GetUnmarshalClass (in: This=0x5d9c14, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x21dd50 | out: pCid=0x21dd50*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0194.579] IUnknown:Release (This=0x5d9c14) returned 0x3 [0194.579] CoGetContextToken (in: pToken=0x21dda8 | out: pToken=0x21dda8) returned 0x0 [0194.579] CoGetContextToken (in: pToken=0x21e1bc | out: pToken=0x21e1bc) returned 0x0 [0194.579] IUnknown:QueryInterface (in: This=0x5d9c10, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e23c | out: ppvObject=0x21e23c*=0x0) returned 0x80004002 [0194.579] IUnknown:Release (This=0x5d9c10) returned 0x2 [0194.579] CoGetContextToken (in: pToken=0x21e7ac | out: pToken=0x21e7ac) returned 0x0 [0194.579] CoGetContextToken (in: pToken=0x21e70c | out: pToken=0x21e70c) returned 0x0 [0194.579] IUnknown:QueryInterface (in: This=0x5d9c10, riid=0x21e7dc*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x21e7d8 | out: ppvObject=0x21e7d8*=0x5d9c10) returned 0x0 [0194.579] IUnknown:AddRef (This=0x5d9c10) returned 0x4 [0194.579] IUnknown:Release (This=0x5d9c10) returned 0x3 [0194.580] IUnknown:Release (This=0x5d9c10) returned 0x2 [0194.580] CoTaskMemFree (pv=0x5f6f20) [0194.580] CoGetContextToken (in: pToken=0x21eb1c | out: pToken=0x21eb1c) returned 0x0 [0194.580] IUnknown:AddRef (This=0x5d9c10) returned 0x3 [0194.580] IWbemClassObject:Get (in: This=0x5d9c10, wszName="__GENUS", lFlags=0, pVal=0x21ee18*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee98*=0, plFlavor=0x21ee94*=0 | out: pVal=0x21ee18*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x21ee98*=3, plFlavor=0x21ee94*=64) returned 0x0 [0194.580] IWbemClassObject:Get (in: This=0x5d9c10, wszName="__PATH", lFlags=0, pVal=0x21edfc*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee80*=0, plFlavor=0x21ee7c*=0 | out: pVal=0x21edfc*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=8", varVal2=0x0), pType=0x21ee80*=8, plFlavor=0x21ee7c*=64) returned 0x0 [0194.580] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=8") returned 0x82 [0194.580] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=8") returned 0x82 [0194.581] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3b0 [0194.581] SetEvent (hEvent=0x2c4) returned 1 [0194.581] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x21edd4*=0x3b0, lpdwindex=0x21ebf8 | out: lpdwindex=0x21ebf8) returned 0x0 [0194.584] CoGetContextToken (in: pToken=0x21ecac | out: pToken=0x21ecac) returned 0x0 [0194.584] CoGetContextToken (in: pToken=0x21ec0c | out: pToken=0x21ec0c) returned 0x0 [0194.584] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d3d0, riid=0x21ecdc*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x21ecd8 | out: ppvObject=0x21ecd8*=0x60d3d0) returned 0x0 [0194.584] WbemDefPath:IUnknown:AddRef (This=0x60d3d0) returned 0x3 [0194.584] WbemDefPath:IUnknown:Release (This=0x60d3d0) returned 0x2 [0194.584] WbemDefPath:IWbemPath:SetText (This=0x60d3d0, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=8") returned 0x0 [0194.584] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee54 | out: puCount=0x21ee54*=0x2) returned 0x0 [0194.584] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0x0, pszText=0x0 | out: puBuffLength=0x21ee50*=0xf, pszText=0x0) returned 0x0 [0194.584] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee50*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.584] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee20 | out: puCount=0x21ee20*=0x2) returned 0x0 [0194.584] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0x0, pszText=0x0 | out: puBuffLength=0x21ee1c*=0xf, pszText=0x0) returned 0x0 [0194.584] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee1c*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.584] IWbemClassObject:Get (in: This=0x5d9c10, wszName="IPEnabled", lFlags=0, pVal=0x21ee1c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a8cc0*=0, plFlavor=0x23a8cc4*=0 | out: pVal=0x21ee1c*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a8cc0*=11, plFlavor=0x23a8cc4*=0) returned 0x0 [0194.585] IWbemClassObject:Get (in: This=0x5d9c10, wszName="IPEnabled", lFlags=0, pVal=0x21ee24*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a8cc0*=11, plFlavor=0x23a8cc4*=0 | out: pVal=0x21ee24*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a8cc0*=11, plFlavor=0x23a8cc4*=0) returned 0x0 [0194.585] IUnknown:Release (This=0x5d9c10) returned 0x2 [0194.585] CoTaskMemAlloc (cb=0x4) returned 0x5f6f70 [0194.585] IEnumWbemClassObject:Next (in: This=0x5999c0, lTimeout=-1, uCount=0x1, apObjects=0x5f6f70, puReturned=0x23a3dd4 | out: apObjects=0x5f6f70*=0x611dc8, puReturned=0x23a3dd4*=0x1) returned 0x0 [0194.586] IUnknown:QueryInterface (in: This=0x611dc8, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e47c | out: ppvObject=0x21e47c*=0x611dc8) returned 0x0 [0194.586] IUnknown:QueryInterface (in: This=0x611dc8, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x21e430 | out: ppvObject=0x21e430*=0x0) returned 0x80004002 [0194.586] IUnknown:QueryInterface (in: This=0x611dc8, riid=0x71b71e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x21e258 | out: ppvObject=0x21e258*=0x0) returned 0x80004002 [0194.587] IUnknown:AddRef (This=0x611dc8) returned 0x3 [0194.587] IUnknown:QueryInterface (in: This=0x611dc8, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x21dd8c | out: ppvObject=0x21dd8c*=0x0) returned 0x80004002 [0194.587] IUnknown:QueryInterface (in: This=0x611dc8, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x21dd3c | out: ppvObject=0x21dd3c*=0x0) returned 0x80004002 [0194.587] IUnknown:QueryInterface (in: This=0x611dc8, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21dd48 | out: ppvObject=0x21dd48*=0x611dcc) returned 0x0 [0194.587] IMarshal:GetUnmarshalClass (in: This=0x611dcc, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x21dd50 | out: pCid=0x21dd50*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0194.587] IUnknown:Release (This=0x611dcc) returned 0x3 [0194.587] CoGetContextToken (in: pToken=0x21dda8 | out: pToken=0x21dda8) returned 0x0 [0194.587] CoGetContextToken (in: pToken=0x21e1bc | out: pToken=0x21e1bc) returned 0x0 [0194.587] IUnknown:QueryInterface (in: This=0x611dc8, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e23c | out: ppvObject=0x21e23c*=0x0) returned 0x80004002 [0194.587] IUnknown:Release (This=0x611dc8) returned 0x2 [0194.587] CoGetContextToken (in: pToken=0x21e7ac | out: pToken=0x21e7ac) returned 0x0 [0194.587] CoGetContextToken (in: pToken=0x21e70c | out: pToken=0x21e70c) returned 0x0 [0194.587] IUnknown:QueryInterface (in: This=0x611dc8, riid=0x21e7dc*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x21e7d8 | out: ppvObject=0x21e7d8*=0x611dc8) returned 0x0 [0194.587] IUnknown:AddRef (This=0x611dc8) returned 0x4 [0194.587] IUnknown:Release (This=0x611dc8) returned 0x3 [0194.587] IUnknown:Release (This=0x611dc8) returned 0x2 [0194.587] CoTaskMemFree (pv=0x5f6f70) [0194.587] CoGetContextToken (in: pToken=0x21eb1c | out: pToken=0x21eb1c) returned 0x0 [0194.588] IUnknown:AddRef (This=0x611dc8) returned 0x3 [0194.588] IWbemClassObject:Get (in: This=0x611dc8, wszName="__GENUS", lFlags=0, pVal=0x21ee18*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee98*=0, plFlavor=0x21ee94*=0 | out: pVal=0x21ee18*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x21ee98*=3, plFlavor=0x21ee94*=64) returned 0x0 [0194.588] IWbemClassObject:Get (in: This=0x611dc8, wszName="__PATH", lFlags=0, pVal=0x21edfc*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee80*=0, plFlavor=0x21ee7c*=0 | out: pVal=0x21edfc*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=9", varVal2=0x0), pType=0x21ee80*=8, plFlavor=0x21ee7c*=64) returned 0x0 [0194.588] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=9") returned 0x82 [0194.588] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=9") returned 0x82 [0194.589] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3b4 [0194.589] SetEvent (hEvent=0x2c4) returned 1 [0194.589] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x21edd4*=0x3b4, lpdwindex=0x21ebf8 | out: lpdwindex=0x21ebf8) returned 0x0 [0194.591] CoGetContextToken (in: pToken=0x21ecac | out: pToken=0x21ecac) returned 0x0 [0194.592] CoGetContextToken (in: pToken=0x21ec0c | out: pToken=0x21ec0c) returned 0x0 [0194.592] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d440, riid=0x21ecdc*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x21ecd8 | out: ppvObject=0x21ecd8*=0x60d440) returned 0x0 [0194.592] WbemDefPath:IUnknown:AddRef (This=0x60d440) returned 0x3 [0194.592] WbemDefPath:IUnknown:Release (This=0x60d440) returned 0x2 [0194.592] WbemDefPath:IWbemPath:SetText (This=0x60d440, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=9") returned 0x0 [0194.592] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee54 | out: puCount=0x21ee54*=0x2) returned 0x0 [0194.592] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0x0, pszText=0x0 | out: puBuffLength=0x21ee50*=0xf, pszText=0x0) returned 0x0 [0194.592] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee50*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.592] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee20 | out: puCount=0x21ee20*=0x2) returned 0x0 [0194.592] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0x0, pszText=0x0 | out: puBuffLength=0x21ee1c*=0xf, pszText=0x0) returned 0x0 [0194.592] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee1c*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.592] IWbemClassObject:Get (in: This=0x611dc8, wszName="IPEnabled", lFlags=0, pVal=0x21ee1c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a953c*=0, plFlavor=0x23a9540*=0 | out: pVal=0x21ee1c*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a953c*=11, plFlavor=0x23a9540*=0) returned 0x0 [0194.592] IWbemClassObject:Get (in: This=0x611dc8, wszName="IPEnabled", lFlags=0, pVal=0x21ee24*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a953c*=11, plFlavor=0x23a9540*=0 | out: pVal=0x21ee24*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a953c*=11, plFlavor=0x23a9540*=0) returned 0x0 [0194.593] IUnknown:Release (This=0x611dc8) returned 0x2 [0194.593] CoTaskMemAlloc (cb=0x4) returned 0x6152a0 [0194.593] IEnumWbemClassObject:Next (in: This=0x5999c0, lTimeout=-1, uCount=0x1, apObjects=0x6152a0, puReturned=0x23a3dd4 | out: apObjects=0x6152a0*=0x6121b0, puReturned=0x23a3dd4*=0x1) returned 0x0 [0194.594] IUnknown:QueryInterface (in: This=0x6121b0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e47c | out: ppvObject=0x21e47c*=0x6121b0) returned 0x0 [0194.594] IUnknown:QueryInterface (in: This=0x6121b0, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x21e430 | out: ppvObject=0x21e430*=0x0) returned 0x80004002 [0194.594] IUnknown:QueryInterface (in: This=0x6121b0, riid=0x71b71e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x21e258 | out: ppvObject=0x21e258*=0x0) returned 0x80004002 [0194.594] IUnknown:AddRef (This=0x6121b0) returned 0x3 [0194.594] IUnknown:QueryInterface (in: This=0x6121b0, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x21dd8c | out: ppvObject=0x21dd8c*=0x0) returned 0x80004002 [0194.594] IUnknown:QueryInterface (in: This=0x6121b0, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x21dd3c | out: ppvObject=0x21dd3c*=0x0) returned 0x80004002 [0194.594] IUnknown:QueryInterface (in: This=0x6121b0, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21dd48 | out: ppvObject=0x21dd48*=0x6121b4) returned 0x0 [0194.594] IMarshal:GetUnmarshalClass (in: This=0x6121b4, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x21dd50 | out: pCid=0x21dd50*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0194.595] IUnknown:Release (This=0x6121b4) returned 0x3 [0194.595] CoGetContextToken (in: pToken=0x21dda8 | out: pToken=0x21dda8) returned 0x0 [0194.595] CoGetContextToken (in: pToken=0x21e1bc | out: pToken=0x21e1bc) returned 0x0 [0194.595] IUnknown:QueryInterface (in: This=0x6121b0, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e23c | out: ppvObject=0x21e23c*=0x0) returned 0x80004002 [0194.595] IUnknown:Release (This=0x6121b0) returned 0x2 [0194.595] CoGetContextToken (in: pToken=0x21e7ac | out: pToken=0x21e7ac) returned 0x0 [0194.595] CoGetContextToken (in: pToken=0x21e70c | out: pToken=0x21e70c) returned 0x0 [0194.595] IUnknown:QueryInterface (in: This=0x6121b0, riid=0x21e7dc*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x21e7d8 | out: ppvObject=0x21e7d8*=0x6121b0) returned 0x0 [0194.595] IUnknown:AddRef (This=0x6121b0) returned 0x4 [0194.595] IUnknown:Release (This=0x6121b0) returned 0x3 [0194.595] IUnknown:Release (This=0x6121b0) returned 0x2 [0194.595] CoTaskMemFree (pv=0x6152a0) [0194.595] CoGetContextToken (in: pToken=0x21eb1c | out: pToken=0x21eb1c) returned 0x0 [0194.595] IUnknown:AddRef (This=0x6121b0) returned 0x3 [0194.595] IWbemClassObject:Get (in: This=0x6121b0, wszName="__GENUS", lFlags=0, pVal=0x21ee18*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee98*=0, plFlavor=0x21ee94*=0 | out: pVal=0x21ee18*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x21ee98*=3, plFlavor=0x21ee94*=64) returned 0x0 [0194.596] IWbemClassObject:Get (in: This=0x6121b0, wszName="__PATH", lFlags=0, pVal=0x21edfc*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee80*=0, plFlavor=0x21ee7c*=0 | out: pVal=0x21edfc*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=10", varVal2=0x0), pType=0x21ee80*=8, plFlavor=0x21ee7c*=64) returned 0x0 [0194.596] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=10") returned 0x84 [0194.596] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=10") returned 0x84 [0194.596] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3b8 [0194.596] SetEvent (hEvent=0x2c4) returned 1 [0194.596] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x21edd4*=0x3b8, lpdwindex=0x21ebf8 | out: lpdwindex=0x21ebf8) returned 0x0 [0194.599] CoGetContextToken (in: pToken=0x21ecac | out: pToken=0x21ecac) returned 0x0 [0194.599] CoGetContextToken (in: pToken=0x21ec0c | out: pToken=0x21ec0c) returned 0x0 [0194.599] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d4b0, riid=0x21ecdc*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x21ecd8 | out: ppvObject=0x21ecd8*=0x60d4b0) returned 0x0 [0194.599] WbemDefPath:IUnknown:AddRef (This=0x60d4b0) returned 0x3 [0194.599] WbemDefPath:IUnknown:Release (This=0x60d4b0) returned 0x2 [0194.599] WbemDefPath:IWbemPath:SetText (This=0x60d4b0, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=10") returned 0x0 [0194.599] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee54 | out: puCount=0x21ee54*=0x2) returned 0x0 [0194.599] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0x0, pszText=0x0 | out: puBuffLength=0x21ee50*=0xf, pszText=0x0) returned 0x0 [0194.599] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee50*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.599] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee20 | out: puCount=0x21ee20*=0x2) returned 0x0 [0194.599] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0x0, pszText=0x0 | out: puBuffLength=0x21ee1c*=0xf, pszText=0x0) returned 0x0 [0194.599] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee1c*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.599] IWbemClassObject:Get (in: This=0x6121b0, wszName="IPEnabled", lFlags=0, pVal=0x21ee1c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a9dbc*=0, plFlavor=0x23a9dc0*=0 | out: pVal=0x21ee1c*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a9dbc*=11, plFlavor=0x23a9dc0*=0) returned 0x0 [0194.600] IWbemClassObject:Get (in: This=0x6121b0, wszName="IPEnabled", lFlags=0, pVal=0x21ee24*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a9dbc*=11, plFlavor=0x23a9dc0*=0 | out: pVal=0x21ee24*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23a9dbc*=11, plFlavor=0x23a9dc0*=0) returned 0x0 [0194.600] IUnknown:Release (This=0x6121b0) returned 0x2 [0194.600] CoTaskMemAlloc (cb=0x4) returned 0x6152f0 [0194.600] IEnumWbemClassObject:Next (in: This=0x5999c0, lTimeout=-1, uCount=0x1, apObjects=0x6152f0, puReturned=0x23a3dd4 | out: apObjects=0x6152f0*=0x615658, puReturned=0x23a3dd4*=0x1) returned 0x0 [0194.601] IUnknown:QueryInterface (in: This=0x615658, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e47c | out: ppvObject=0x21e47c*=0x615658) returned 0x0 [0194.601] IUnknown:QueryInterface (in: This=0x615658, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x21e430 | out: ppvObject=0x21e430*=0x0) returned 0x80004002 [0194.601] IUnknown:QueryInterface (in: This=0x615658, riid=0x71b71e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x21e258 | out: ppvObject=0x21e258*=0x0) returned 0x80004002 [0194.602] IUnknown:AddRef (This=0x615658) returned 0x3 [0194.602] IUnknown:QueryInterface (in: This=0x615658, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x21dd8c | out: ppvObject=0x21dd8c*=0x0) returned 0x80004002 [0194.602] IUnknown:QueryInterface (in: This=0x615658, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x21dd3c | out: ppvObject=0x21dd3c*=0x0) returned 0x80004002 [0194.602] IUnknown:QueryInterface (in: This=0x615658, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21dd48 | out: ppvObject=0x21dd48*=0x61565c) returned 0x0 [0194.602] IMarshal:GetUnmarshalClass (in: This=0x61565c, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x21dd50 | out: pCid=0x21dd50*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0194.602] IUnknown:Release (This=0x61565c) returned 0x3 [0194.602] CoGetContextToken (in: pToken=0x21dda8 | out: pToken=0x21dda8) returned 0x0 [0194.602] CoGetContextToken (in: pToken=0x21e1bc | out: pToken=0x21e1bc) returned 0x0 [0194.602] IUnknown:QueryInterface (in: This=0x615658, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e23c | out: ppvObject=0x21e23c*=0x0) returned 0x80004002 [0194.602] IUnknown:Release (This=0x615658) returned 0x2 [0194.602] CoGetContextToken (in: pToken=0x21e7ac | out: pToken=0x21e7ac) returned 0x0 [0194.602] CoGetContextToken (in: pToken=0x21e70c | out: pToken=0x21e70c) returned 0x0 [0194.602] IUnknown:QueryInterface (in: This=0x615658, riid=0x21e7dc*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x21e7d8 | out: ppvObject=0x21e7d8*=0x615658) returned 0x0 [0194.602] IUnknown:AddRef (This=0x615658) returned 0x4 [0194.602] IUnknown:Release (This=0x615658) returned 0x3 [0194.602] IUnknown:Release (This=0x615658) returned 0x2 [0194.602] CoTaskMemFree (pv=0x6152f0) [0194.603] CoGetContextToken (in: pToken=0x21eb1c | out: pToken=0x21eb1c) returned 0x0 [0194.603] IUnknown:AddRef (This=0x615658) returned 0x3 [0194.603] IWbemClassObject:Get (in: This=0x615658, wszName="__GENUS", lFlags=0, pVal=0x21ee18*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee98*=0, plFlavor=0x21ee94*=0 | out: pVal=0x21ee18*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x21ee98*=3, plFlavor=0x21ee94*=64) returned 0x0 [0194.603] IWbemClassObject:Get (in: This=0x615658, wszName="__PATH", lFlags=0, pVal=0x21edfc*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee80*=0, plFlavor=0x21ee7c*=0 | out: pVal=0x21edfc*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=11", varVal2=0x0), pType=0x21ee80*=8, plFlavor=0x21ee7c*=64) returned 0x0 [0194.603] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=11") returned 0x84 [0194.603] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=11") returned 0x84 [0194.603] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3bc [0194.603] SetEvent (hEvent=0x2c4) returned 1 [0194.604] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x21edd4*=0x3bc, lpdwindex=0x21ebf8 | out: lpdwindex=0x21ebf8) returned 0x0 [0194.606] CoGetContextToken (in: pToken=0x21ecac | out: pToken=0x21ecac) returned 0x0 [0194.606] CoGetContextToken (in: pToken=0x21ec0c | out: pToken=0x21ec0c) returned 0x0 [0194.606] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d520, riid=0x21ecdc*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x21ecd8 | out: ppvObject=0x21ecd8*=0x60d520) returned 0x0 [0194.607] WbemDefPath:IUnknown:AddRef (This=0x60d520) returned 0x3 [0194.607] WbemDefPath:IUnknown:Release (This=0x60d520) returned 0x2 [0194.607] WbemDefPath:IWbemPath:SetText (This=0x60d520, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=11") returned 0x0 [0194.607] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee54 | out: puCount=0x21ee54*=0x2) returned 0x0 [0194.607] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0x0, pszText=0x0 | out: puBuffLength=0x21ee50*=0xf, pszText=0x0) returned 0x0 [0194.607] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee50*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.607] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee20 | out: puCount=0x21ee20*=0x2) returned 0x0 [0194.607] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0x0, pszText=0x0 | out: puBuffLength=0x21ee1c*=0xf, pszText=0x0) returned 0x0 [0194.607] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee1c*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.607] IWbemClassObject:Get (in: This=0x615658, wszName="IPEnabled", lFlags=0, pVal=0x21ee1c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23aa648*=0, plFlavor=0x23aa64c*=0 | out: pVal=0x21ee1c*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23aa648*=11, plFlavor=0x23aa64c*=0) returned 0x0 [0194.607] IWbemClassObject:Get (in: This=0x615658, wszName="IPEnabled", lFlags=0, pVal=0x21ee24*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23aa648*=11, plFlavor=0x23aa64c*=0 | out: pVal=0x21ee24*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23aa648*=11, plFlavor=0x23aa64c*=0) returned 0x0 [0194.607] IUnknown:Release (This=0x615658) returned 0x2 [0194.607] CoTaskMemAlloc (cb=0x4) returned 0x615340 [0194.608] IEnumWbemClassObject:Next (in: This=0x5999c0, lTimeout=-1, uCount=0x1, apObjects=0x615340, puReturned=0x23a3dd4 | out: apObjects=0x615340*=0x616278, puReturned=0x23a3dd4*=0x1) returned 0x0 [0194.609] IUnknown:QueryInterface (in: This=0x616278, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e47c | out: ppvObject=0x21e47c*=0x616278) returned 0x0 [0194.609] IUnknown:QueryInterface (in: This=0x616278, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x21e430 | out: ppvObject=0x21e430*=0x0) returned 0x80004002 [0194.609] IUnknown:QueryInterface (in: This=0x616278, riid=0x71b71e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x21e258 | out: ppvObject=0x21e258*=0x0) returned 0x80004002 [0194.609] IUnknown:AddRef (This=0x616278) returned 0x3 [0194.609] IUnknown:QueryInterface (in: This=0x616278, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x21dd8c | out: ppvObject=0x21dd8c*=0x0) returned 0x80004002 [0194.609] IUnknown:QueryInterface (in: This=0x616278, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x21dd3c | out: ppvObject=0x21dd3c*=0x0) returned 0x80004002 [0194.609] IUnknown:QueryInterface (in: This=0x616278, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21dd48 | out: ppvObject=0x21dd48*=0x61627c) returned 0x0 [0194.609] IMarshal:GetUnmarshalClass (in: This=0x61627c, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x21dd50 | out: pCid=0x21dd50*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0194.609] IUnknown:Release (This=0x61627c) returned 0x3 [0194.609] CoGetContextToken (in: pToken=0x21dda8 | out: pToken=0x21dda8) returned 0x0 [0194.609] CoGetContextToken (in: pToken=0x21e1bc | out: pToken=0x21e1bc) returned 0x0 [0194.609] IUnknown:QueryInterface (in: This=0x616278, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e23c | out: ppvObject=0x21e23c*=0x0) returned 0x80004002 [0194.610] IUnknown:Release (This=0x616278) returned 0x2 [0194.610] CoGetContextToken (in: pToken=0x21e7ac | out: pToken=0x21e7ac) returned 0x0 [0194.610] CoGetContextToken (in: pToken=0x21e70c | out: pToken=0x21e70c) returned 0x0 [0194.610] IUnknown:QueryInterface (in: This=0x616278, riid=0x21e7dc*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x21e7d8 | out: ppvObject=0x21e7d8*=0x616278) returned 0x0 [0194.610] IUnknown:AddRef (This=0x616278) returned 0x4 [0194.610] IUnknown:Release (This=0x616278) returned 0x3 [0194.610] IUnknown:Release (This=0x616278) returned 0x2 [0194.610] CoTaskMemFree (pv=0x615340) [0194.610] CoGetContextToken (in: pToken=0x21eb1c | out: pToken=0x21eb1c) returned 0x0 [0194.610] IUnknown:AddRef (This=0x616278) returned 0x3 [0194.610] IWbemClassObject:Get (in: This=0x616278, wszName="__GENUS", lFlags=0, pVal=0x21ee18*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee98*=0, plFlavor=0x21ee94*=0 | out: pVal=0x21ee18*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x21ee98*=3, plFlavor=0x21ee94*=64) returned 0x0 [0194.610] IWbemClassObject:Get (in: This=0x616278, wszName="__PATH", lFlags=0, pVal=0x21edfc*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee80*=0, plFlavor=0x21ee7c*=0 | out: pVal=0x21edfc*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=12", varVal2=0x0), pType=0x21ee80*=8, plFlavor=0x21ee7c*=64) returned 0x0 [0194.611] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=12") returned 0x84 [0194.611] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=12") returned 0x84 [0194.611] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3c0 [0194.611] SetEvent (hEvent=0x2c4) returned 1 [0194.611] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x21edd4*=0x3c0, lpdwindex=0x21ebf8 | out: lpdwindex=0x21ebf8) returned 0x0 [0194.614] CoGetContextToken (in: pToken=0x21ecac | out: pToken=0x21ecac) returned 0x0 [0194.614] CoGetContextToken (in: pToken=0x21ec0c | out: pToken=0x21ec0c) returned 0x0 [0194.614] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d590, riid=0x21ecdc*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x21ecd8 | out: ppvObject=0x21ecd8*=0x60d590) returned 0x0 [0194.614] WbemDefPath:IUnknown:AddRef (This=0x60d590) returned 0x3 [0194.614] WbemDefPath:IUnknown:Release (This=0x60d590) returned 0x2 [0194.614] WbemDefPath:IWbemPath:SetText (This=0x60d590, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=12") returned 0x0 [0194.614] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee54 | out: puCount=0x21ee54*=0x2) returned 0x0 [0194.614] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0x0, pszText=0x0 | out: puBuffLength=0x21ee50*=0xf, pszText=0x0) returned 0x0 [0194.614] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee50*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.614] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee20 | out: puCount=0x21ee20*=0x2) returned 0x0 [0194.614] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0x0, pszText=0x0 | out: puBuffLength=0x21ee1c*=0xf, pszText=0x0) returned 0x0 [0194.614] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee1c*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.614] IWbemClassObject:Get (in: This=0x616278, wszName="IPEnabled", lFlags=0, pVal=0x21ee1c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23aaec8*=0, plFlavor=0x23aaecc*=0 | out: pVal=0x21ee1c*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23aaec8*=11, plFlavor=0x23aaecc*=0) returned 0x0 [0194.614] IWbemClassObject:Get (in: This=0x616278, wszName="IPEnabled", lFlags=0, pVal=0x21ee24*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23aaec8*=11, plFlavor=0x23aaecc*=0 | out: pVal=0x21ee24*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23aaec8*=11, plFlavor=0x23aaecc*=0) returned 0x0 [0194.615] IUnknown:Release (This=0x616278) returned 0x2 [0194.615] CoTaskMemAlloc (cb=0x4) returned 0x615390 [0194.615] IEnumWbemClassObject:Next (in: This=0x5999c0, lTimeout=-1, uCount=0x1, apObjects=0x615390, puReturned=0x23a3dd4 | out: apObjects=0x615390*=0x616410, puReturned=0x23a3dd4*=0x1) returned 0x0 [0194.616] IUnknown:QueryInterface (in: This=0x616410, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e47c | out: ppvObject=0x21e47c*=0x616410) returned 0x0 [0194.616] IUnknown:QueryInterface (in: This=0x616410, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x21e430 | out: ppvObject=0x21e430*=0x0) returned 0x80004002 [0194.616] IUnknown:QueryInterface (in: This=0x616410, riid=0x71b71e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x21e258 | out: ppvObject=0x21e258*=0x0) returned 0x80004002 [0194.616] IUnknown:AddRef (This=0x616410) returned 0x3 [0194.616] IUnknown:QueryInterface (in: This=0x616410, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x21dd8c | out: ppvObject=0x21dd8c*=0x0) returned 0x80004002 [0194.616] IUnknown:QueryInterface (in: This=0x616410, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x21dd3c | out: ppvObject=0x21dd3c*=0x0) returned 0x80004002 [0194.616] IUnknown:QueryInterface (in: This=0x616410, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21dd48 | out: ppvObject=0x21dd48*=0x616414) returned 0x0 [0194.617] IMarshal:GetUnmarshalClass (in: This=0x616414, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x21dd50 | out: pCid=0x21dd50*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0194.617] IUnknown:Release (This=0x616414) returned 0x3 [0194.617] CoGetContextToken (in: pToken=0x21dda8 | out: pToken=0x21dda8) returned 0x0 [0194.617] CoGetContextToken (in: pToken=0x21e1bc | out: pToken=0x21e1bc) returned 0x0 [0194.617] IUnknown:QueryInterface (in: This=0x616410, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x21e23c | out: ppvObject=0x21e23c*=0x0) returned 0x80004002 [0194.617] IUnknown:Release (This=0x616410) returned 0x2 [0194.617] CoGetContextToken (in: pToken=0x21e7ac | out: pToken=0x21e7ac) returned 0x0 [0194.617] CoGetContextToken (in: pToken=0x21e70c | out: pToken=0x21e70c) returned 0x0 [0194.617] IUnknown:QueryInterface (in: This=0x616410, riid=0x21e7dc*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x21e7d8 | out: ppvObject=0x21e7d8*=0x616410) returned 0x0 [0194.617] IUnknown:AddRef (This=0x616410) returned 0x4 [0194.617] IUnknown:Release (This=0x616410) returned 0x3 [0194.617] IUnknown:Release (This=0x616410) returned 0x2 [0194.617] CoTaskMemFree (pv=0x615390) [0194.617] CoGetContextToken (in: pToken=0x21eb1c | out: pToken=0x21eb1c) returned 0x0 [0194.617] IUnknown:AddRef (This=0x616410) returned 0x3 [0194.617] IWbemClassObject:Get (in: This=0x616410, wszName="__GENUS", lFlags=0, pVal=0x21ee18*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee98*=0, plFlavor=0x21ee94*=0 | out: pVal=0x21ee18*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x21ee98*=3, plFlavor=0x21ee94*=64) returned 0x0 [0194.618] IWbemClassObject:Get (in: This=0x616410, wszName="__PATH", lFlags=0, pVal=0x21edfc*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21ee80*=0, plFlavor=0x21ee7c*=0 | out: pVal=0x21edfc*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=13", varVal2=0x0), pType=0x21ee80*=8, plFlavor=0x21ee7c*=64) returned 0x0 [0194.618] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=13") returned 0x84 [0194.618] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=13") returned 0x84 [0194.618] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3c4 [0194.618] SetEvent (hEvent=0x2c4) returned 1 [0194.618] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x21edd4*=0x3c4, lpdwindex=0x21ebf8 | out: lpdwindex=0x21ebf8) returned 0x0 [0194.621] CoGetContextToken (in: pToken=0x21ecac | out: pToken=0x21ecac) returned 0x0 [0194.621] CoGetContextToken (in: pToken=0x21ec0c | out: pToken=0x21ec0c) returned 0x0 [0194.621] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d600, riid=0x21ecdc*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x21ecd8 | out: ppvObject=0x21ecd8*=0x60d600) returned 0x0 [0194.621] WbemDefPath:IUnknown:AddRef (This=0x60d600) returned 0x3 [0194.621] WbemDefPath:IUnknown:Release (This=0x60d600) returned 0x2 [0194.621] WbemDefPath:IWbemPath:SetText (This=0x60d600, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_NetworkAdapterConfiguration.Index=13") returned 0x0 [0194.621] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee54 | out: puCount=0x21ee54*=0x2) returned 0x0 [0194.621] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0x0, pszText=0x0 | out: puBuffLength=0x21ee50*=0xf, pszText=0x0) returned 0x0 [0194.621] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee50*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee50*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.621] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee20 | out: puCount=0x21ee20*=0x2) returned 0x0 [0194.621] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0x0, pszText=0x0 | out: puBuffLength=0x21ee1c*=0xf, pszText=0x0) returned 0x0 [0194.621] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee1c*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.621] IWbemClassObject:Get (in: This=0x616410, wszName="IPEnabled", lFlags=0, pVal=0x21ee1c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23ab748*=0, plFlavor=0x23ab74c*=0 | out: pVal=0x21ee1c*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0), pType=0x23ab748*=11, plFlavor=0x23ab74c*=0) returned 0x0 [0194.622] IWbemClassObject:Get (in: This=0x616410, wszName="IPEnabled", lFlags=0, pVal=0x21ee24*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23ab748*=11, plFlavor=0x23ab74c*=0 | out: pVal=0x21ee24*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0), pType=0x23ab748*=11, plFlavor=0x23ab74c*=0) returned 0x0 [0194.624] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x21ee20 | out: puCount=0x21ee20*=0x2) returned 0x0 [0194.624] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0x0, pszText=0x0 | out: puBuffLength=0x21ee1c*=0xf, pszText=0x0) returned 0x0 [0194.624] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=4, puBuffLength=0x21ee1c*=0xf, pszText="00000000000000" | out: puBuffLength=0x21ee1c*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.624] IWbemClassObject:Get (in: This=0x616410, wszName="MacAddress", lFlags=0, pVal=0x21ee1c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23ab7e4*=0, plFlavor=0x23ab7e8*=0 | out: pVal=0x21ee1c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="58:23:8C:86:08:DD", varVal2=0x0), pType=0x23ab7e4*=8, plFlavor=0x23ab7e8*=0) returned 0x0 [0194.624] SysStringByteLen (bstr="58:23:8C:86:08:DD") returned 0x22 [0194.624] SysStringByteLen (bstr="58:23:8C:86:08:DD") returned 0x22 [0194.625] IWbemClassObject:Get (in: This=0x616410, wszName="MacAddress", lFlags=0, pVal=0x21ee24*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x23ab7e4*=8, plFlavor=0x23ab7e8*=0 | out: pVal=0x21ee24*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="58:23:8C:86:08:DD", varVal2=0x0), pType=0x23ab7e4*=8, plFlavor=0x23ab7e8*=0) returned 0x0 [0194.625] SysStringByteLen (bstr="58:23:8C:86:08:DD") returned 0x22 [0194.625] SysStringByteLen (bstr="58:23:8C:86:08:DD") returned 0x22 [0194.625] IUnknown:Release (This=0x616410) returned 0x2 [0194.625] CoTaskMemAlloc (cb=0x4) returned 0x6153e0 [0194.625] IEnumWbemClassObject:Next (in: This=0x5999c0, lTimeout=-1, uCount=0x1, apObjects=0x6153e0, puReturned=0x23a3dd4 | out: apObjects=0x6153e0*=0x0, puReturned=0x23a3dd4*=0x0) returned 0x1 [0194.626] CoTaskMemFree (pv=0x6153e0) [0194.626] CoGetContextToken (in: pToken=0x21ed4c | out: pToken=0x21ed4c) returned 0x0 [0194.626] IUnknown:Release (This=0x5999c0) returned 0x1 [0194.626] IUnknown:Release (This=0x5999c0) returned 0x0 [0194.719] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe", nBufferLength=0x105, lpBuffer=0x21e948, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Revised Proforma Invoice_New order.exe", lpFilePart=0x0) returned 0x4c [0194.722] GetEnvironmentVariableW (in: lpName="%startupfolder%", lpBuffer=0x21ecd8, nSize=0xd8 | out: lpBuffer="") returned 0x0 [0194.796] GetUserNameW (in: lpBuffer=0x21ec88, pcbBuffer=0x23ac468 | out: lpBuffer="kEecfMwgj", pcbBuffer=0x23ac468) returned 1 [0194.801] GetComputerNameW (in: lpBuffer=0x21ec88, nSize=0x23ac8dc | out: lpBuffer="Q9IATRKPRH", nSize=0x23ac8dc) returned 1 [0194.808] EtwEventRegister () returned 0x0 [0276.382] CoTaskMemAlloc (cb=0x20c) returned 0x5e0928 [0276.382] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x5e0928 | out: pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local") returned 0x0 [0276.389] CoTaskMemFree (pv=0x5e0928) [0276.389] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local", lpFilePart=0x0) returned 0x20 [0276.395] CoTaskMemAlloc (cb=0x20c) returned 0x5e0928 [0276.395] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x5e0928 | out: pszPath="C:\\Users\\kEecfMwgj\\AppData\\Roaming") returned 0x0 [0276.395] CoTaskMemFree (pv=0x5e0928) [0276.395] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming", lpFilePart=0x0) returned 0x22 [0276.680] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Sputnik\\Sputnik\\User Data", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Sputnik\\Sputnik\\User Data", lpFilePart=0x0) returned 0x3a [0276.680] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e664) returned 1 [0276.680] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Sputnik\\Sputnik\\User Data" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\sputnik\\sputnik\\user data"), fInfoLevelId=0x0, lpFileInformation=0x21e928 | out: lpFileInformation=0x21e928*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.681] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e660) returned 1 [0276.682] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Kometa\\User Data", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Kometa\\User Data", lpFilePart=0x0) returned 0x31 [0276.682] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e664) returned 1 [0276.682] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Kometa\\User Data" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\kometa\\user data"), fInfoLevelId=0x0, lpFileInformation=0x21e928 | out: lpFileInformation=0x21e928*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.682] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e660) returned 1 [0276.682] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\uCozMedia\\Uran\\User Data", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\uCozMedia\\Uran\\User Data", lpFilePart=0x0) returned 0x39 [0276.682] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e664) returned 1 [0276.682] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\uCozMedia\\Uran\\User Data" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\ucozmedia\\uran\\user data"), fInfoLevelId=0x0, lpFileInformation=0x21e928 | out: lpFileInformation=0x21e928*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.682] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e660) returned 1 [0276.682] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Torch\\User Data", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Torch\\User Data", lpFilePart=0x0) returned 0x30 [0276.682] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e664) returned 1 [0276.682] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Torch\\User Data" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\torch\\user data"), fInfoLevelId=0x0, lpFileInformation=0x21e928 | out: lpFileInformation=0x21e928*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.683] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e660) returned 1 [0276.683] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\MapleStudio\\ChromePlus\\User Data", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\MapleStudio\\ChromePlus\\User Data", lpFilePart=0x0) returned 0x41 [0276.683] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e664) returned 1 [0276.683] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\MapleStudio\\ChromePlus\\User Data" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\maplestudio\\chromeplus\\user data"), fInfoLevelId=0x0, lpFileInformation=0x21e928 | out: lpFileInformation=0x21e928*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.683] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e660) returned 1 [0276.683] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Orbitum\\User Data", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Orbitum\\User Data", lpFilePart=0x0) returned 0x32 [0276.683] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e664) returned 1 [0276.683] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Orbitum\\User Data" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\orbitum\\user data"), fInfoLevelId=0x0, lpFileInformation=0x21e928 | out: lpFileInformation=0x21e928*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.684] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e660) returned 1 [0276.684] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Coowon\\Coowon\\User Data", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Coowon\\Coowon\\User Data", lpFilePart=0x0) returned 0x38 [0276.684] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e664) returned 1 [0276.684] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Coowon\\Coowon\\User Data" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\coowon\\coowon\\user data"), fInfoLevelId=0x0, lpFileInformation=0x21e928 | out: lpFileInformation=0x21e928*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.684] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e660) returned 1 [0276.684] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data", lpFilePart=0x0) returned 0x46 [0276.684] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e664) returned 1 [0276.684] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\bravesoftware\\brave-browser\\user data"), fInfoLevelId=0x0, lpFileInformation=0x21e928 | out: lpFileInformation=0x21e928*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.684] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e660) returned 1 [0276.684] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\liebao\\User Data", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\liebao\\User Data", lpFilePart=0x0) returned 0x31 [0276.684] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e664) returned 1 [0276.684] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\liebao\\User Data" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\liebao\\user data"), fInfoLevelId=0x0, lpFileInformation=0x21e928 | out: lpFileInformation=0x21e928*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.685] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e660) returned 1 [0276.685] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chedot\\User Data", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chedot\\User Data", lpFilePart=0x0) returned 0x31 [0276.685] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e664) returned 1 [0276.685] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chedot\\User Data" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\chedot\\user data"), fInfoLevelId=0x0, lpFileInformation=0x21e928 | out: lpFileInformation=0x21e928*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.685] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e660) returned 1 [0276.685] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\7Star\\7Star\\User Data", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\7Star\\7Star\\User Data", lpFilePart=0x0) returned 0x36 [0276.685] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e664) returned 1 [0276.685] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\7Star\\7Star\\User Data" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\7star\\7star\\user data"), fInfoLevelId=0x0, lpFileInformation=0x21e928 | out: lpFileInformation=0x21e928*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.685] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e660) returned 1 [0276.685] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Epic Privacy Browser\\User Data", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Epic Privacy Browser\\User Data", lpFilePart=0x0) returned 0x3f [0276.685] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e664) returned 1 [0276.685] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Epic Privacy Browser\\User Data" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\epic privacy browser\\user data"), fInfoLevelId=0x0, lpFileInformation=0x21e928 | out: lpFileInformation=0x21e928*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.685] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e660) returned 1 [0276.685] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Elements Browser\\User Data", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Elements Browser\\User Data", lpFilePart=0x0) returned 0x3b [0276.686] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e664) returned 1 [0276.686] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Elements Browser\\User Data" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\elements browser\\user data"), fInfoLevelId=0x0, lpFileInformation=0x21e928 | out: lpFileInformation=0x21e928*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.686] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e660) returned 1 [0276.686] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\QIP Surf\\User Data", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\QIP Surf\\User Data", lpFilePart=0x0) returned 0x33 [0276.686] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e664) returned 1 [0276.686] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\QIP Surf\\User Data" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\qip surf\\user data"), fInfoLevelId=0x0, lpFileInformation=0x21e928 | out: lpFileInformation=0x21e928*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.687] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e660) returned 1 [0276.687] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Amigo\\User Data", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Amigo\\User Data", lpFilePart=0x0) returned 0x30 [0276.687] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e664) returned 1 [0276.687] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Amigo\\User Data" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\amigo\\user data"), fInfoLevelId=0x0, lpFileInformation=0x21e928 | out: lpFileInformation=0x21e928*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.687] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e660) returned 1 [0276.687] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\CentBrowser\\User Data", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\CentBrowser\\User Data", lpFilePart=0x0) returned 0x36 [0276.687] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e664) returned 1 [0276.687] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\CentBrowser\\User Data" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\centbrowser\\user data"), fInfoLevelId=0x0, lpFileInformation=0x21e928 | out: lpFileInformation=0x21e928*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.687] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e660) returned 1 [0276.687] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Iridium\\User Data", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Iridium\\User Data", lpFilePart=0x0) returned 0x32 [0276.688] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e664) returned 1 [0276.688] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Iridium\\User Data" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\iridium\\user data"), fInfoLevelId=0x0, lpFileInformation=0x21e928 | out: lpFileInformation=0x21e928*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.688] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e660) returned 1 [0276.688] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\CocCoc\\Browser\\User Data", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\CocCoc\\Browser\\User Data", lpFilePart=0x0) returned 0x39 [0276.688] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e664) returned 1 [0276.688] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\CocCoc\\Browser\\User Data" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\coccoc\\browser\\user data"), fInfoLevelId=0x0, lpFileInformation=0x21e928 | out: lpFileInformation=0x21e928*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.688] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e660) returned 1 [0276.688] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chromium\\User Data", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chromium\\User Data", lpFilePart=0x0) returned 0x33 [0276.688] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e664) returned 1 [0276.688] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chromium\\User Data" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\chromium\\user data"), fInfoLevelId=0x0, lpFileInformation=0x21e928 | out: lpFileInformation=0x21e928*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.688] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e660) returned 1 [0276.688] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex\\YandexBrowser\\User Data", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex\\YandexBrowser\\User Data", lpFilePart=0x0) returned 0x3f [0276.688] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e664) returned 1 [0276.688] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex\\YandexBrowser\\User Data" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\yandex\\yandexbrowser\\user data"), fInfoLevelId=0x0, lpFileInformation=0x21e928 | out: lpFileInformation=0x21e928*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.689] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e660) returned 1 [0276.689] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer", lpFilePart=0x0) returned 0x54 [0276.689] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e664) returned 1 [0276.689] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\fenrir inc\\sleipnir5\\setting\\modules\\chromiumviewer"), fInfoLevelId=0x0, lpFileInformation=0x21e928 | out: lpFileInformation=0x21e928*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.689] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e660) returned 1 [0276.689] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Comodo\\Dragon\\User Data", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Comodo\\Dragon\\User Data", lpFilePart=0x0) returned 0x38 [0276.689] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e664) returned 1 [0276.689] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Comodo\\Dragon\\User Data" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\comodo\\dragon\\user data"), fInfoLevelId=0x0, lpFileInformation=0x21e928 | out: lpFileInformation=0x21e928*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.689] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e660) returned 1 [0276.689] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Opera Software\\Opera Stable", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Opera Software\\Opera Stable", lpFilePart=0x0) returned 0x3e [0276.689] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e664) returned 1 [0276.689] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Opera Software\\Opera Stable" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\opera software\\opera stable"), fInfoLevelId=0x0, lpFileInformation=0x21e928 | out: lpFileInformation=0x21e928*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.690] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e660) returned 1 [0276.690] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\360Chrome\\Chrome\\User Data", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\360Chrome\\Chrome\\User Data", lpFilePart=0x0) returned 0x3b [0276.690] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e664) returned 1 [0276.690] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\360Chrome\\Chrome\\User Data" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\360chrome\\chrome\\user data"), fInfoLevelId=0x0, lpFileInformation=0x21e928 | out: lpFileInformation=0x21e928*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.690] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e660) returned 1 [0276.690] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Vivaldi\\User Data", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Vivaldi\\User Data", lpFilePart=0x0) returned 0x32 [0276.690] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e664) returned 1 [0276.690] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Vivaldi\\User Data" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\vivaldi\\user data"), fInfoLevelId=0x0, lpFileInformation=0x21e928 | out: lpFileInformation=0x21e928*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.690] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e660) returned 1 [0276.690] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\CatalinaGroup\\Citrio\\User Data", nBufferLength=0x105, lpBuffer=0x21e428, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\CatalinaGroup\\Citrio\\User Data", lpFilePart=0x0) returned 0x3f [0276.690] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e664) returned 1 [0276.690] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\CatalinaGroup\\Citrio\\User Data" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\catalinagroup\\citrio\\user data"), fInfoLevelId=0x0, lpFileInformation=0x21e928 | out: lpFileInformation=0x21e928*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.690] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e660) returned 1 [0276.716] GetEnvironmentVariableW (in: lpName="APPDATA", lpBuffer=0x21e788, nSize=0xd8 | out: lpBuffer="") returned 0x22 [0276.717] GetEnvironmentVariableW (in: lpName="Username", lpBuffer=0x21e788, nSize=0xd8 | out: lpBuffer="") returned 0x9 [0276.722] GetFullPathNameW (in: lpFileName="C:\\Users\\All Users\\AppData\\Roaming\\FlashFXP\\3quick.dat", nBufferLength=0x105, lpBuffer=0x21e484, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\All Users\\AppData\\Roaming\\FlashFXP\\3quick.dat", lpFilePart=0x0) returned 0x36 [0276.723] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x21e6c4) returned 1 [0276.723] GetFileAttributesExW (in: lpFileName="C:\\Users\\All Users\\AppData\\Roaming\\FlashFXP\\3quick.dat" (normalized: "c:\\users\\all users\\appdata\\roaming\\flashfxp\\3quick.dat"), fInfoLevelId=0x0, lpFileInformation=0x21e988 | out: lpFileInformation=0x21e988*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0276.724] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x21e6c0) returned 1 [0276.750] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\OpenVPN-GUI\\configs", ulOptions=0x0, samDesired=0x2001f, phkResult=0x21e978 | out: phkResult=0x21e978*=0x0) returned 0x2 [0276.792] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", ulOptions=0x0, samDesired=0x20019, phkResult=0x21e908 | out: phkResult=0x21e908*=0x0) returned 0x2 [0276.795] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", ulOptions=0x0, samDesired=0x20019, phkResult=0x21e908 | out: phkResult=0x21e908*=0x0) returned 0x2 [0276.798] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676", ulOptions=0x0, samDesired=0x20019, phkResult=0x21e908 | out: phkResult=0x21e908*=0x0) returned 0x2 [0276.800] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", ulOptions=0x0, samDesired=0x20019, phkResult=0x21e908 | out: phkResult=0x21e908*=0x31c) returned 0x0 [0276.801] RegQueryInfoKeyW (in: hKey=0x31c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x21e930, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x21e92c, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x21e930*=0x3, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x21e92c*=0x6, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0276.802] RegEnumKeyExW (in: hKey=0x31c, dwIndex=0x0, lpName=0x23c0f48, lpcchName=0x21e94c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="00000001", lpcchName=0x21e94c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0276.802] RegEnumKeyExW (in: hKey=0x31c, dwIndex=0x1, lpName=0x23c0f48, lpcchName=0x21e94c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="00000002", lpcchName=0x21e94c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0276.802] RegEnumKeyExW (in: hKey=0x31c, dwIndex=0x2, lpName=0x23c0f48, lpcchName=0x21e94c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="00000003", lpcchName=0x21e94c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0276.802] RegOpenKeyExW (in: hKey=0x31c, lpSubKey="00000001", ulOptions=0x0, samDesired=0x20019, phkResult=0x21e908 | out: phkResult=0x21e908*=0x254) returned 0x0 [0276.804] RegQueryValueExW (in: hKey=0x254, lpValueName="Email", lpReserved=0x0, lpType=0x21e928, lpData=0x0, lpcbData=0x21e924*=0x0 | out: lpType=0x21e928*=0x0, lpData=0x0, lpcbData=0x21e924*=0x0) returned 0x2 [0276.805] RegQueryValueExW (in: hKey=0x254, lpValueName="IMAP Password", lpReserved=0x0, lpType=0x21e928, lpData=0x0, lpcbData=0x21e924*=0x0 | out: lpType=0x21e928*=0x0, lpData=0x0, lpcbData=0x21e924*=0x0) returned 0x2 [0276.805] RegQueryValueExW (in: hKey=0x254, lpValueName="POP3 Password", lpReserved=0x0, lpType=0x21e928, lpData=0x0, lpcbData=0x21e924*=0x0 | out: lpType=0x21e928*=0x0, lpData=0x0, lpcbData=0x21e924*=0x0) returned 0x2 [0276.806] RegQueryValueExW (in: hKey=0x254, lpValueName="HTTP Password", lpReserved=0x0, lpType=0x21e928, lpData=0x0, lpcbData=0x21e924*=0x0 | out: lpType=0x21e928*=0x0, lpData=0x0, lpcbData=0x21e924*=0x0) returned 0x2 [0276.807] RegQueryValueExW (in: hKey=0x254, lpValueName="SMTP Password", lpReserved=0x0, lpType=0x21e928, lpData=0x0, lpcbData=0x21e924*=0x0 | out: lpType=0x21e928*=0x0, lpData=0x0, lpcbData=0x21e924*=0x0) returned 0x2 [0276.807] RegCloseKey (hKey=0x254) returned 0x0 [0276.807] RegOpenKeyExW (in: hKey=0x31c, lpSubKey="00000002", ulOptions=0x0, samDesired=0x20019, phkResult=0x21e908 | out: phkResult=0x21e908*=0x254) returned 0x0 [0276.807] RegQueryValueExW (in: hKey=0x254, lpValueName="Email", lpReserved=0x0, lpType=0x21e928, lpData=0x0, lpcbData=0x21e924*=0x0 | out: lpType=0x21e928*=0x1, lpData=0x0, lpcbData=0x21e924*=0x1e) returned 0x0 [0276.807] RegQueryValueExW (in: hKey=0x254, lpValueName="Email", lpReserved=0x0, lpType=0x21e928, lpData=0x23c153c, lpcbData=0x21e924*=0x1e | out: lpType=0x21e928*=0x1, lpData="franc@gdllo.de", lpcbData=0x21e924*=0x1e) returned 0x0 [0276.808] RegQueryValueExW (in: hKey=0x254, lpValueName="IMAP Password", lpReserved=0x0, lpType=0x21e928, lpData=0x0, lpcbData=0x21e924*=0x0 | out: lpType=0x21e928*=0x0, lpData=0x0, lpcbData=0x21e924*=0x0) returned 0x2 [0276.808] RegQueryValueExW (in: hKey=0x254, lpValueName="POP3 Password", lpReserved=0x0, lpType=0x21e928, lpData=0x0, lpcbData=0x21e924*=0x0 | out: lpType=0x21e928*=0x3, lpData=0x0, lpcbData=0x21e924*=0x111) returned 0x0 [0276.808] RegQueryValueExW (in: hKey=0x254, lpValueName="POP3 Password", lpReserved=0x0, lpType=0x21e928, lpData=0x23c1594, lpcbData=0x21e924*=0x111 | out: lpType=0x21e928*=0x3, lpData=0x23c1594*, lpcbData=0x21e924*=0x111) returned 0x0 [0276.808] RegQueryValueExW (in: hKey=0x254, lpValueName="HTTP Password", lpReserved=0x0, lpType=0x21e928, lpData=0x0, lpcbData=0x21e924*=0x0 | out: lpType=0x21e928*=0x0, lpData=0x0, lpcbData=0x21e924*=0x0) returned 0x2 [0276.808] RegQueryValueExW (in: hKey=0x254, lpValueName="SMTP Password", lpReserved=0x0, lpType=0x21e928, lpData=0x0, lpcbData=0x21e924*=0x0 | out: lpType=0x21e928*=0x0, lpData=0x0, lpcbData=0x21e924*=0x0) returned 0x2 [0276.808] RegQueryValueExW (in: hKey=0x254, lpValueName="IMAP Password", lpReserved=0x0, lpType=0x21e928, lpData=0x0, lpcbData=0x21e924*=0x0 | out: lpType=0x21e928*=0x0, lpData=0x0, lpcbData=0x21e924*=0x0) returned 0x2 [0276.808] RegQueryValueExW (in: hKey=0x254, lpValueName="POP3 Password", lpReserved=0x0, lpType=0x21e928, lpData=0x0, lpcbData=0x21e924*=0x0 | out: lpType=0x21e928*=0x3, lpData=0x0, lpcbData=0x21e924*=0x111) returned 0x0 [0276.808] RegQueryValueExW (in: hKey=0x254, lpValueName="POP3 Password", lpReserved=0x0, lpType=0x21e928, lpData=0x23c16e8, lpcbData=0x21e924*=0x111 | out: lpType=0x21e928*=0x3, lpData=0x23c16e8*, lpcbData=0x21e924*=0x111) returned 0x0 [0276.808] RegQueryValueExW (in: hKey=0x254, lpValueName="POP3 Password", lpReserved=0x0, lpType=0x21e928, lpData=0x0, lpcbData=0x21e924*=0x0 | out: lpType=0x21e928*=0x3, lpData=0x0, lpcbData=0x21e924*=0x111) returned 0x0 [0276.808] RegQueryValueExW (in: hKey=0x254, lpValueName="POP3 Password", lpReserved=0x0, lpType=0x21e928, lpData=0x23c1808, lpcbData=0x21e924*=0x111 | out: lpType=0x21e928*=0x3, lpData=0x23c1808*, lpcbData=0x21e924*=0x111) returned 0x0 Thread: id = 74 os_tid = 0xb40 Thread: id = 75 os_tid = 0xb44 [0170.346] CoGetContextToken (in: pToken=0x441fb9c | out: pToken=0x441fb9c) returned 0x800401f0 [0170.346] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 Thread: id = 76 os_tid = 0xb48 Thread: id = 77 os_tid = 0xbf0 Thread: id = 78 os_tid = 0xbec Thread: id = 79 os_tid = 0xbe8 Thread: id = 136 os_tid = 0xb08 [0183.590] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0183.614] IIDFromString (in: lpsz="{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}", lpiid=0x538f48c | out: lpiid=0x538f48c) returned 0x0 [0183.615] CoGetClassObject (in: rclsid=0x5cf254*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71bd6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x538f1a8 | out: ppv=0x538f1a8*=0x5c5b60) returned 0x0 [0183.616] WbemDefPath:IUnknown:QueryInterface (in: This=0x5c5b60, riid=0x71b9dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x538f3c0 | out: ppvObject=0x538f3c0*=0x0) returned 0x80004002 [0183.616] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5c5b60, pUnkOuter=0x0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538f3cc | out: ppvObject=0x538f3cc*=0x59f4f8) returned 0x0 [0183.616] WbemDefPath:IUnknown:Release (This=0x5c5b60) returned 0x0 [0183.616] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f4f8, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538efec | out: ppvObject=0x538efec*=0x59f4f8) returned 0x0 [0183.616] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f4f8, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x538efa0 | out: ppvObject=0x538efa0*=0x0) returned 0x80004002 [0183.616] WbemDefPath:IUnknown:AddRef (This=0x59f4f8) returned 0x3 [0183.616] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f4f8, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x538e8fc | out: ppvObject=0x538e8fc*=0x0) returned 0x80004002 [0183.616] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f4f8, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x538e8ac | out: ppvObject=0x538e8ac*=0x0) returned 0x80004002 [0183.616] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f4f8, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538e8b8 | out: ppvObject=0x538e8b8*=0x5c5b40) returned 0x0 [0183.617] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5c5b40, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x538e8c0 | out: pCid=0x538e8c0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0183.617] WbemDefPath:IUnknown:Release (This=0x5c5b40) returned 0x3 [0183.617] CoGetContextToken (in: pToken=0x538e918 | out: pToken=0x538e918) returned 0x0 [0183.618] CoGetContextToken (in: pToken=0x538ed2c | out: pToken=0x538ed2c) returned 0x0 [0183.618] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f4f8, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538edac | out: ppvObject=0x538edac*=0x0) returned 0x80004002 [0183.618] WbemDefPath:IUnknown:Release (This=0x59f4f8) returned 0x2 [0183.618] WbemDefPath:IUnknown:Release (This=0x59f4f8) returned 0x1 [0183.618] SetEvent (hEvent=0x2c0) returned 1 [0183.636] CoGetClassObject (in: rclsid=0x5cf254*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71bd6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x538f1a8 | out: ppv=0x538f1a8*=0x5c5c80) returned 0x0 [0183.637] WbemDefPath:IUnknown:QueryInterface (in: This=0x5c5c80, riid=0x71b9dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x538f3c0 | out: ppvObject=0x538f3c0*=0x0) returned 0x80004002 [0183.637] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5c5c80, pUnkOuter=0x0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538f3cc | out: ppvObject=0x538f3cc*=0x59f568) returned 0x0 [0183.637] WbemDefPath:IUnknown:Release (This=0x5c5c80) returned 0x0 [0183.637] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f568, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538efec | out: ppvObject=0x538efec*=0x59f568) returned 0x0 [0183.637] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f568, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x538efa0 | out: ppvObject=0x538efa0*=0x0) returned 0x80004002 [0183.637] WbemDefPath:IUnknown:AddRef (This=0x59f568) returned 0x3 [0183.637] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f568, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x538e8fc | out: ppvObject=0x538e8fc*=0x0) returned 0x80004002 [0183.637] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f568, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x538e8ac | out: ppvObject=0x538e8ac*=0x0) returned 0x80004002 [0183.637] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f568, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538e8b8 | out: ppvObject=0x538e8b8*=0x5c5c90) returned 0x0 [0183.637] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5c5c90, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x538e8c0 | out: pCid=0x538e8c0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0183.638] WbemDefPath:IUnknown:Release (This=0x5c5c90) returned 0x3 [0183.638] CoGetContextToken (in: pToken=0x538e918 | out: pToken=0x538e918) returned 0x0 [0183.638] CoGetContextToken (in: pToken=0x538ed2c | out: pToken=0x538ed2c) returned 0x0 [0183.638] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f568, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538edac | out: ppvObject=0x538edac*=0x0) returned 0x80004002 [0183.638] WbemDefPath:IUnknown:Release (This=0x59f568) returned 0x2 [0183.638] WbemDefPath:IUnknown:Release (This=0x59f568) returned 0x1 [0183.638] SetEvent (hEvent=0x2f4) returned 1 [0183.640] CoGetClassObject (in: rclsid=0x5cf254*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71bd6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x538f1a8 | out: ppv=0x538f1a8*=0x5c5cc0) returned 0x0 [0183.641] WbemDefPath:IUnknown:QueryInterface (in: This=0x5c5cc0, riid=0x71b9dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x538f3c0 | out: ppvObject=0x538f3c0*=0x0) returned 0x80004002 [0183.641] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5c5cc0, pUnkOuter=0x0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538f3cc | out: ppvObject=0x538f3cc*=0x59f5d8) returned 0x0 [0183.641] WbemDefPath:IUnknown:Release (This=0x5c5cc0) returned 0x0 [0183.641] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f5d8, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538efec | out: ppvObject=0x538efec*=0x59f5d8) returned 0x0 [0183.641] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f5d8, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x538efa0 | out: ppvObject=0x538efa0*=0x0) returned 0x80004002 [0183.641] WbemDefPath:IUnknown:AddRef (This=0x59f5d8) returned 0x3 [0183.641] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f5d8, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x538e8fc | out: ppvObject=0x538e8fc*=0x0) returned 0x80004002 [0183.641] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f5d8, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x538e8ac | out: ppvObject=0x538e8ac*=0x0) returned 0x80004002 [0183.641] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f5d8, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538e8b8 | out: ppvObject=0x538e8b8*=0x5c5cd0) returned 0x0 [0183.641] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5c5cd0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x538e8c0 | out: pCid=0x538e8c0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0183.641] WbemDefPath:IUnknown:Release (This=0x5c5cd0) returned 0x3 [0183.641] CoGetContextToken (in: pToken=0x538e918 | out: pToken=0x538e918) returned 0x0 [0183.641] CoGetContextToken (in: pToken=0x538ed2c | out: pToken=0x538ed2c) returned 0x0 [0183.641] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f5d8, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538edac | out: ppvObject=0x538edac*=0x0) returned 0x80004002 [0183.642] WbemDefPath:IUnknown:Release (This=0x59f5d8) returned 0x2 [0183.642] WbemDefPath:IUnknown:Release (This=0x59f5d8) returned 0x1 [0183.642] SetEvent (hEvent=0x2f8) returned 1 [0184.340] CoGetClassObject (in: rclsid=0x5cf254*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71bd6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x538f1a8 | out: ppv=0x538f1a8*=0x5c5d70) returned 0x0 [0184.341] WbemDefPath:IUnknown:QueryInterface (in: This=0x5c5d70, riid=0x71b9dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x538f3c0 | out: ppvObject=0x538f3c0*=0x0) returned 0x80004002 [0184.341] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5c5d70, pUnkOuter=0x0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538f3cc | out: ppvObject=0x538f3cc*=0x59f648) returned 0x0 [0184.341] WbemDefPath:IUnknown:Release (This=0x5c5d70) returned 0x0 [0184.341] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f648, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538efec | out: ppvObject=0x538efec*=0x59f648) returned 0x0 [0184.341] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f648, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x538efa0 | out: ppvObject=0x538efa0*=0x0) returned 0x80004002 [0184.341] WbemDefPath:IUnknown:AddRef (This=0x59f648) returned 0x3 [0184.341] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f648, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x538e8fc | out: ppvObject=0x538e8fc*=0x0) returned 0x80004002 [0184.341] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f648, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x538e8ac | out: ppvObject=0x538e8ac*=0x0) returned 0x80004002 [0184.341] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f648, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538e8b8 | out: ppvObject=0x538e8b8*=0x5c5d80) returned 0x0 [0184.341] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5c5d80, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x538e8c0 | out: pCid=0x538e8c0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0184.341] WbemDefPath:IUnknown:Release (This=0x5c5d80) returned 0x3 [0184.341] CoGetContextToken (in: pToken=0x538e918 | out: pToken=0x538e918) returned 0x0 [0184.341] CoGetContextToken (in: pToken=0x538ed2c | out: pToken=0x538ed2c) returned 0x0 [0184.341] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f648, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538edac | out: ppvObject=0x538edac*=0x0) returned 0x80004002 [0184.342] WbemDefPath:IUnknown:Release (This=0x59f648) returned 0x2 [0184.342] WbemDefPath:IUnknown:Release (This=0x59f648) returned 0x1 [0184.342] SetEvent (hEvent=0x34c) returned 1 [0194.140] CoGetClassObject (in: rclsid=0x5cf254*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71bd6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x538f1a8 | out: ppv=0x538f1a8*=0x5c5e10) returned 0x0 [0194.141] WbemDefPath:IUnknown:QueryInterface (in: This=0x5c5e10, riid=0x71b9dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x538f3c0 | out: ppvObject=0x538f3c0*=0x0) returned 0x80004002 [0194.141] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5c5e10, pUnkOuter=0x0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538f3cc | out: ppvObject=0x538f3cc*=0x59f728) returned 0x0 [0194.141] WbemDefPath:IUnknown:Release (This=0x5c5e10) returned 0x0 [0194.141] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f728, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538efec | out: ppvObject=0x538efec*=0x59f728) returned 0x0 [0194.141] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f728, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x538efa0 | out: ppvObject=0x538efa0*=0x0) returned 0x80004002 [0194.142] WbemDefPath:IUnknown:AddRef (This=0x59f728) returned 0x3 [0194.142] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f728, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x538e8fc | out: ppvObject=0x538e8fc*=0x0) returned 0x80004002 [0194.142] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f728, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x538e8ac | out: ppvObject=0x538e8ac*=0x0) returned 0x80004002 [0194.142] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f728, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538e8b8 | out: ppvObject=0x538e8b8*=0x5c5e30) returned 0x0 [0194.142] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5c5e30, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x538e8c0 | out: pCid=0x538e8c0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0194.142] WbemDefPath:IUnknown:Release (This=0x5c5e30) returned 0x3 [0194.142] CoGetContextToken (in: pToken=0x538e918 | out: pToken=0x538e918) returned 0x0 [0194.142] CoGetContextToken (in: pToken=0x538ed2c | out: pToken=0x538ed2c) returned 0x0 [0194.142] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f728, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538edac | out: ppvObject=0x538edac*=0x0) returned 0x80004002 [0194.142] WbemDefPath:IUnknown:Release (This=0x59f728) returned 0x2 [0194.142] WbemDefPath:IUnknown:Release (This=0x59f728) returned 0x1 [0194.142] SetEvent (hEvent=0x354) returned 1 [0194.186] CoGetClassObject (in: rclsid=0x5cf254*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71bd6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x538f1a8 | out: ppv=0x538f1a8*=0x5734c0) returned 0x0 [0194.186] WbemDefPath:IUnknown:QueryInterface (in: This=0x5734c0, riid=0x71b9dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x538f3c0 | out: ppvObject=0x538f3c0*=0x0) returned 0x80004002 [0194.186] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5734c0, pUnkOuter=0x0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538f3cc | out: ppvObject=0x538f3cc*=0x59f798) returned 0x0 [0194.186] WbemDefPath:IUnknown:Release (This=0x5734c0) returned 0x0 [0194.187] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f798, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538efec | out: ppvObject=0x538efec*=0x59f798) returned 0x0 [0194.187] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f798, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x538efa0 | out: ppvObject=0x538efa0*=0x0) returned 0x80004002 [0194.187] WbemDefPath:IUnknown:AddRef (This=0x59f798) returned 0x3 [0194.187] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f798, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x538e8fc | out: ppvObject=0x538e8fc*=0x0) returned 0x80004002 [0194.187] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f798, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x538e8ac | out: ppvObject=0x538e8ac*=0x0) returned 0x80004002 [0194.187] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f798, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538e8b8 | out: ppvObject=0x538e8b8*=0x5c5e00) returned 0x0 [0194.187] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5c5e00, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x538e8c0 | out: pCid=0x538e8c0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0194.187] WbemDefPath:IUnknown:Release (This=0x5c5e00) returned 0x3 [0194.187] CoGetContextToken (in: pToken=0x538e918 | out: pToken=0x538e918) returned 0x0 [0194.187] CoGetContextToken (in: pToken=0x538ed2c | out: pToken=0x538ed2c) returned 0x0 [0194.187] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f798, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538edac | out: ppvObject=0x538edac*=0x0) returned 0x80004002 [0194.187] WbemDefPath:IUnknown:Release (This=0x59f798) returned 0x2 [0194.187] WbemDefPath:IUnknown:Release (This=0x59f798) returned 0x1 [0194.187] SetEvent (hEvent=0x358) returned 1 [0194.190] CoGetClassObject (in: rclsid=0x5cf254*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71bd6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x538f1a8 | out: ppv=0x538f1a8*=0x5c5df0) returned 0x0 [0194.190] WbemDefPath:IUnknown:QueryInterface (in: This=0x5c5df0, riid=0x71b9dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x538f3c0 | out: ppvObject=0x538f3c0*=0x0) returned 0x80004002 [0194.190] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5c5df0, pUnkOuter=0x0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538f3cc | out: ppvObject=0x538f3cc*=0x59f808) returned 0x0 [0194.190] WbemDefPath:IUnknown:Release (This=0x5c5df0) returned 0x0 [0194.190] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f808, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538efec | out: ppvObject=0x538efec*=0x59f808) returned 0x0 [0194.190] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f808, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x538efa0 | out: ppvObject=0x538efa0*=0x0) returned 0x80004002 [0194.191] WbemDefPath:IUnknown:AddRef (This=0x59f808) returned 0x3 [0194.191] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f808, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x538e8fc | out: ppvObject=0x538e8fc*=0x0) returned 0x80004002 [0194.191] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f808, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x538e8ac | out: ppvObject=0x538e8ac*=0x0) returned 0x80004002 [0194.191] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f808, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538e8b8 | out: ppvObject=0x538e8b8*=0x5f6bb0) returned 0x0 [0194.191] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5f6bb0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x538e8c0 | out: pCid=0x538e8c0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0194.191] WbemDefPath:IUnknown:Release (This=0x5f6bb0) returned 0x3 [0194.191] CoGetContextToken (in: pToken=0x538e918 | out: pToken=0x538e918) returned 0x0 [0194.191] CoGetContextToken (in: pToken=0x538ed2c | out: pToken=0x538ed2c) returned 0x0 [0194.191] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f808, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538edac | out: ppvObject=0x538edac*=0x0) returned 0x80004002 [0194.191] WbemDefPath:IUnknown:Release (This=0x59f808) returned 0x2 [0194.191] WbemDefPath:IUnknown:Release (This=0x59f808) returned 0x1 [0194.191] SetEvent (hEvent=0x35c) returned 1 [0194.294] CoGetClassObject (in: rclsid=0x5cf254*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71bd6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x538f1a8 | out: ppv=0x538f1a8*=0x5f6bf0) returned 0x0 [0194.294] WbemDefPath:IUnknown:QueryInterface (in: This=0x5f6bf0, riid=0x71b9dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x538f3c0 | out: ppvObject=0x538f3c0*=0x0) returned 0x80004002 [0194.294] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5f6bf0, pUnkOuter=0x0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538f3cc | out: ppvObject=0x538f3cc*=0x59f878) returned 0x0 [0194.294] WbemDefPath:IUnknown:Release (This=0x5f6bf0) returned 0x0 [0194.294] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f878, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538efec | out: ppvObject=0x538efec*=0x59f878) returned 0x0 [0194.294] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f878, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x538efa0 | out: ppvObject=0x538efa0*=0x0) returned 0x80004002 [0194.295] WbemDefPath:IUnknown:AddRef (This=0x59f878) returned 0x3 [0194.295] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f878, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x538e8fc | out: ppvObject=0x538e8fc*=0x0) returned 0x80004002 [0194.295] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f878, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x538e8ac | out: ppvObject=0x538e8ac*=0x0) returned 0x80004002 [0194.295] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f878, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538e8b8 | out: ppvObject=0x538e8b8*=0x5f6c20) returned 0x0 [0194.295] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5f6c20, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x538e8c0 | out: pCid=0x538e8c0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0194.295] WbemDefPath:IUnknown:Release (This=0x5f6c20) returned 0x3 [0194.295] CoGetContextToken (in: pToken=0x538e918 | out: pToken=0x538e918) returned 0x0 [0194.295] CoGetContextToken (in: pToken=0x538ed2c | out: pToken=0x538ed2c) returned 0x0 [0194.295] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f878, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538edac | out: ppvObject=0x538edac*=0x0) returned 0x80004002 [0194.295] WbemDefPath:IUnknown:Release (This=0x59f878) returned 0x2 [0194.295] WbemDefPath:IUnknown:Release (This=0x59f878) returned 0x1 [0194.295] SetEvent (hEvent=0x38c) returned 1 [0194.500] CoGetClassObject (in: rclsid=0x5cf254*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71bd6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x538f1a8 | out: ppv=0x538f1a8*=0x5f6ca0) returned 0x0 [0194.501] WbemDefPath:IUnknown:QueryInterface (in: This=0x5f6ca0, riid=0x71b9dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x538f3c0 | out: ppvObject=0x538f3c0*=0x0) returned 0x80004002 [0194.501] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5f6ca0, pUnkOuter=0x0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538f3cc | out: ppvObject=0x538f3cc*=0x59f8e8) returned 0x0 [0194.501] WbemDefPath:IUnknown:Release (This=0x5f6ca0) returned 0x0 [0194.501] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f8e8, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538efec | out: ppvObject=0x538efec*=0x59f8e8) returned 0x0 [0194.501] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f8e8, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x538efa0 | out: ppvObject=0x538efa0*=0x0) returned 0x80004002 [0194.501] WbemDefPath:IUnknown:AddRef (This=0x59f8e8) returned 0x3 [0194.501] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f8e8, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x538e8fc | out: ppvObject=0x538e8fc*=0x0) returned 0x80004002 [0194.501] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f8e8, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x538e8ac | out: ppvObject=0x538e8ac*=0x0) returned 0x80004002 [0194.501] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f8e8, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538e8b8 | out: ppvObject=0x538e8b8*=0x5f6cb0) returned 0x0 [0194.501] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5f6cb0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x538e8c0 | out: pCid=0x538e8c0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0194.501] WbemDefPath:IUnknown:Release (This=0x5f6cb0) returned 0x3 [0194.501] CoGetContextToken (in: pToken=0x538e918 | out: pToken=0x538e918) returned 0x0 [0194.501] CoGetContextToken (in: pToken=0x538ed2c | out: pToken=0x538ed2c) returned 0x0 [0194.502] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f8e8, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538edac | out: ppvObject=0x538edac*=0x0) returned 0x80004002 [0194.502] WbemDefPath:IUnknown:Release (This=0x59f8e8) returned 0x2 [0194.502] WbemDefPath:IUnknown:Release (This=0x59f8e8) returned 0x1 [0194.502] SetEvent (hEvent=0x390) returned 1 [0194.524] CoGetClassObject (in: rclsid=0x5cf254*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71bd6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x538f1a8 | out: ppv=0x538f1a8*=0x5f6cf0) returned 0x0 [0194.524] WbemDefPath:IUnknown:QueryInterface (in: This=0x5f6cf0, riid=0x71b9dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x538f3c0 | out: ppvObject=0x538f3c0*=0x0) returned 0x80004002 [0194.525] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5f6cf0, pUnkOuter=0x0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538f3cc | out: ppvObject=0x538f3cc*=0x59f958) returned 0x0 [0194.525] WbemDefPath:IUnknown:Release (This=0x5f6cf0) returned 0x0 [0194.525] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f958, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538efec | out: ppvObject=0x538efec*=0x59f958) returned 0x0 [0194.525] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f958, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x538efa0 | out: ppvObject=0x538efa0*=0x0) returned 0x80004002 [0194.525] WbemDefPath:IUnknown:AddRef (This=0x59f958) returned 0x3 [0194.525] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f958, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x538e8fc | out: ppvObject=0x538e8fc*=0x0) returned 0x80004002 [0194.525] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f958, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x538e8ac | out: ppvObject=0x538e8ac*=0x0) returned 0x80004002 [0194.525] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f958, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538e8b8 | out: ppvObject=0x538e8b8*=0x5f6d00) returned 0x0 [0194.525] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5f6d00, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x538e8c0 | out: pCid=0x538e8c0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0194.525] WbemDefPath:IUnknown:Release (This=0x5f6d00) returned 0x3 [0194.525] CoGetContextToken (in: pToken=0x538e918 | out: pToken=0x538e918) returned 0x0 [0194.525] CoGetContextToken (in: pToken=0x538ed2c | out: pToken=0x538ed2c) returned 0x0 [0194.525] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f958, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538edac | out: ppvObject=0x538edac*=0x0) returned 0x80004002 [0194.528] WbemDefPath:IUnknown:Release (This=0x59f958) returned 0x2 [0194.528] WbemDefPath:IUnknown:Release (This=0x59f958) returned 0x1 [0194.528] SetEvent (hEvent=0x394) returned 1 [0194.535] CoGetClassObject (in: rclsid=0x5cf254*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71bd6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x538f1a8 | out: ppv=0x538f1a8*=0x5f6d40) returned 0x0 [0194.535] WbemDefPath:IUnknown:QueryInterface (in: This=0x5f6d40, riid=0x71b9dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x538f3c0 | out: ppvObject=0x538f3c0*=0x0) returned 0x80004002 [0194.535] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5f6d40, pUnkOuter=0x0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538f3cc | out: ppvObject=0x538f3cc*=0x59f9c8) returned 0x0 [0194.536] WbemDefPath:IUnknown:Release (This=0x5f6d40) returned 0x0 [0194.536] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f9c8, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538efec | out: ppvObject=0x538efec*=0x59f9c8) returned 0x0 [0194.536] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f9c8, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x538efa0 | out: ppvObject=0x538efa0*=0x0) returned 0x80004002 [0194.536] WbemDefPath:IUnknown:AddRef (This=0x59f9c8) returned 0x3 [0194.536] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f9c8, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x538e8fc | out: ppvObject=0x538e8fc*=0x0) returned 0x80004002 [0194.536] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f9c8, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x538e8ac | out: ppvObject=0x538e8ac*=0x0) returned 0x80004002 [0194.536] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f9c8, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538e8b8 | out: ppvObject=0x538e8b8*=0x5f6d50) returned 0x0 [0194.536] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5f6d50, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x538e8c0 | out: pCid=0x538e8c0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0194.536] WbemDefPath:IUnknown:Release (This=0x5f6d50) returned 0x3 [0194.536] CoGetContextToken (in: pToken=0x538e918 | out: pToken=0x538e918) returned 0x0 [0194.536] CoGetContextToken (in: pToken=0x538ed2c | out: pToken=0x538ed2c) returned 0x0 [0194.536] WbemDefPath:IUnknown:QueryInterface (in: This=0x59f9c8, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538edac | out: ppvObject=0x538edac*=0x0) returned 0x80004002 [0194.536] WbemDefPath:IUnknown:Release (This=0x59f9c8) returned 0x2 [0194.536] WbemDefPath:IUnknown:Release (This=0x59f9c8) returned 0x1 [0194.536] SetEvent (hEvent=0x398) returned 1 [0194.543] CoGetClassObject (in: rclsid=0x5cf254*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71bd6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x538f1a8 | out: ppv=0x538f1a8*=0x5f6d90) returned 0x0 [0194.543] WbemDefPath:IUnknown:QueryInterface (in: This=0x5f6d90, riid=0x71b9dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x538f3c0 | out: ppvObject=0x538f3c0*=0x0) returned 0x80004002 [0194.543] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5f6d90, pUnkOuter=0x0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538f3cc | out: ppvObject=0x538f3cc*=0x60d1a0) returned 0x0 [0194.543] WbemDefPath:IUnknown:Release (This=0x5f6d90) returned 0x0 [0194.543] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d1a0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538efec | out: ppvObject=0x538efec*=0x60d1a0) returned 0x0 [0194.543] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d1a0, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x538efa0 | out: ppvObject=0x538efa0*=0x0) returned 0x80004002 [0194.544] WbemDefPath:IUnknown:AddRef (This=0x60d1a0) returned 0x3 [0194.544] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d1a0, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x538e8fc | out: ppvObject=0x538e8fc*=0x0) returned 0x80004002 [0194.544] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d1a0, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x538e8ac | out: ppvObject=0x538e8ac*=0x0) returned 0x80004002 [0194.544] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d1a0, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538e8b8 | out: ppvObject=0x538e8b8*=0x5f6da0) returned 0x0 [0194.544] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5f6da0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x538e8c0 | out: pCid=0x538e8c0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0194.544] WbemDefPath:IUnknown:Release (This=0x5f6da0) returned 0x3 [0194.544] CoGetContextToken (in: pToken=0x538e918 | out: pToken=0x538e918) returned 0x0 [0194.544] CoGetContextToken (in: pToken=0x538ed2c | out: pToken=0x538ed2c) returned 0x0 [0194.544] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d1a0, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538edac | out: ppvObject=0x538edac*=0x0) returned 0x80004002 [0194.544] WbemDefPath:IUnknown:Release (This=0x60d1a0) returned 0x2 [0194.544] WbemDefPath:IUnknown:Release (This=0x60d1a0) returned 0x1 [0194.544] SetEvent (hEvent=0x39c) returned 1 [0194.551] CoGetClassObject (in: rclsid=0x5cf254*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71bd6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x538f1a8 | out: ppv=0x538f1a8*=0x5f6de0) returned 0x0 [0194.551] WbemDefPath:IUnknown:QueryInterface (in: This=0x5f6de0, riid=0x71b9dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x538f3c0 | out: ppvObject=0x538f3c0*=0x0) returned 0x80004002 [0194.551] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5f6de0, pUnkOuter=0x0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538f3cc | out: ppvObject=0x538f3cc*=0x60d210) returned 0x0 [0194.551] WbemDefPath:IUnknown:Release (This=0x5f6de0) returned 0x0 [0194.551] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d210, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538efec | out: ppvObject=0x538efec*=0x60d210) returned 0x0 [0194.551] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d210, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x538efa0 | out: ppvObject=0x538efa0*=0x0) returned 0x80004002 [0194.551] WbemDefPath:IUnknown:AddRef (This=0x60d210) returned 0x3 [0194.551] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d210, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x538e8fc | out: ppvObject=0x538e8fc*=0x0) returned 0x80004002 [0194.551] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d210, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x538e8ac | out: ppvObject=0x538e8ac*=0x0) returned 0x80004002 [0194.552] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d210, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538e8b8 | out: ppvObject=0x538e8b8*=0x5f6df0) returned 0x0 [0194.552] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5f6df0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x538e8c0 | out: pCid=0x538e8c0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0194.552] WbemDefPath:IUnknown:Release (This=0x5f6df0) returned 0x3 [0194.552] CoGetContextToken (in: pToken=0x538e918 | out: pToken=0x538e918) returned 0x0 [0194.552] CoGetContextToken (in: pToken=0x538ed2c | out: pToken=0x538ed2c) returned 0x0 [0194.552] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d210, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538edac | out: ppvObject=0x538edac*=0x0) returned 0x80004002 [0194.552] WbemDefPath:IUnknown:Release (This=0x60d210) returned 0x2 [0194.552] WbemDefPath:IUnknown:Release (This=0x60d210) returned 0x1 [0194.552] SetEvent (hEvent=0x3a0) returned 1 [0194.559] CoGetClassObject (in: rclsid=0x5cf254*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71bd6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x538f1a8 | out: ppv=0x538f1a8*=0x5f6e30) returned 0x0 [0194.560] WbemDefPath:IUnknown:QueryInterface (in: This=0x5f6e30, riid=0x71b9dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x538f3c0 | out: ppvObject=0x538f3c0*=0x0) returned 0x80004002 [0194.560] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5f6e30, pUnkOuter=0x0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538f3cc | out: ppvObject=0x538f3cc*=0x60d280) returned 0x0 [0194.560] WbemDefPath:IUnknown:Release (This=0x5f6e30) returned 0x0 [0194.560] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d280, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538efec | out: ppvObject=0x538efec*=0x60d280) returned 0x0 [0194.560] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d280, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x538efa0 | out: ppvObject=0x538efa0*=0x0) returned 0x80004002 [0194.560] WbemDefPath:IUnknown:AddRef (This=0x60d280) returned 0x3 [0194.560] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d280, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x538e8fc | out: ppvObject=0x538e8fc*=0x0) returned 0x80004002 [0194.560] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d280, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x538e8ac | out: ppvObject=0x538e8ac*=0x0) returned 0x80004002 [0194.560] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d280, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538e8b8 | out: ppvObject=0x538e8b8*=0x5f6e40) returned 0x0 [0194.560] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5f6e40, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x538e8c0 | out: pCid=0x538e8c0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0194.560] WbemDefPath:IUnknown:Release (This=0x5f6e40) returned 0x3 [0194.560] CoGetContextToken (in: pToken=0x538e918 | out: pToken=0x538e918) returned 0x0 [0194.561] CoGetContextToken (in: pToken=0x538ed2c | out: pToken=0x538ed2c) returned 0x0 [0194.561] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d280, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538edac | out: ppvObject=0x538edac*=0x0) returned 0x80004002 [0194.561] WbemDefPath:IUnknown:Release (This=0x60d280) returned 0x2 [0194.561] WbemDefPath:IUnknown:Release (This=0x60d280) returned 0x1 [0194.561] SetEvent (hEvent=0x3a4) returned 1 [0194.567] CoGetClassObject (in: rclsid=0x5cf254*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71bd6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x538f1a8 | out: ppv=0x538f1a8*=0x5f6e80) returned 0x0 [0194.567] WbemDefPath:IUnknown:QueryInterface (in: This=0x5f6e80, riid=0x71b9dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x538f3c0 | out: ppvObject=0x538f3c0*=0x0) returned 0x80004002 [0194.567] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5f6e80, pUnkOuter=0x0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538f3cc | out: ppvObject=0x538f3cc*=0x60d2f0) returned 0x0 [0194.567] WbemDefPath:IUnknown:Release (This=0x5f6e80) returned 0x0 [0194.567] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d2f0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538efec | out: ppvObject=0x538efec*=0x60d2f0) returned 0x0 [0194.567] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d2f0, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x538efa0 | out: ppvObject=0x538efa0*=0x0) returned 0x80004002 [0194.567] WbemDefPath:IUnknown:AddRef (This=0x60d2f0) returned 0x3 [0194.567] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d2f0, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x538e8fc | out: ppvObject=0x538e8fc*=0x0) returned 0x80004002 [0194.567] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d2f0, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x538e8ac | out: ppvObject=0x538e8ac*=0x0) returned 0x80004002 [0194.567] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d2f0, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538e8b8 | out: ppvObject=0x538e8b8*=0x5f6e90) returned 0x0 [0194.568] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5f6e90, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x538e8c0 | out: pCid=0x538e8c0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0194.568] WbemDefPath:IUnknown:Release (This=0x5f6e90) returned 0x3 [0194.568] CoGetContextToken (in: pToken=0x538e918 | out: pToken=0x538e918) returned 0x0 [0194.568] CoGetContextToken (in: pToken=0x538ed2c | out: pToken=0x538ed2c) returned 0x0 [0194.568] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d2f0, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538edac | out: ppvObject=0x538edac*=0x0) returned 0x80004002 [0194.568] WbemDefPath:IUnknown:Release (This=0x60d2f0) returned 0x2 [0194.568] WbemDefPath:IUnknown:Release (This=0x60d2f0) returned 0x1 [0194.568] SetEvent (hEvent=0x3a8) returned 1 [0194.574] CoGetClassObject (in: rclsid=0x5cf254*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71bd6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x538f1a8 | out: ppv=0x538f1a8*=0x5f6ed0) returned 0x0 [0194.575] WbemDefPath:IUnknown:QueryInterface (in: This=0x5f6ed0, riid=0x71b9dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x538f3c0 | out: ppvObject=0x538f3c0*=0x0) returned 0x80004002 [0194.575] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5f6ed0, pUnkOuter=0x0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538f3cc | out: ppvObject=0x538f3cc*=0x60d360) returned 0x0 [0194.575] WbemDefPath:IUnknown:Release (This=0x5f6ed0) returned 0x0 [0194.575] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d360, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538efec | out: ppvObject=0x538efec*=0x60d360) returned 0x0 [0194.575] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d360, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x538efa0 | out: ppvObject=0x538efa0*=0x0) returned 0x80004002 [0194.575] WbemDefPath:IUnknown:AddRef (This=0x60d360) returned 0x3 [0194.575] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d360, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x538e8fc | out: ppvObject=0x538e8fc*=0x0) returned 0x80004002 [0194.575] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d360, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x538e8ac | out: ppvObject=0x538e8ac*=0x0) returned 0x80004002 [0194.575] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d360, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538e8b8 | out: ppvObject=0x538e8b8*=0x5f6ee0) returned 0x0 [0194.575] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5f6ee0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x538e8c0 | out: pCid=0x538e8c0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0194.575] WbemDefPath:IUnknown:Release (This=0x5f6ee0) returned 0x3 [0194.576] CoGetContextToken (in: pToken=0x538e918 | out: pToken=0x538e918) returned 0x0 [0194.576] CoGetContextToken (in: pToken=0x538ed2c | out: pToken=0x538ed2c) returned 0x0 [0194.576] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d360, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538edac | out: ppvObject=0x538edac*=0x0) returned 0x80004002 [0194.576] WbemDefPath:IUnknown:Release (This=0x60d360) returned 0x2 [0194.576] WbemDefPath:IUnknown:Release (This=0x60d360) returned 0x1 [0194.576] SetEvent (hEvent=0x3ac) returned 1 [0194.582] CoGetClassObject (in: rclsid=0x5cf254*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71bd6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x538f1a8 | out: ppv=0x538f1a8*=0x5f6f20) returned 0x0 [0194.582] WbemDefPath:IUnknown:QueryInterface (in: This=0x5f6f20, riid=0x71b9dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x538f3c0 | out: ppvObject=0x538f3c0*=0x0) returned 0x80004002 [0194.582] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5f6f20, pUnkOuter=0x0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538f3cc | out: ppvObject=0x538f3cc*=0x60d3d0) returned 0x0 [0194.583] WbemDefPath:IUnknown:Release (This=0x5f6f20) returned 0x0 [0194.583] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d3d0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538efec | out: ppvObject=0x538efec*=0x60d3d0) returned 0x0 [0194.583] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d3d0, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x538efa0 | out: ppvObject=0x538efa0*=0x0) returned 0x80004002 [0194.583] WbemDefPath:IUnknown:AddRef (This=0x60d3d0) returned 0x3 [0194.583] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d3d0, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x538e8fc | out: ppvObject=0x538e8fc*=0x0) returned 0x80004002 [0194.583] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d3d0, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x538e8ac | out: ppvObject=0x538e8ac*=0x0) returned 0x80004002 [0194.583] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d3d0, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538e8b8 | out: ppvObject=0x538e8b8*=0x5f6f30) returned 0x0 [0194.583] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5f6f30, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x538e8c0 | out: pCid=0x538e8c0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0194.583] WbemDefPath:IUnknown:Release (This=0x5f6f30) returned 0x3 [0194.583] CoGetContextToken (in: pToken=0x538e918 | out: pToken=0x538e918) returned 0x0 [0194.583] CoGetContextToken (in: pToken=0x538ed2c | out: pToken=0x538ed2c) returned 0x0 [0194.583] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d3d0, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538edac | out: ppvObject=0x538edac*=0x0) returned 0x80004002 [0194.583] WbemDefPath:IUnknown:Release (This=0x60d3d0) returned 0x2 [0194.583] WbemDefPath:IUnknown:Release (This=0x60d3d0) returned 0x1 [0194.583] SetEvent (hEvent=0x3b0) returned 1 [0194.590] CoGetClassObject (in: rclsid=0x5cf254*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71bd6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x538f1a8 | out: ppv=0x538f1a8*=0x5f6f70) returned 0x0 [0194.590] WbemDefPath:IUnknown:QueryInterface (in: This=0x5f6f70, riid=0x71b9dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x538f3c0 | out: ppvObject=0x538f3c0*=0x0) returned 0x80004002 [0194.590] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5f6f70, pUnkOuter=0x0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538f3cc | out: ppvObject=0x538f3cc*=0x60d440) returned 0x0 [0194.590] WbemDefPath:IUnknown:Release (This=0x5f6f70) returned 0x0 [0194.590] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d440, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538efec | out: ppvObject=0x538efec*=0x60d440) returned 0x0 [0194.590] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d440, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x538efa0 | out: ppvObject=0x538efa0*=0x0) returned 0x80004002 [0194.591] WbemDefPath:IUnknown:AddRef (This=0x60d440) returned 0x3 [0194.591] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d440, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x538e8fc | out: ppvObject=0x538e8fc*=0x0) returned 0x80004002 [0194.591] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d440, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x538e8ac | out: ppvObject=0x538e8ac*=0x0) returned 0x80004002 [0194.591] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d440, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538e8b8 | out: ppvObject=0x538e8b8*=0x5f6f80) returned 0x0 [0194.591] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5f6f80, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x538e8c0 | out: pCid=0x538e8c0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0194.591] WbemDefPath:IUnknown:Release (This=0x5f6f80) returned 0x3 [0194.591] CoGetContextToken (in: pToken=0x538e918 | out: pToken=0x538e918) returned 0x0 [0194.591] CoGetContextToken (in: pToken=0x538ed2c | out: pToken=0x538ed2c) returned 0x0 [0194.591] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d440, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538edac | out: ppvObject=0x538edac*=0x0) returned 0x80004002 [0194.591] WbemDefPath:IUnknown:Release (This=0x60d440) returned 0x2 [0194.591] WbemDefPath:IUnknown:Release (This=0x60d440) returned 0x1 [0194.591] SetEvent (hEvent=0x3b4) returned 1 [0194.597] CoGetClassObject (in: rclsid=0x5cf254*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71bd6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x538f1a8 | out: ppv=0x538f1a8*=0x6152a0) returned 0x0 [0194.598] WbemDefPath:IUnknown:QueryInterface (in: This=0x6152a0, riid=0x71b9dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x538f3c0 | out: ppvObject=0x538f3c0*=0x0) returned 0x80004002 [0194.598] WbemDefPath:IClassFactory:CreateInstance (in: This=0x6152a0, pUnkOuter=0x0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538f3cc | out: ppvObject=0x538f3cc*=0x60d4b0) returned 0x0 [0194.598] WbemDefPath:IUnknown:Release (This=0x6152a0) returned 0x0 [0194.598] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d4b0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538efec | out: ppvObject=0x538efec*=0x60d4b0) returned 0x0 [0194.598] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d4b0, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x538efa0 | out: ppvObject=0x538efa0*=0x0) returned 0x80004002 [0194.598] WbemDefPath:IUnknown:AddRef (This=0x60d4b0) returned 0x3 [0194.598] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d4b0, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x538e8fc | out: ppvObject=0x538e8fc*=0x0) returned 0x80004002 [0194.598] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d4b0, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x538e8ac | out: ppvObject=0x538e8ac*=0x0) returned 0x80004002 [0194.598] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d4b0, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538e8b8 | out: ppvObject=0x538e8b8*=0x6152b0) returned 0x0 [0194.598] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x6152b0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x538e8c0 | out: pCid=0x538e8c0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0194.598] WbemDefPath:IUnknown:Release (This=0x6152b0) returned 0x3 [0194.598] CoGetContextToken (in: pToken=0x538e918 | out: pToken=0x538e918) returned 0x0 [0194.599] CoGetContextToken (in: pToken=0x538ed2c | out: pToken=0x538ed2c) returned 0x0 [0194.599] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d4b0, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538edac | out: ppvObject=0x538edac*=0x0) returned 0x80004002 [0194.599] WbemDefPath:IUnknown:Release (This=0x60d4b0) returned 0x2 [0194.599] WbemDefPath:IUnknown:Release (This=0x60d4b0) returned 0x1 [0194.599] SetEvent (hEvent=0x3b8) returned 1 [0194.605] CoGetClassObject (in: rclsid=0x5cf254*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71bd6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x538f1a8 | out: ppv=0x538f1a8*=0x6152f0) returned 0x0 [0194.605] WbemDefPath:IUnknown:QueryInterface (in: This=0x6152f0, riid=0x71b9dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x538f3c0 | out: ppvObject=0x538f3c0*=0x0) returned 0x80004002 [0194.605] WbemDefPath:IClassFactory:CreateInstance (in: This=0x6152f0, pUnkOuter=0x0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538f3cc | out: ppvObject=0x538f3cc*=0x60d520) returned 0x0 [0194.605] WbemDefPath:IUnknown:Release (This=0x6152f0) returned 0x0 [0194.605] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d520, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538efec | out: ppvObject=0x538efec*=0x60d520) returned 0x0 [0194.605] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d520, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x538efa0 | out: ppvObject=0x538efa0*=0x0) returned 0x80004002 [0194.606] WbemDefPath:IUnknown:AddRef (This=0x60d520) returned 0x3 [0194.606] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d520, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x538e8fc | out: ppvObject=0x538e8fc*=0x0) returned 0x80004002 [0194.606] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d520, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x538e8ac | out: ppvObject=0x538e8ac*=0x0) returned 0x80004002 [0194.606] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d520, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538e8b8 | out: ppvObject=0x538e8b8*=0x615300) returned 0x0 [0194.606] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x615300, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x538e8c0 | out: pCid=0x538e8c0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0194.606] WbemDefPath:IUnknown:Release (This=0x615300) returned 0x3 [0194.606] CoGetContextToken (in: pToken=0x538e918 | out: pToken=0x538e918) returned 0x0 [0194.606] CoGetContextToken (in: pToken=0x538ed2c | out: pToken=0x538ed2c) returned 0x0 [0194.606] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d520, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538edac | out: ppvObject=0x538edac*=0x0) returned 0x80004002 [0194.606] WbemDefPath:IUnknown:Release (This=0x60d520) returned 0x2 [0194.606] WbemDefPath:IUnknown:Release (This=0x60d520) returned 0x1 [0194.606] SetEvent (hEvent=0x3bc) returned 1 [0194.612] CoGetClassObject (in: rclsid=0x5cf254*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71bd6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x538f1a8 | out: ppv=0x538f1a8*=0x615340) returned 0x0 [0194.612] WbemDefPath:IUnknown:QueryInterface (in: This=0x615340, riid=0x71b9dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x538f3c0 | out: ppvObject=0x538f3c0*=0x0) returned 0x80004002 [0194.612] WbemDefPath:IClassFactory:CreateInstance (in: This=0x615340, pUnkOuter=0x0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538f3cc | out: ppvObject=0x538f3cc*=0x60d590) returned 0x0 [0194.613] WbemDefPath:IUnknown:Release (This=0x615340) returned 0x0 [0194.613] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d590, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538efec | out: ppvObject=0x538efec*=0x60d590) returned 0x0 [0194.613] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d590, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x538efa0 | out: ppvObject=0x538efa0*=0x0) returned 0x80004002 [0194.613] WbemDefPath:IUnknown:AddRef (This=0x60d590) returned 0x3 [0194.613] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d590, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x538e8fc | out: ppvObject=0x538e8fc*=0x0) returned 0x80004002 [0194.613] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d590, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x538e8ac | out: ppvObject=0x538e8ac*=0x0) returned 0x80004002 [0194.613] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d590, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538e8b8 | out: ppvObject=0x538e8b8*=0x615350) returned 0x0 [0194.613] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x615350, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x538e8c0 | out: pCid=0x538e8c0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0194.613] WbemDefPath:IUnknown:Release (This=0x615350) returned 0x3 [0194.613] CoGetContextToken (in: pToken=0x538e918 | out: pToken=0x538e918) returned 0x0 [0194.613] CoGetContextToken (in: pToken=0x538ed2c | out: pToken=0x538ed2c) returned 0x0 [0194.613] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d590, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538edac | out: ppvObject=0x538edac*=0x0) returned 0x80004002 [0194.613] WbemDefPath:IUnknown:Release (This=0x60d590) returned 0x2 [0194.613] WbemDefPath:IUnknown:Release (This=0x60d590) returned 0x1 [0194.613] SetEvent (hEvent=0x3c0) returned 1 [0194.619] CoGetClassObject (in: rclsid=0x5cf254*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71bd6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x538f1a8 | out: ppv=0x538f1a8*=0x615390) returned 0x0 [0194.620] WbemDefPath:IUnknown:QueryInterface (in: This=0x615390, riid=0x71b9dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x538f3c0 | out: ppvObject=0x538f3c0*=0x0) returned 0x80004002 [0194.620] WbemDefPath:IClassFactory:CreateInstance (in: This=0x615390, pUnkOuter=0x0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538f3cc | out: ppvObject=0x538f3cc*=0x60d600) returned 0x0 [0194.620] WbemDefPath:IUnknown:Release (This=0x615390) returned 0x0 [0194.620] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d600, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538efec | out: ppvObject=0x538efec*=0x60d600) returned 0x0 [0194.620] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d600, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x538efa0 | out: ppvObject=0x538efa0*=0x0) returned 0x80004002 [0194.620] WbemDefPath:IUnknown:AddRef (This=0x60d600) returned 0x3 [0194.620] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d600, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x538e8fc | out: ppvObject=0x538e8fc*=0x0) returned 0x80004002 [0194.620] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d600, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x538e8ac | out: ppvObject=0x538e8ac*=0x0) returned 0x80004002 [0194.620] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d600, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538e8b8 | out: ppvObject=0x538e8b8*=0x6153a0) returned 0x0 [0194.620] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x6153a0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x538e8c0 | out: pCid=0x538e8c0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0194.620] WbemDefPath:IUnknown:Release (This=0x6153a0) returned 0x3 [0194.620] CoGetContextToken (in: pToken=0x538e918 | out: pToken=0x538e918) returned 0x0 [0194.621] CoGetContextToken (in: pToken=0x538ed2c | out: pToken=0x538ed2c) returned 0x0 [0194.621] WbemDefPath:IUnknown:QueryInterface (in: This=0x60d600, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x538edac | out: ppvObject=0x538edac*=0x0) returned 0x80004002 [0194.621] WbemDefPath:IUnknown:Release (This=0x60d600) returned 0x2 [0194.621] WbemDefPath:IUnknown:Release (This=0x60d600) returned 0x1 [0194.621] SetEvent (hEvent=0x3c4) returned 1 Thread: id = 137 os_tid = 0xb10 [0183.649] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0183.650] IIDFromString (in: lpsz="{4590F811-1D3A-11D0-891F-00AA004B2E24}", lpiid=0x55cf7e4 | out: lpiid=0x55cf7e4) returned 0x0 [0183.651] CoGetClassObject (in: rclsid=0x5cf2e4*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), dwClsContext=0x15, pvReserved=0x0, riid=0x71bd6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x55cf500 | out: ppv=0x55cf500*=0x5d14b0) returned 0x0 [0183.652] WbemLocator:IUnknown:QueryInterface (in: This=0x5d14b0, riid=0x71b9dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x55cf718 | out: ppvObject=0x55cf718*=0x0) returned 0x80004002 [0183.652] WbemLocator:IClassFactory:CreateInstance (in: This=0x5d14b0, pUnkOuter=0x0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x55cf724 | out: ppvObject=0x55cf724*=0x5c5d00) returned 0x0 [0183.652] WbemLocator:IUnknown:Release (This=0x5d14b0) returned 0x0 [0183.652] WbemLocator:IUnknown:QueryInterface (in: This=0x5c5d00, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x55cf344 | out: ppvObject=0x55cf344*=0x5c5d00) returned 0x0 [0183.652] WbemLocator:IUnknown:QueryInterface (in: This=0x5c5d00, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x55cf2f8 | out: ppvObject=0x55cf2f8*=0x0) returned 0x80004002 [0183.652] WbemLocator:IUnknown:AddRef (This=0x5c5d00) returned 0x3 [0183.652] WbemLocator:IUnknown:QueryInterface (in: This=0x5c5d00, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x55cec54 | out: ppvObject=0x55cec54*=0x0) returned 0x80004002 [0183.652] WbemLocator:IUnknown:QueryInterface (in: This=0x5c5d00, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x55cec04 | out: ppvObject=0x55cec04*=0x0) returned 0x80004002 [0183.652] WbemLocator:IUnknown:QueryInterface (in: This=0x5c5d00, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x55cec10 | out: ppvObject=0x55cec10*=0x0) returned 0x80004002 [0183.652] CoGetContextToken (in: pToken=0x55cec70 | out: pToken=0x55cec70) returned 0x0 [0183.652] CoGetObjectContext (in: riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x5d14b4 | out: ppv=0x5d14b4*=0x56edd8) returned 0x0 [0183.655] CoGetContextToken (in: pToken=0x55cf084 | out: pToken=0x55cf084) returned 0x0 [0183.655] WbemLocator:IUnknown:QueryInterface (in: This=0x5c5d00, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x55cf104 | out: ppvObject=0x55cf104*=0x0) returned 0x80004002 [0183.655] WbemLocator:IUnknown:Release (This=0x5c5d00) returned 0x2 [0183.655] WbemLocator:IUnknown:Release (This=0x5c5d00) returned 0x1 [0183.655] CoGetContextToken (in: pToken=0x55cf6fc | out: pToken=0x55cf6fc) returned 0x0 [0183.655] CoGetContextToken (in: pToken=0x55cf65c | out: pToken=0x55cf65c) returned 0x0 [0183.655] WbemLocator:IUnknown:QueryInterface (in: This=0x5c5d00, riid=0x55cf72c*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x55cf728 | out: ppvObject=0x55cf728*=0x5c5d00) returned 0x0 [0183.655] WbemLocator:IUnknown:AddRef (This=0x5c5d00) returned 0x3 [0183.655] WbemLocator:IUnknown:Release (This=0x5c5d00) returned 0x2 [0183.664] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f5d8, puCount=0x55cf8bc | out: puCount=0x55cf8bc*=0x2) returned 0x0 [0183.664] WbemDefPath:IWbemPath:GetText (in: This=0x59f5d8, lFlags=8, puBuffLength=0x55cf8b8*=0x0, pszText=0x0 | out: puBuffLength=0x55cf8b8*=0xf, pszText=0x0) returned 0x0 [0183.664] WbemDefPath:IWbemPath:GetText (in: This=0x59f5d8, lFlags=8, puBuffLength=0x55cf8b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x55cf8b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0183.672] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", nBufferLength=0x105, lpBuffer=0x55ceae0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", lpFilePart=0x0) returned 0x2e [0183.673] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\\\wminet_utils.dll", cchWideChar=63, lpMultiByteStr=0x55cf008, cbMultiByte=65, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\\\wminet_utils.dll", lpUsedDefaultChar=0x0) returned 63 [0183.673] LoadLibraryA (lpLibFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\\\wminet_utils.dll") returned 0x6d4f0000 [0183.796] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ResetSecurity", cchWideChar=13, lpMultiByteStr=0x55cf03c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ResetSecuritym^m+û\x93\x03Dþ¦q\x18ó\\\x05\x01", lpUsedDefaultChar=0x0) returned 13 [0183.796] GetProcAddress (hModule=0x6d4f0000, lpProcName="ResetSecurity") returned 0x6d4f7dd0 [0183.809] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="SetSecurity", cchWideChar=11, lpMultiByteStr=0x55cf03c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetSecurity", lpUsedDefaultChar=0x0) returned 11 [0183.809] GetProcAddress (hModule=0x6d4f0000, lpProcName="SetSecurity") returned 0x6d4f7e20 [0183.818] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BlessIWbemServices", cchWideChar=18, lpMultiByteStr=0x55cf038, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BlessIWbemServices^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 18 [0183.818] GetProcAddress (hModule=0x6d4f0000, lpProcName="BlessIWbemServices") returned 0x6d4f6e70 [0183.845] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BlessIWbemServicesObject", cchWideChar=24, lpMultiByteStr=0x55cf030, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BlessIWbemServicesObject»m^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 24 [0183.845] GetProcAddress (hModule=0x6d4f0000, lpProcName="BlessIWbemServicesObject") returned 0x6d4f6ed0 [0183.878] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetPropertyHandle", cchWideChar=17, lpMultiByteStr=0x55cf038, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetPropertyHandlem^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 17 [0183.878] GetProcAddress (hModule=0x6d4f0000, lpProcName="GetPropertyHandle") returned 0x6d4f7820 [0183.893] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="WritePropertyValue", cchWideChar=18, lpMultiByteStr=0x55cf038, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WritePropertyValue^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 18 [0183.893] GetProcAddress (hModule=0x6d4f0000, lpProcName="WritePropertyValue") returned 0x6d4f7fa0 [0183.903] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Clone", cchWideChar=5, lpMultiByteStr=0x55cf044, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Clonem^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 5 [0183.904] GetProcAddress (hModule=0x6d4f0000, lpProcName="Clone") returned 0x6d4f6f30 [0183.912] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="VerifyClientKey", cchWideChar=15, lpMultiByteStr=0x55cf038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VerifyClientKey", lpUsedDefaultChar=0x0) returned 15 [0183.912] GetProcAddress (hModule=0x6d4f0000, lpProcName="VerifyClientKey") returned 0x6d4f7f20 [0183.917] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetQualifierSet", cchWideChar=15, lpMultiByteStr=0x55cf038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetQualifierSet", lpUsedDefaultChar=0x0) returned 15 [0183.917] GetProcAddress (hModule=0x6d4f0000, lpProcName="GetQualifierSet") returned 0x6d4f78e0 [0183.941] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Get", cchWideChar=3, lpMultiByteStr=0x55cf044, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Get", lpUsedDefaultChar=0x0) returned 3 [0183.941] GetProcAddress (hModule=0x6d4f0000, lpProcName="Get") returned 0x6d4f75c0 [0183.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Put", cchWideChar=3, lpMultiByteStr=0x55cf044, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Put", lpUsedDefaultChar=0x0) returned 3 [0183.960] GetProcAddress (hModule=0x6d4f0000, lpProcName="Put") returned 0x6d4f7a00 [0183.975] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Delete", cchWideChar=6, lpMultiByteStr=0x55cf044, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Delete^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 6 [0183.976] GetProcAddress (hModule=0x6d4f0000, lpProcName="Delete") returned 0x6d4f7300 [0183.985] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetNames", cchWideChar=8, lpMultiByteStr=0x55cf040, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetNames»m^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 8 [0183.986] GetProcAddress (hModule=0x6d4f0000, lpProcName="GetNames") returned 0x6d4f77c0 [0184.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BeginEnumeration", cchWideChar=16, lpMultiByteStr=0x55cf038, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BeginEnumeration»m^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 16 [0184.006] GetProcAddress (hModule=0x6d4f0000, lpProcName="BeginEnumeration") returned 0x6d4f6e30 [0184.014] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Next", cchWideChar=4, lpMultiByteStr=0x55cf044, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Next»m^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 4 [0184.014] GetProcAddress (hModule=0x6d4f0000, lpProcName="Next") returned 0x6d4f79a0 [0184.029] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="EndEnumeration", cchWideChar=14, lpMultiByteStr=0x55cf03c, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EndEnumeration^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 14 [0184.029] GetProcAddress (hModule=0x6d4f0000, lpProcName="EndEnumeration") returned 0x6d4f73c0 [0184.055] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetPropertyQualifierSet", cchWideChar=23, lpMultiByteStr=0x55cf030, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetPropertyQualifierSet", lpUsedDefaultChar=0x0) returned 23 [0184.055] GetProcAddress (hModule=0x6d4f0000, lpProcName="GetPropertyQualifierSet") returned 0x6d4f78b0 [0184.070] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Clone", cchWideChar=5, lpMultiByteStr=0x55cf044, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Clonem^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 5 [0184.070] GetProcAddress (hModule=0x6d4f0000, lpProcName="Clone") returned 0x6d4f6f30 [0184.070] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetObjectText", cchWideChar=13, lpMultiByteStr=0x55cf03c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetObjectTextm^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 13 [0184.070] GetProcAddress (hModule=0x6d4f0000, lpProcName="GetObjectText") returned 0x6d4f77f0 [0184.082] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="SpawnDerivedClass", cchWideChar=17, lpMultiByteStr=0x55cf038, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SpawnDerivedClassm^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 17 [0184.082] GetProcAddress (hModule=0x6d4f0000, lpProcName="SpawnDerivedClass") returned 0x6d4f7e80 [0184.092] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="SpawnInstance", cchWideChar=13, lpMultiByteStr=0x55cf03c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SpawnInstancem^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 13 [0184.093] GetProcAddress (hModule=0x6d4f0000, lpProcName="SpawnInstance") returned 0x6d4f7eb0 [0184.094] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CompareTo", cchWideChar=9, lpMultiByteStr=0x55cf040, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CompareTom^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 9 [0184.095] GetProcAddress (hModule=0x6d4f0000, lpProcName="CompareTo") returned 0x6d4f7020 [0184.104] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetPropertyOrigin", cchWideChar=17, lpMultiByteStr=0x55cf038, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetPropertyOriginm^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 17 [0184.104] GetProcAddress (hModule=0x6d4f0000, lpProcName="GetPropertyOrigin") returned 0x6d4f7880 [0184.118] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="InheritsFrom", cchWideChar=12, lpMultiByteStr=0x55cf03c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InheritsFrom»m^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 12 [0184.118] GetProcAddress (hModule=0x6d4f0000, lpProcName="InheritsFrom") returned 0x6d4f7900 [0184.120] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetMethod", cchWideChar=9, lpMultiByteStr=0x55cf040, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetMethodm^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 9 [0184.120] GetProcAddress (hModule=0x6d4f0000, lpProcName="GetMethod") returned 0x6d4f7730 [0184.133] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="PutMethod", cchWideChar=9, lpMultiByteStr=0x55cf040, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PutMethodm^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 9 [0184.133] GetProcAddress (hModule=0x6d4f0000, lpProcName="PutMethod") returned 0x6d4f7bf0 [0184.153] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="DeleteMethod", cchWideChar=12, lpMultiByteStr=0x55cf03c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DeleteMethod»m^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 12 [0184.153] GetProcAddress (hModule=0x6d4f0000, lpProcName="DeleteMethod") returned 0x6d4f7320 [0184.155] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BeginMethodEnumeration", cchWideChar=22, lpMultiByteStr=0x55cf034, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BeginMethodEnumeration^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 22 [0184.155] GetProcAddress (hModule=0x6d4f0000, lpProcName="BeginMethodEnumeration") returned 0x6d4f6e50 [0184.157] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="NextMethod", cchWideChar=10, lpMultiByteStr=0x55cf040, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NextMethod^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 10 [0184.157] GetProcAddress (hModule=0x6d4f0000, lpProcName="NextMethod") returned 0x6d4f79d0 [0184.171] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="EndMethodEnumeration", cchWideChar=20, lpMultiByteStr=0x55cf034, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EndMethodEnumeration»m^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 20 [0184.171] GetProcAddress (hModule=0x6d4f0000, lpProcName="EndMethodEnumeration") returned 0x6d4f73e0 [0184.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetMethodQualifierSet", cchWideChar=21, lpMultiByteStr=0x55cf034, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetMethodQualifierSetm^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 21 [0184.173] GetProcAddress (hModule=0x6d4f0000, lpProcName="GetMethodQualifierSet") returned 0x6d4f7790 [0184.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetMethodOrigin", cchWideChar=15, lpMultiByteStr=0x55cf038, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetMethodOrigin", lpUsedDefaultChar=0x0) returned 15 [0184.175] GetProcAddress (hModule=0x6d4f0000, lpProcName="GetMethodOrigin") returned 0x6d4f7760 [0184.176] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="QualifierSet_Get", cchWideChar=16, lpMultiByteStr=0x55cf038, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QualifierSet_Get»m^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 16 [0184.176] GetProcAddress (hModule=0x6d4f0000, lpProcName="QualifierSet_Get") returned 0x6d4f7c80 [0184.194] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="QualifierSet_Put", cchWideChar=16, lpMultiByteStr=0x55cf038, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QualifierSet_Put»m^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 16 [0184.195] GetProcAddress (hModule=0x6d4f0000, lpProcName="QualifierSet_Put") returned 0x6d4f7d10 [0184.203] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="QualifierSet_Delete", cchWideChar=19, lpMultiByteStr=0x55cf034, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QualifierSet_Delete", lpUsedDefaultChar=0x0) returned 19 [0184.203] GetProcAddress (hModule=0x6d4f0000, lpProcName="QualifierSet_Delete") returned 0x6d4f7c40 [0184.204] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="QualifierSet_GetNames", cchWideChar=21, lpMultiByteStr=0x55cf034, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QualifierSet_GetNamesm^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 21 [0184.204] GetProcAddress (hModule=0x6d4f0000, lpProcName="QualifierSet_GetNames") returned 0x6d4f7cb0 [0184.205] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="QualifierSet_BeginEnumeration", cchWideChar=29, lpMultiByteStr=0x55cf02c, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QualifierSet_BeginEnumerationm^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 29 [0184.206] GetProcAddress (hModule=0x6d4f0000, lpProcName="QualifierSet_BeginEnumeration") returned 0x6d4f7c20 [0184.206] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="QualifierSet_Next", cchWideChar=17, lpMultiByteStr=0x55cf038, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QualifierSet_Nextm^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 17 [0184.206] GetProcAddress (hModule=0x6d4f0000, lpProcName="QualifierSet_Next") returned 0x6d4f7ce0 [0184.207] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="QualifierSet_EndEnumeration", cchWideChar=27, lpMultiByteStr=0x55cf02c, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QualifierSet_EndEnumeration", lpUsedDefaultChar=0x0) returned 27 [0184.208] GetProcAddress (hModule=0x6d4f0000, lpProcName="QualifierSet_EndEnumeration") returned 0x6d4f7c60 [0184.208] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetCurrentApartmentType", cchWideChar=23, lpMultiByteStr=0x55cf030, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetCurrentApartmentType", lpUsedDefaultChar=0x0) returned 23 [0184.208] GetProcAddress (hModule=0x6d4f0000, lpProcName="GetCurrentApartmentType") returned 0x6d4f78e0 [0184.209] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetDemultiplexedStub", cchWideChar=20, lpMultiByteStr=0x55cf034, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetDemultiplexedStub»m^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 20 [0184.209] GetProcAddress (hModule=0x6d4f0000, lpProcName="GetDemultiplexedStub") returned 0x6d4f75f0 [0184.211] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CreateInstanceEnumWmi", cchWideChar=21, lpMultiByteStr=0x55cf034, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CreateInstanceEnumWmim^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 21 [0184.211] GetProcAddress (hModule=0x6d4f0000, lpProcName="CreateInstanceEnumWmi") returned 0x6d4f7230 [0184.214] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CreateClassEnumWmi", cchWideChar=18, lpMultiByteStr=0x55cf038, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CreateClassEnumWmi^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 18 [0184.214] GetProcAddress (hModule=0x6d4f0000, lpProcName="CreateClassEnumWmi") returned 0x6d4f7160 [0184.215] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ExecQueryWmi", cchWideChar=12, lpMultiByteStr=0x55cf03c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExecQueryWmi»m^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 12 [0184.216] GetProcAddress (hModule=0x6d4f0000, lpProcName="ExecQueryWmi") returned 0x6d4f74e0 [0184.241] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ExecNotificationQueryWmi", cchWideChar=24, lpMultiByteStr=0x55cf030, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExecNotificationQueryWmi»m^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 24 [0184.241] GetProcAddress (hModule=0x6d4f0000, lpProcName="ExecNotificationQueryWmi") returned 0x6d4f7400 [0184.243] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="PutInstanceWmi", cchWideChar=14, lpMultiByteStr=0x55cf03c, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PutInstanceWmi^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 14 [0184.243] GetProcAddress (hModule=0x6d4f0000, lpProcName="PutInstanceWmi") returned 0x6d4f7b10 [0184.265] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="PutClassWmi", cchWideChar=11, lpMultiByteStr=0x55cf03c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PutClassWmi", lpUsedDefaultChar=0x0) returned 11 [0184.266] GetProcAddress (hModule=0x6d4f0000, lpProcName="PutClassWmi") returned 0x6d4f7a30 [0184.267] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CloneEnumWbemClassObject", cchWideChar=24, lpMultiByteStr=0x55cf030, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CloneEnumWbemClassObject»m^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 24 [0184.267] GetProcAddress (hModule=0x6d4f0000, lpProcName="CloneEnumWbemClassObject") returned 0x6d4f6f50 [0184.273] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ConnectServerWmi", cchWideChar=16, lpMultiByteStr=0x55cf038, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ConnectServerWmi»m^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 16 [0184.273] GetProcAddress (hModule=0x6d4f0000, lpProcName="ConnectServerWmi") returned 0x6d4f7050 [0184.281] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetErrorInfo", cchWideChar=12, lpMultiByteStr=0x55cf03c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetErrorInfo»m^m+û\x93\x03Dþ¦q\x18ó\\\x05", lpUsedDefaultChar=0x0) returned 12 [0184.281] GetProcAddress (hModule=0x6d4f0000, lpProcName="GetErrorInfo") returned 0x6d4f7650 [0184.285] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x55ceff0 | out: phkResult=0x55ceff0*=0x320) returned 0x0 [0184.286] RegQueryValueExW (in: hKey=0x320, lpValueName="WMIDisableCOMSecurity", lpReserved=0x0, lpType=0x55cf00c, lpData=0x0, lpcbData=0x55cf008*=0x0 | out: lpType=0x55cf00c*=0x0, lpData=0x0, lpcbData=0x55cf008*=0x0) returned 0x2 [0184.286] RegCloseKey (hKey=0x320) returned 0x0 [0184.286] CoCreateInstance (in: rclsid=0x6d4f3734*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x6d4f3794*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x55cf768 | out: ppv=0x55cf768*=0x5c5d40) returned 0x0 [0184.286] WbemLocator:IWbemLocator:ConnectServer (in: This=0x5c5d40, strNetworkResource="\\\\.\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="", lSecurityFlags=128, strAuthority="", pCtx=0x0, ppNamespace=0x55cf808 | out: ppNamespace=0x55cf808*=0x5c45c8) returned 0x0 [0184.295] WbemLocator:IUnknown:QueryInterface (in: This=0x5c45c8, riid=0x6d4f35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x55cf68c | out: ppvObject=0x55cf68c*=0x5d6efc) returned 0x0 [0184.295] WbemLocator:IClientSecurity:QueryBlanket (in: This=0x5d6efc, pProxy=0x5c45c8, pAuthnSvc=0x55cf6dc, pAuthzSvc=0x55cf6d8, pServerPrincName=0x55cf6d0, pAuthnLevel=0x55cf6d4, pImpLevel=0x55cf6c4, pAuthInfo=0x55cf6c8, pCapabilites=0x55cf6cc | out: pAuthnSvc=0x55cf6dc*=0xa, pAuthzSvc=0x55cf6d8*=0x0, pServerPrincName=0x55cf6d0, pAuthnLevel=0x55cf6d4*=0x6, pImpLevel=0x55cf6c4*=0x2, pAuthInfo=0x55cf6c8, pCapabilites=0x55cf6cc*=0x1) returned 0x0 [0184.295] WbemLocator:IUnknown:Release (This=0x5d6efc) returned 0x1 [0184.295] WbemLocator:IUnknown:QueryInterface (in: This=0x5c45c8, riid=0x6d4f35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x55cf680 | out: ppvObject=0x55cf680*=0x5d6f1c) returned 0x0 [0184.295] WbemLocator:IUnknown:QueryInterface (in: This=0x5c45c8, riid=0x6d4f35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x55cf66c | out: ppvObject=0x55cf66c*=0x5d6efc) returned 0x0 [0184.295] WbemLocator:IClientSecurity:SetBlanket (This=0x5d6efc, pProxy=0x5c45c8, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0184.295] WbemLocator:IUnknown:Release (This=0x5d6efc) returned 0x2 [0184.295] WbemLocator:IUnknown:Release (This=0x5d6f1c) returned 0x1 [0184.295] CoTaskMemFree (pv=0x5cf398) [0184.295] WbemLocator:IUnknown:AddRef (This=0x5c45c8) returned 0x2 [0184.295] WbemLocator:IUnknown:Release (This=0x5c5d40) returned 0x0 [0184.296] CoGetContextToken (in: pToken=0x55cebc0 | out: pToken=0x55cebc0) returned 0x0 [0184.296] CoGetContextToken (in: pToken=0x55cefd4 | out: pToken=0x55cefd4) returned 0x0 [0184.296] WbemLocator:IUnknown:QueryInterface (in: This=0x5c45c8, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x55cef6c | out: ppvObject=0x55cef6c*=0x5d6f04) returned 0x0 [0184.296] WbemLocator:IRpcOptions:Query (in: This=0x5d6f04, pPrx=0x5d1630, dwProperty=2, pdwValue=0x55cf060 | out: pdwValue=0x55cf060) returned 0x80004002 [0184.296] WbemLocator:IUnknown:Release (This=0x5d6f04) returned 0x2 [0184.296] CoGetContextToken (in: pToken=0x55cf5a4 | out: pToken=0x55cf5a4) returned 0x0 [0184.296] CoGetContextToken (in: pToken=0x55cf504 | out: pToken=0x55cf504) returned 0x0 [0184.296] WbemLocator:IUnknown:QueryInterface (in: This=0x5c45c8, riid=0x55cf5d4*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x55cf4a0 | out: ppvObject=0x55cf4a0*=0x5c45c8) returned 0x0 [0184.297] WbemLocator:IUnknown:Release (This=0x5c45c8) returned 0x2 [0184.301] SysStringLen (param_1=0x0) returned 0x0 [0184.302] CoUninitialize () Thread: id = 138 os_tid = 0xb1c [0184.316] CoGetContextToken (in: pToken=0x54bf4ac | out: pToken=0x54bf4ac) returned 0x0 [0184.316] CoGetContextToken (in: pToken=0x54bf494 | out: pToken=0x54bf494) returned 0x0 [0184.317] CoGetMarshalSizeMax (in: pulSize=0x54bf450, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnk=0x5d1630, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0 | out: pulSize=0x54bf450) returned 0x0 [0184.318] CoMarshalInterface (pStm=0x5a87a8, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnk=0x5d1630, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0) returned 0x0 Thread: id = 139 os_tid = 0x960 [0184.325] WbemLocator:IUnknown:QueryInterface (in: This=0x5c45c8, riid=0x5abae8*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x572f490 | out: ppvObject=0x572f490*=0x5c45c8) returned 0x0 [0184.325] WbemLocator:IUnknown:QueryInterface (in: This=0x5c45c8, riid=0x6d6d62ec*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x572f42c | out: ppvObject=0x572f42c*=0x5c45c8) returned 0x0 [0184.326] WbemLocator:IUnknown:QueryInterface (in: This=0x5c45c8, riid=0x6d6d62ec*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x572f3e4 | out: ppvObject=0x572f3e4*=0x5c45c8) returned 0x0 [0184.328] IWbemServices:GetObject (in: This=0x5c45c8, strObjectPath="win32_processor", lFlags=0, pCtx=0x0, ppObject=0x572f5ac*=0x0, ppCallResult=0x0 | out: ppObject=0x572f5ac*=0x5eec00, ppCallResult=0x0) returned 0x0 [0194.232] CoGetContextToken (in: pToken=0x572f5ac | out: pToken=0x572f5ac) returned 0x0 [0194.232] CoGetContextToken (in: pToken=0x572f594 | out: pToken=0x572f594) returned 0x0 [0194.232] CoGetMarshalSizeMax (in: pulSize=0x572f550, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnk=0x5f7988, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0 | out: pulSize=0x572f550) returned 0x0 [0194.233] CoMarshalInterface (pStm=0x5a8808, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnk=0x5f7988, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0) returned 0x0 [0194.234] WbemLocator:IUnknown:QueryInterface (in: This=0x5c4938, riid=0x5abcc8*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x572f490 | out: ppvObject=0x572f490*=0x5c4938) returned 0x0 [0194.234] WbemLocator:IUnknown:QueryInterface (in: This=0x5c4938, riid=0x6d6d62ec*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x572f42c | out: ppvObject=0x572f42c*=0x5c4938) returned 0x0 [0194.234] WbemLocator:IUnknown:QueryInterface (in: This=0x5c4938, riid=0x6d6d62ec*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x572f3e4 | out: ppvObject=0x572f3e4*=0x5c4938) returned 0x0 [0194.236] IWbemServices:GetObject (in: This=0x5c4938, strObjectPath="Win32_NetworkAdapterConfiguration", lFlags=0, pCtx=0x0, ppObject=0x572f5ac*=0x0, ppCallResult=0x0 | out: ppObject=0x572f5ac*=0x60a6d0, ppCallResult=0x0) returned 0x0 Thread: id = 141 os_tid = 0x8e0 [0194.199] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0194.201] CoGetClassObject (in: rclsid=0x5cf2e4*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), dwClsContext=0x15, pvReserved=0x0, riid=0x71bd6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x58fecb0 | out: ppv=0x58fecb0*=0x5ea4b8) returned 0x0 [0194.202] WbemLocator:IUnknown:QueryInterface (in: This=0x5ea4b8, riid=0x71b9dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x58feec8 | out: ppvObject=0x58feec8*=0x0) returned 0x80004002 [0194.202] WbemLocator:IClassFactory:CreateInstance (in: This=0x5ea4b8, pUnkOuter=0x0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x58feed4 | out: ppvObject=0x58feed4*=0x5f6be0) returned 0x0 [0194.202] WbemLocator:IUnknown:Release (This=0x5ea4b8) returned 0x0 [0194.202] WbemLocator:IUnknown:QueryInterface (in: This=0x5f6be0, riid=0x71a82a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x58feaf4 | out: ppvObject=0x58feaf4*=0x5f6be0) returned 0x0 [0194.202] WbemLocator:IUnknown:QueryInterface (in: This=0x5f6be0, riid=0x71b71b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x58feaa8 | out: ppvObject=0x58feaa8*=0x0) returned 0x80004002 [0194.202] WbemLocator:IUnknown:AddRef (This=0x5f6be0) returned 0x3 [0194.202] WbemLocator:IUnknown:QueryInterface (in: This=0x5f6be0, riid=0x71b7182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x58fe404 | out: ppvObject=0x58fe404*=0x0) returned 0x80004002 [0194.202] WbemLocator:IUnknown:QueryInterface (in: This=0x5f6be0, riid=0x71b71764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x58fe3b4 | out: ppvObject=0x58fe3b4*=0x0) returned 0x80004002 [0194.202] WbemLocator:IUnknown:QueryInterface (in: This=0x5f6be0, riid=0x71aa1388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x58fe3c0 | out: ppvObject=0x58fe3c0*=0x0) returned 0x80004002 [0194.202] CoGetContextToken (in: pToken=0x58fe420 | out: pToken=0x58fe420) returned 0x0 [0194.203] CoGetContextToken (in: pToken=0x58fe834 | out: pToken=0x58fe834) returned 0x0 [0194.204] WbemLocator:IUnknown:QueryInterface (in: This=0x5f6be0, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x58fe8b4 | out: ppvObject=0x58fe8b4*=0x0) returned 0x80004002 [0194.204] WbemLocator:IUnknown:Release (This=0x5f6be0) returned 0x2 [0194.204] WbemLocator:IUnknown:Release (This=0x5f6be0) returned 0x1 [0194.204] CoGetContextToken (in: pToken=0x58feeac | out: pToken=0x58feeac) returned 0x0 [0194.204] CoGetContextToken (in: pToken=0x58fee0c | out: pToken=0x58fee0c) returned 0x0 [0194.204] WbemLocator:IUnknown:QueryInterface (in: This=0x5f6be0, riid=0x58feedc*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x58feed8 | out: ppvObject=0x58feed8*=0x5f6be0) returned 0x0 [0194.204] WbemLocator:IUnknown:AddRef (This=0x5f6be0) returned 0x3 [0194.204] WbemLocator:IUnknown:Release (This=0x5f6be0) returned 0x2 [0194.204] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x59f808, puCount=0x58ff06c | out: puCount=0x58ff06c*=0x2) returned 0x0 [0194.204] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=8, puBuffLength=0x58ff068*=0x0, pszText=0x0 | out: puBuffLength=0x58ff068*=0xf, pszText=0x0) returned 0x0 [0194.204] WbemDefPath:IWbemPath:GetText (in: This=0x59f808, lFlags=8, puBuffLength=0x58ff068*=0xf, pszText="00000000000000" | out: puBuffLength=0x58ff068*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0194.204] CoCreateInstance (in: rclsid=0x6d4f3734*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x6d4f3794*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x58fef18 | out: ppv=0x58fef18*=0x5f6c00) returned 0x0 [0194.204] WbemLocator:IWbemLocator:ConnectServer (in: This=0x5f6c00, strNetworkResource="\\\\.\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="", lSecurityFlags=128, strAuthority="", pCtx=0x0, ppNamespace=0x58fefb8 | out: ppNamespace=0x58fefb8*=0x5c4938) returned 0x0 [0194.221] WbemLocator:IUnknown:QueryInterface (in: This=0x5c4938, riid=0x6d4f35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x58fee3c | out: ppvObject=0x58fee3c*=0x5d73ac) returned 0x0 [0194.221] WbemLocator:IClientSecurity:QueryBlanket (in: This=0x5d73ac, pProxy=0x5c4938, pAuthnSvc=0x58fee8c, pAuthzSvc=0x58fee88, pServerPrincName=0x58fee80, pAuthnLevel=0x58fee84, pImpLevel=0x58fee74, pAuthInfo=0x58fee78, pCapabilites=0x58fee7c | out: pAuthnSvc=0x58fee8c*=0xa, pAuthzSvc=0x58fee88*=0x0, pServerPrincName=0x58fee80, pAuthnLevel=0x58fee84*=0x6, pImpLevel=0x58fee74*=0x2, pAuthInfo=0x58fee78, pCapabilites=0x58fee7c*=0x1) returned 0x0 [0194.221] WbemLocator:IUnknown:Release (This=0x5d73ac) returned 0x1 [0194.221] WbemLocator:IUnknown:QueryInterface (in: This=0x5c4938, riid=0x6d4f35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x58fee30 | out: ppvObject=0x58fee30*=0x5d73cc) returned 0x0 [0194.221] WbemLocator:IUnknown:QueryInterface (in: This=0x5c4938, riid=0x6d4f35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x58fee1c | out: ppvObject=0x58fee1c*=0x5d73ac) returned 0x0 [0194.221] WbemLocator:IClientSecurity:SetBlanket (This=0x5d73ac, pProxy=0x5c4938, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0194.222] WbemLocator:IUnknown:Release (This=0x5d73ac) returned 0x2 [0194.222] WbemLocator:IUnknown:Release (This=0x5d73cc) returned 0x1 [0194.222] CoTaskMemFree (pv=0x5cf5d8) [0194.222] WbemLocator:IUnknown:AddRef (This=0x5c4938) returned 0x2 [0194.222] WbemLocator:IUnknown:Release (This=0x5f6c00) returned 0x0 [0194.223] CoGetContextToken (in: pToken=0x58fe370 | out: pToken=0x58fe370) returned 0x0 [0194.223] CoGetContextToken (in: pToken=0x58fe784 | out: pToken=0x58fe784) returned 0x0 [0194.223] WbemLocator:IUnknown:QueryInterface (in: This=0x5c4938, riid=0x71b71aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x58fe71c | out: ppvObject=0x58fe71c*=0x5d73b4) returned 0x0 [0194.223] WbemLocator:IRpcOptions:Query (in: This=0x5d73b4, pPrx=0x5f7988, dwProperty=2, pdwValue=0x58fe810 | out: pdwValue=0x58fe810) returned 0x80004002 [0194.223] WbemLocator:IUnknown:Release (This=0x5d73b4) returned 0x2 [0194.223] CoGetContextToken (in: pToken=0x58fed54 | out: pToken=0x58fed54) returned 0x0 [0194.223] CoGetContextToken (in: pToken=0x58fecb4 | out: pToken=0x58fecb4) returned 0x0 [0194.223] WbemLocator:IUnknown:QueryInterface (in: This=0x5c4938, riid=0x58fed84*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x58fec50 | out: ppvObject=0x58fec50*=0x5c4938) returned 0x0 [0194.223] WbemLocator:IUnknown:Release (This=0x5c4938) returned 0x2 [0194.224] SysStringLen (param_1=0x0) returned 0x0 [0194.224] CoUninitialize () Thread: id = 142 os_tid = 0xc7c [0194.819] CoGetContextToken (in: pToken=0x4c0f92c | out: pToken=0x4c0f92c) returned 0x0 [0194.819] IUnknown:QueryInterface (in: This=0x56edd8, riid=0x71b0b24c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x4c0f950 | out: ppvObject=0x4c0f950*=0x56ede4) returned 0x0 [0194.820] IComThreadingInfo:GetCurrentThreadType (in: This=0x56ede4, pThreadType=0x4c0f97c | out: pThreadType=0x4c0f97c*=0) returned 0x0 [0194.820] IUnknown:Release (This=0x56ede4) returned 0x1 [0194.820] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 Thread: id = 143 os_tid = 0xc78 [0194.921] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0194.922] CoGetContextToken (in: pToken=0x58ff734 | out: pToken=0x58ff734) returned 0x0 [0194.922] IUnknown:QueryInterface (in: This=0x56edd8, riid=0x71b0b24c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x58ff758 | out: ppvObject=0x58ff758*=0x56ede4) returned 0x0 [0194.922] IComThreadingInfo:GetCurrentThreadType (in: This=0x56ede4, pThreadType=0x58ff784 | out: pThreadType=0x58ff784*=0) returned 0x0 [0194.922] IUnknown:Release (This=0x56ede4) returned 0x1 [0194.922] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x1 [0194.922] CoUninitialize () [0217.037] CoUninitialize () Thread: id = 144 os_tid = 0xc68 Thread: id = 145 os_tid = 0xc64 [0226.934] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0226.946] CoGetContextToken (in: pToken=0x562fb24 | out: pToken=0x562fb24) returned 0x0 [0226.946] IUnknown:QueryInterface (in: This=0x56edd8, riid=0x71b0b24c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x562fb48 | out: ppvObject=0x562fb48*=0x56ede4) returned 0x0 [0226.946] IComThreadingInfo:GetCurrentThreadType (in: This=0x56ede4, pThreadType=0x562fb74 | out: pThreadType=0x562fb74*=0) returned 0x0 [0226.946] IUnknown:Release (This=0x56ede4) returned 0x1 [0226.946] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x1 [0226.946] CoUninitialize () [0226.950] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x562f70c | out: lpSystemTimeAsFileTime=0x562f70c*(dwLowDateTime=0xdf0a3c40, dwHighDateTime=0x1d7b434)) [0226.952] GetDynamicTimeZoneInformation (in: pTimeZoneInformation=0x562f37c | out: pTimeZoneInformation=0x562f37c) returned 0x2 [0226.978] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\W. Europe Standard Time", ulOptions=0x0, samDesired=0x20019, phkResult=0x562f460 | out: phkResult=0x562f460*=0x374) returned 0x0 [0226.979] RegQueryValueExW (in: hKey=0x374, lpValueName="TZI", lpReserved=0x0, lpType=0x562f47c, lpData=0x0, lpcbData=0x562f478*=0x0 | out: lpType=0x562f47c*=0x3, lpData=0x0, lpcbData=0x562f478*=0x2c) returned 0x0 [0226.979] RegQueryValueExW (in: hKey=0x374, lpValueName="TZI", lpReserved=0x0, lpType=0x562f47c, lpData=0x23adf4c, lpcbData=0x562f478*=0x2c | out: lpType=0x562f47c*=0x3, lpData=0x23adf4c*, lpcbData=0x562f478*=0x2c) returned 0x0 [0226.980] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\W. Europe Standard Time\\Dynamic DST", ulOptions=0x0, samDesired=0x20019, phkResult=0x562f2b4 | out: phkResult=0x562f2b4*=0x0) returned 0x2 [0226.981] RegQueryValueExW (in: hKey=0x374, lpValueName="MUI_Display", lpReserved=0x0, lpType=0x562f454, lpData=0x0, lpcbData=0x562f450*=0x0 | out: lpType=0x562f454*=0x1, lpData=0x0, lpcbData=0x562f450*=0x20) returned 0x0 [0226.981] RegQueryValueExW (in: hKey=0x374, lpValueName="MUI_Display", lpReserved=0x0, lpType=0x562f454, lpData=0x23ae464, lpcbData=0x562f450*=0x20 | out: lpType=0x562f454*=0x1, lpData="@tzres.dll,-320", lpcbData=0x562f450*=0x20) returned 0x0 [0226.981] RegQueryValueExW (in: hKey=0x374, lpValueName="MUI_Std", lpReserved=0x0, lpType=0x562f454, lpData=0x0, lpcbData=0x562f450*=0x0 | out: lpType=0x562f454*=0x1, lpData=0x0, lpcbData=0x562f450*=0x20) returned 0x0 [0226.981] RegQueryValueExW (in: hKey=0x374, lpValueName="MUI_Std", lpReserved=0x0, lpType=0x562f454, lpData=0x23ae4bc, lpcbData=0x562f450*=0x20 | out: lpType=0x562f454*=0x1, lpData="@tzres.dll,-322", lpcbData=0x562f450*=0x20) returned 0x0 [0226.982] RegQueryValueExW (in: hKey=0x374, lpValueName="MUI_Dlt", lpReserved=0x0, lpType=0x562f454, lpData=0x0, lpcbData=0x562f450*=0x0 | out: lpType=0x562f454*=0x1, lpData=0x0, lpcbData=0x562f450*=0x20) returned 0x0 [0226.982] RegQueryValueExW (in: hKey=0x374, lpValueName="MUI_Dlt", lpReserved=0x0, lpType=0x562f454, lpData=0x23ae514, lpcbData=0x562f450*=0x20 | out: lpType=0x562f454*=0x1, lpData="@tzres.dll,-321", lpcbData=0x562f450*=0x20) returned 0x0 [0226.990] CoTaskMemAlloc (cb=0x20c) returned 0x5e00b8 [0226.990] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x5e00b8 | out: pszPath="C:\\Windows\\system32") returned 0x0 [0226.993] CoTaskMemFree (pv=0x5e00b8) [0226.994] CoTaskMemAlloc (cb=0x20c) returned 0x5e00b8 [0226.994] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\Windows\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0x562f470, pwszFileMUIPath=0x5e00b8, pcchFileMUIPath=0x562f474, pululEnumerator=0x562f468 | out: pwszLanguage=0x0, pcchLanguage=0x562f470, pwszFileMUIPath="C:\\Windows\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0x562f474, pululEnumerator=0x562f468) returned 1 [0226.997] CoTaskMemFree (pv=0x0) [0226.997] CoTaskMemFree (pv=0x5e00b8) [0226.998] LoadLibraryExW (lpLibFileName="C:\\Windows\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x620001 [0227.001] CoTaskMemAlloc (cb=0x3ec) returned 0x5e00b8 [0227.001] LoadStringW (in: hInstance=0x620001, uID=0x140, lpBuffer=0x5e00b8, cchBufferMax=500 | out: lpBuffer="(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna") returned 0x3c [0227.002] CoTaskMemFree (pv=0x5e00b8) [0227.002] FreeLibrary (hLibModule=0x620001) returned 1 [0227.002] CoTaskMemAlloc (cb=0x20c) returned 0x5e00b8 [0227.003] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x5e00b8 | out: pszPath="C:\\Windows\\system32") returned 0x0 [0227.003] CoTaskMemFree (pv=0x5e00b8) [0227.003] CoTaskMemAlloc (cb=0x20c) returned 0x5e00b8 [0227.003] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\Windows\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0x562f470, pwszFileMUIPath=0x5e00b8, pcchFileMUIPath=0x562f474, pululEnumerator=0x562f468 | out: pwszLanguage=0x0, pcchLanguage=0x562f470, pwszFileMUIPath="C:\\Windows\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0x562f474, pululEnumerator=0x562f468) returned 1 [0227.005] CoTaskMemFree (pv=0x0) [0227.005] CoTaskMemFree (pv=0x5e00b8) [0227.006] LoadLibraryExW (lpLibFileName="C:\\Windows\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x620001 [0227.008] CoTaskMemAlloc (cb=0x3ec) returned 0x5e00b8 [0227.008] LoadStringW (in: hInstance=0x620001, uID=0x142, lpBuffer=0x5e00b8, cchBufferMax=500 | out: lpBuffer="W. Europe Standard Time") returned 0x17 [0227.008] CoTaskMemFree (pv=0x5e00b8) [0227.008] FreeLibrary (hLibModule=0x620001) returned 1 [0227.008] CoTaskMemAlloc (cb=0x20c) returned 0x5e00b8 [0227.008] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x5e00b8 | out: pszPath="C:\\Windows\\system32") returned 0x0 [0227.008] CoTaskMemFree (pv=0x5e00b8) [0227.009] CoTaskMemAlloc (cb=0x20c) returned 0x5e00b8 [0227.009] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\Windows\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0x562f470, pwszFileMUIPath=0x5e00b8, pcchFileMUIPath=0x562f474, pululEnumerator=0x562f468 | out: pwszLanguage=0x0, pcchLanguage=0x562f470, pwszFileMUIPath="C:\\Windows\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0x562f474, pululEnumerator=0x562f468) returned 1 [0227.011] CoTaskMemFree (pv=0x0) [0227.011] CoTaskMemFree (pv=0x5e00b8) [0227.011] LoadLibraryExW (lpLibFileName="C:\\Windows\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x620001 [0227.018] CoTaskMemAlloc (cb=0x3ec) returned 0x5e00b8 [0227.018] LoadStringW (in: hInstance=0x620001, uID=0x141, lpBuffer=0x5e00b8, cchBufferMax=500 | out: lpBuffer="W. Europe Daylight Time") returned 0x17 [0227.018] CoTaskMemFree (pv=0x5e00b8) [0227.018] FreeLibrary (hLibModule=0x620001) returned 1 [0227.019] RegCloseKey (hKey=0x374) returned 0x0 [0227.042] GetLastInputInfo (in: plii=0x2312364 | out: plii=0x2312364*(cbSize=0x8, dwTime=0x112743a)) returned 1 [0248.268] CoUninitialize () Thread: id = 146 os_tid = 0xca4 Thread: id = 147 os_tid = 0xcb4 [0227.047] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0227.048] CoGetContextToken (in: pToken=0x5b1f7e4 | out: pToken=0x5b1f7e4) returned 0x0 [0227.048] IUnknown:QueryInterface (in: This=0x56edd8, riid=0x71b0b24c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x5b1f808 | out: ppvObject=0x5b1f808*=0x56ede4) returned 0x0 [0227.048] IComThreadingInfo:GetCurrentThreadType (in: This=0x56ede4, pThreadType=0x5b1f834 | out: pThreadType=0x5b1f834*=0) returned 0x0 [0227.048] IUnknown:Release (This=0x56ede4) returned 0x1 [0227.048] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x1 [0227.048] CoUninitialize () [0248.274] CoUninitialize () Thread: id = 148 os_tid = 0xcdc [0258.167] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0258.168] CoGetContextToken (in: pToken=0x55df764 | out: pToken=0x55df764) returned 0x0 [0258.168] IUnknown:QueryInterface (in: This=0x56edd8, riid=0x71b0b24c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x55df788 | out: ppvObject=0x55df788*=0x56ede4) returned 0x0 [0258.168] IComThreadingInfo:GetCurrentThreadType (in: This=0x56ede4, pThreadType=0x55df7b4 | out: pThreadType=0x55df7b4*=0) returned 0x0 [0258.169] IUnknown:Release (This=0x56ede4) returned 0x1 [0258.169] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x1 [0258.169] CoUninitialize () [0258.171] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x55df34c | out: lpSystemTimeAsFileTime=0x55df34c*(dwLowDateTime=0xf0ee11c0, dwHighDateTime=0x1d7b434)) [0258.172] GetLastInputInfo (in: plii=0x2312364 | out: plii=0x2312364*(cbSize=0x8, dwTime=0x112e593)) returned 1 Thread: id = 149 os_tid = 0xce4 Thread: id = 150 os_tid = 0xce8 [0258.178] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0258.179] CoGetContextToken (in: pToken=0x5aaf504 | out: pToken=0x5aaf504) returned 0x0 [0258.179] IUnknown:QueryInterface (in: This=0x56edd8, riid=0x71b0b24c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x5aaf528 | out: ppvObject=0x5aaf528*=0x56ede4) returned 0x0 [0258.179] IComThreadingInfo:GetCurrentThreadType (in: This=0x56ede4, pThreadType=0x5aaf554 | out: pThreadType=0x5aaf554*=0) returned 0x0 [0258.179] IUnknown:Release (This=0x56ede4) returned 0x1 [0258.179] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x1 [0258.179] CoUninitialize () Process: id = "6" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x2b9d7000" os_pid = "0x334" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0x1d0" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b19c" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 1555 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1556 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 1557 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1558 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1559 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1560 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1561 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1562 start_va = 0x80000 end_va = 0x80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 1563 start_va = 0x90000 end_va = 0x10ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1564 start_va = 0x110000 end_va = 0x176fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1565 start_va = 0x180000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 1566 start_va = 0x240000 end_va = 0x240fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 1567 start_va = 0x250000 end_va = 0x25ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1568 start_va = 0x260000 end_va = 0x26afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "gpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\gpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\gpsvc.dll.mui") Region: id = 1569 start_va = 0x270000 end_va = 0x27cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 1570 start_va = 0x280000 end_va = 0x283fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskcomp.dll.mui" filename = "\\Windows\\System32\\en-US\\taskcomp.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\taskcomp.dll.mui") Region: id = 1571 start_va = 0x290000 end_va = 0x299fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "schedsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\schedsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\schedsvc.dll.mui") Region: id = 1572 start_va = 0x2a0000 end_va = 0x39ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 1573 start_va = 0x3a0000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 1574 start_va = 0x4a0000 end_va = 0x627fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 1575 start_va = 0x630000 end_va = 0x7b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 1576 start_va = 0x7c0000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 1577 start_va = 0x840000 end_va = 0x8bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 1578 start_va = 0x8c0000 end_va = 0x8c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 1579 start_va = 0x8d0000 end_va = 0x8d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 1580 start_va = 0x8e0000 end_va = 0x8e3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1581 start_va = 0x8f0000 end_va = 0x8f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 1582 start_va = 0x900000 end_va = 0x92ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000e.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db") Region: id = 1583 start_va = 0x930000 end_va = 0x930fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 1584 start_va = 0x940000 end_va = 0x940fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wshtcpip.dll.mui" filename = "\\Windows\\System32\\en-US\\wshtcpip.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wshtcpip.dll.mui") Region: id = 1585 start_va = 0x950000 end_va = 0x950fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wship6.dll.mui" filename = "\\Windows\\System32\\en-US\\wship6.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wship6.dll.mui") Region: id = 1586 start_va = 0x960000 end_va = 0x960fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 1587 start_va = 0x970000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 1588 start_va = 0x980000 end_va = 0x999fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 1589 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 1590 start_va = 0x9b0000 end_va = 0x9b3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1591 start_va = 0x9c0000 end_va = 0x9cdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 1592 start_va = 0x9d0000 end_va = 0x9d7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vsstrace.dll.mui" filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui") Region: id = 1593 start_va = 0x9e0000 end_va = 0x9e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009e0000" filename = "" Region: id = 1594 start_va = 0x9f0000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 1595 start_va = 0xa00000 end_va = 0xa0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 1596 start_va = 0xa10000 end_va = 0xa1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a10000" filename = "" Region: id = 1597 start_va = 0xa20000 end_va = 0xa2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 1598 start_va = 0xa30000 end_va = 0xa3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 1599 start_va = 0xa40000 end_va = 0xa4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 1600 start_va = 0xa50000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 1601 start_va = 0xa60000 end_va = 0xa67fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 1602 start_va = 0xa70000 end_va = 0xa8bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 1603 start_va = 0xb10000 end_va = 0xb75fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 1604 start_va = 0xc00000 end_va = 0xecefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1605 start_va = 0xed0000 end_va = 0xed0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ed0000" filename = "" Region: id = 1606 start_va = 0xee0000 end_va = 0xeeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 1607 start_va = 0xef0000 end_va = 0xefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 1608 start_va = 0xf00000 end_va = 0xf0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 1609 start_va = 0xf10000 end_va = 0xf10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 1610 start_va = 0xf20000 end_va = 0xf9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 1611 start_va = 0xfa0000 end_va = 0xfa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fa0000" filename = "" Region: id = 1612 start_va = 0xfb0000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 1613 start_va = 0x1030000 end_va = 0x1030fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001030000" filename = "" Region: id = 1614 start_va = 0x1040000 end_va = 0x104ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 1615 start_va = 0x1050000 end_va = 0x105ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 1616 start_va = 0x1060000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001060000" filename = "" Region: id = 1617 start_va = 0x10e0000 end_va = 0x10effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010e0000" filename = "" Region: id = 1618 start_va = 0x10f0000 end_va = 0x10fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010f0000" filename = "" Region: id = 1619 start_va = 0x1100000 end_va = 0x110ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001100000" filename = "" Region: id = 1620 start_va = 0x1110000 end_va = 0x111ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001110000" filename = "" Region: id = 1621 start_va = 0x1120000 end_va = 0x112ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001120000" filename = "" Region: id = 1622 start_va = 0x1130000 end_va = 0x113ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 1623 start_va = 0x1140000 end_va = 0x1147fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001140000" filename = "" Region: id = 1624 start_va = 0x1150000 end_va = 0x11cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 1625 start_va = 0x11d0000 end_va = 0x11dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011d0000" filename = "" Region: id = 1626 start_va = 0x11e0000 end_va = 0x11effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011e0000" filename = "" Region: id = 1627 start_va = 0x11f0000 end_va = 0x11fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1628 start_va = 0x1200000 end_va = 0x120ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1629 start_va = 0x1210000 end_va = 0x121ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001210000" filename = "" Region: id = 1630 start_va = 0x1220000 end_va = 0x1227fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001220000" filename = "" Region: id = 1631 start_va = 0x12b0000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012b0000" filename = "" Region: id = 1632 start_va = 0x12c0000 end_va = 0x12cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 1633 start_va = 0x12d0000 end_va = 0x12d7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012d0000" filename = "" Region: id = 1634 start_va = 0x12e0000 end_va = 0x12effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012e0000" filename = "" Region: id = 1635 start_va = 0x12f0000 end_va = 0x12f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msxml3r.dll" filename = "\\Windows\\System32\\msxml3r.dll" (normalized: "c:\\windows\\system32\\msxml3r.dll") Region: id = 1636 start_va = 0x1300000 end_va = 0x1302fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wuaueng.dll.mui" filename = "\\Windows\\System32\\en-US\\wuaueng.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wuaueng.dll.mui") Region: id = 1637 start_va = 0x1310000 end_va = 0x138ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001310000" filename = "" Region: id = 1638 start_va = 0x1390000 end_va = 0x13affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001390000" filename = "" Region: id = 1639 start_va = 0x13b0000 end_va = 0x142ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000013b0000" filename = "" Region: id = 1640 start_va = 0x1430000 end_va = 0x1430fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001430000" filename = "" Region: id = 1641 start_va = 0x1440000 end_va = 0x14bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 1642 start_va = 0x14c0000 end_va = 0x14cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1643 start_va = 0x14d0000 end_va = 0x14dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1644 start_va = 0x14e0000 end_va = 0x14e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014e0000" filename = "" Region: id = 1645 start_va = 0x1570000 end_va = 0x15effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001570000" filename = "" Region: id = 1646 start_va = 0x15f0000 end_va = 0x166ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015f0000" filename = "" Region: id = 1647 start_va = 0x1670000 end_va = 0x16affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001670000" filename = "" Region: id = 1648 start_va = 0x16b0000 end_va = 0x16effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000016b0000" filename = "" Region: id = 1649 start_va = 0x16f0000 end_va = 0x176ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016f0000" filename = "" Region: id = 1650 start_va = 0x17e0000 end_va = 0x185ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000017e0000" filename = "" Region: id = 1651 start_va = 0x1860000 end_va = 0x18dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001860000" filename = "" Region: id = 1652 start_va = 0x18e0000 end_va = 0x195ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018e0000" filename = "" Region: id = 1653 start_va = 0x1970000 end_va = 0x19effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001970000" filename = "" Region: id = 1654 start_va = 0x1a50000 end_va = 0x1acffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a50000" filename = "" Region: id = 1655 start_va = 0x1ad0000 end_va = 0x1bcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ad0000" filename = "" Region: id = 1656 start_va = 0x1cc0000 end_va = 0x1dbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001cc0000" filename = "" Region: id = 1657 start_va = 0x1e60000 end_va = 0x1e6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 1658 start_va = 0x1e90000 end_va = 0x1f0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e90000" filename = "" Region: id = 1659 start_va = 0x1f10000 end_va = 0x1f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f10000" filename = "" Region: id = 1660 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 1661 start_va = 0x2030000 end_va = 0x20affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002030000" filename = "" Region: id = 1662 start_va = 0x20d0000 end_va = 0x214ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020d0000" filename = "" Region: id = 1663 start_va = 0x2150000 end_va = 0x21cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002150000" filename = "" Region: id = 1664 start_va = 0x2230000 end_va = 0x22affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002230000" filename = "" Region: id = 1665 start_va = 0x22b0000 end_va = 0x232ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022b0000" filename = "" Region: id = 1666 start_va = 0x23f0000 end_va = 0x246ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023f0000" filename = "" Region: id = 1667 start_va = 0x2470000 end_va = 0x24effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002470000" filename = "" Region: id = 1668 start_va = 0x24f0000 end_va = 0x25effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024f0000" filename = "" Region: id = 1669 start_va = 0x2710000 end_va = 0x278ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002710000" filename = "" Region: id = 1670 start_va = 0x27e0000 end_va = 0x28dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027e0000" filename = "" Region: id = 1671 start_va = 0x2940000 end_va = 0x294ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002940000" filename = "" Region: id = 1672 start_va = 0x2950000 end_va = 0x29cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002950000" filename = "" Region: id = 1673 start_va = 0x2b10000 end_va = 0x2c0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b10000" filename = "" Region: id = 1674 start_va = 0x2c10000 end_va = 0x2d0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c10000" filename = "" Region: id = 1675 start_va = 0x2d40000 end_va = 0x2dbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d40000" filename = "" Region: id = 1676 start_va = 0x2e40000 end_va = 0x2ebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e40000" filename = "" Region: id = 1677 start_va = 0x2ef0000 end_va = 0x2f6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ef0000" filename = "" Region: id = 1678 start_va = 0x2f90000 end_va = 0x300ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f90000" filename = "" Region: id = 1679 start_va = 0x3020000 end_va = 0x309ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003020000" filename = "" Region: id = 1680 start_va = 0x30a0000 end_va = 0x329ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030a0000" filename = "" Region: id = 1681 start_va = 0x33c0000 end_va = 0x347ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1682 start_va = 0x3480000 end_va = 0x357ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003480000" filename = "" Region: id = 1683 start_va = 0x3580000 end_va = 0x35fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003580000" filename = "" Region: id = 1684 start_va = 0x3600000 end_va = 0x36fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 1685 start_va = 0x3740000 end_va = 0x37bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003740000" filename = "" Region: id = 1686 start_va = 0x38e0000 end_va = 0x395ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000038e0000" filename = "" Region: id = 1687 start_va = 0x3960000 end_va = 0x3a5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003960000" filename = "" Region: id = 1688 start_va = 0x3a70000 end_va = 0x3aeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a70000" filename = "" Region: id = 1689 start_va = 0x3b00000 end_va = 0x3b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b00000" filename = "" Region: id = 1690 start_va = 0x3b80000 end_va = 0x3f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 1691 start_va = 0x3fc0000 end_va = 0x403ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003fc0000" filename = "" Region: id = 1692 start_va = 0x4080000 end_va = 0x40fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004080000" filename = "" Region: id = 1693 start_va = 0x4100000 end_va = 0x417ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004100000" filename = "" Region: id = 1694 start_va = 0x4270000 end_va = 0x42effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004270000" filename = "" Region: id = 1695 start_va = 0x4380000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004380000" filename = "" Region: id = 1696 start_va = 0x44b0000 end_va = 0x46affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044b0000" filename = "" Region: id = 1697 start_va = 0x46b0000 end_va = 0x47affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046b0000" filename = "" Region: id = 1698 start_va = 0x4810000 end_va = 0x481ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004810000" filename = "" Region: id = 1699 start_va = 0x4820000 end_va = 0x491ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004820000" filename = "" Region: id = 1700 start_va = 0x4930000 end_va = 0x49affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004930000" filename = "" Region: id = 1701 start_va = 0x49b0000 end_va = 0x4aaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000049b0000" filename = "" Region: id = 1702 start_va = 0x4ab0000 end_va = 0x4baffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004ab0000" filename = "" Region: id = 1703 start_va = 0x4bb0000 end_va = 0x5baffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004bb0000" filename = "" Region: id = 1704 start_va = 0x5c40000 end_va = 0x5cbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005c40000" filename = "" Region: id = 1705 start_va = 0x5da0000 end_va = 0x5e1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005da0000" filename = "" Region: id = 1706 start_va = 0x5f50000 end_va = 0x5fcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005f50000" filename = "" Region: id = 1707 start_va = 0x6170000 end_va = 0x61effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006170000" filename = "" Region: id = 1708 start_va = 0x61f0000 end_va = 0x65effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061f0000" filename = "" Region: id = 1709 start_va = 0x6780000 end_va = 0x67fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006780000" filename = "" Region: id = 1710 start_va = 0x76c40000 end_va = 0x76d5efff monitored = 0 entry_point = 0x76c55340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1711 start_va = 0x76d60000 end_va = 0x76e59fff monitored = 0 entry_point = 0x76d7a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1712 start_va = 0x76e60000 end_va = 0x77008fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1713 start_va = 0x77020000 end_va = 0x77026fff monitored = 0 entry_point = 0x7702106c region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 1714 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1715 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1716 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1717 start_va = 0xff450000 end_va = 0xff45afff monitored = 0 entry_point = 0xff45246c region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1718 start_va = 0x7fef0220000 end_va = 0x7fef0251fff monitored = 0 entry_point = 0x7fef0221060 region_type = mapped_file name = "dssenh.dll" filename = "\\Windows\\System32\\dssenh.dll" (normalized: "c:\\windows\\system32\\dssenh.dll") Region: id = 1719 start_va = 0x7fef03c0000 end_va = 0x7fef03cefff monitored = 0 entry_point = 0x7fef03c9a48 region_type = mapped_file name = "mspatcha.dll" filename = "\\Windows\\System32\\mspatcha.dll" (normalized: "c:\\windows\\system32\\mspatcha.dll") Region: id = 1720 start_va = 0x7fef03d0000 end_va = 0x7fef0622fff monitored = 0 entry_point = 0x7fef03d236c region_type = mapped_file name = "wuaueng.dll" filename = "\\Windows\\System32\\wuaueng.dll" (normalized: "c:\\windows\\system32\\wuaueng.dll") Region: id = 1721 start_va = 0x7fef1ac0000 end_va = 0x7fef1c93fff monitored = 0 entry_point = 0x7fef1af6b00 region_type = mapped_file name = "msxml3.dll" filename = "\\Windows\\System32\\msxml3.dll" (normalized: "c:\\windows\\system32\\msxml3.dll") Region: id = 1722 start_va = 0x7fef1db0000 end_va = 0x7fef2029fff monitored = 0 entry_point = 0x7fef1de2200 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 1723 start_va = 0x7fef3780000 end_va = 0x7fef379bfff monitored = 0 entry_point = 0x7fef37811a0 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 1724 start_va = 0x7fef37a0000 end_va = 0x7fef3801fff monitored = 0 entry_point = 0x7fef37a1198 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 1725 start_va = 0x7fef3810000 end_va = 0x7fef3849fff monitored = 0 entry_point = 0x7fef3811010 region_type = mapped_file name = "mprapi.dll" filename = "\\Windows\\System32\\mprapi.dll" (normalized: "c:\\windows\\system32\\mprapi.dll") Region: id = 1726 start_va = 0x7fef3f10000 end_va = 0x7fef3f80fff monitored = 0 entry_point = 0x7fef3f4ecc4 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 1727 start_va = 0x7fef3fc0000 end_va = 0x7fef3fdcfff monitored = 0 entry_point = 0x7fef3fc2f18 region_type = mapped_file name = "mmcss.dll" filename = "\\Windows\\System32\\mmcss.dll" (normalized: "c:\\windows\\system32\\mmcss.dll") Region: id = 1728 start_va = 0x7fef41e0000 end_va = 0x7fef41ebfff monitored = 0 entry_point = 0x7fef41e602c region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 1729 start_va = 0x7fef4490000 end_va = 0x7fef4497fff monitored = 0 entry_point = 0x7fef4491414 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1730 start_va = 0x7fef44a0000 end_va = 0x7fef4510fff monitored = 0 entry_point = 0x7fef44e51d0 region_type = mapped_file name = "wbemess.dll" filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll") Region: id = 1731 start_va = 0x7fef4520000 end_va = 0x7fef4531fff monitored = 0 entry_point = 0x7fef45289d0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 1732 start_va = 0x7fef4540000 end_va = 0x7fef45f4fff monitored = 0 entry_point = 0x7fef45bcf80 region_type = mapped_file name = "wmiprvsd.dll" filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll") Region: id = 1733 start_va = 0x7fef4600000 end_va = 0x7fef4618fff monitored = 0 entry_point = 0x7fef4601104 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 1734 start_va = 0x7fef4620000 end_va = 0x7fef466ffff monitored = 0 entry_point = 0x7fef4621190 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 1735 start_va = 0x7fef4670000 end_va = 0x7fef4677fff monitored = 0 entry_point = 0x7fef4671020 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 1736 start_va = 0x7fef4680000 end_va = 0x7fef46d9fff monitored = 0 entry_point = 0x7fef46bdde0 region_type = mapped_file name = "repdrvfs.dll" filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll") Region: id = 1737 start_va = 0x7fef46e0000 end_va = 0x7fef4700fff monitored = 0 entry_point = 0x7fef46f03b0 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 1738 start_va = 0x7fef4710000 end_va = 0x7fef477afff monitored = 0 entry_point = 0x7fef4754344 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 1739 start_va = 0x7fef4780000 end_va = 0x7fef4792fff monitored = 0 entry_point = 0x7fef4781d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1740 start_va = 0x7fef47a0000 end_va = 0x7fef4801fff monitored = 0 entry_point = 0x7fef47dbd80 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 1741 start_va = 0x7fef4810000 end_va = 0x7fef493bfff monitored = 0 entry_point = 0x7fef48c0ef0 region_type = mapped_file name = "wbemcore.dll" filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll") Region: id = 1742 start_va = 0x7fef4940000 end_va = 0x7fef4959fff monitored = 0 entry_point = 0x7fef4953fbc region_type = mapped_file name = "nci.dll" filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll") Region: id = 1743 start_va = 0x7fef4960000 end_va = 0x7fef49e3fff monitored = 0 entry_point = 0x7fef49b1118 region_type = mapped_file name = "netcfgx.dll" filename = "\\Windows\\System32\\netcfgx.dll" (normalized: "c:\\windows\\system32\\netcfgx.dll") Region: id = 1744 start_va = 0x7fef49f0000 end_va = 0x7fef4a14fff monitored = 0 entry_point = 0x7fef4a08c54 region_type = mapped_file name = "browser.dll" filename = "\\Windows\\System32\\browser.dll" (normalized: "c:\\windows\\system32\\browser.dll") Region: id = 1745 start_va = 0x7fef4a20000 end_va = 0x7fef4a5cfff monitored = 0 entry_point = 0x7fef4a21070 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 1746 start_va = 0x7fef4a60000 end_va = 0x7fef4a86fff monitored = 0 entry_point = 0x7fef4a611a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 1747 start_va = 0x7fef4a90000 end_va = 0x7fef4b62fff monitored = 0 entry_point = 0x7fef4b08b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 1748 start_va = 0x7fef4bb0000 end_va = 0x7fef4bf6fff monitored = 0 entry_point = 0x7fef4bb1040 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 1749 start_va = 0x7fef4c00000 end_va = 0x7fef4c41fff monitored = 0 entry_point = 0x7fef4c017e4 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 1750 start_va = 0x7fef4e00000 end_va = 0x7fef4e63fff monitored = 0 entry_point = 0x7fef4e01254 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 1751 start_va = 0x7fef4e70000 end_va = 0x7fef4ee0fff monitored = 0 entry_point = 0x7fef4e71010 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 1752 start_va = 0x7fef4f80000 end_va = 0x7fef4f96fff monitored = 0 entry_point = 0x7fef4f81060 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 1753 start_va = 0x7fef4fa0000 end_va = 0x7fef514ffff monitored = 0 entry_point = 0x7fef4fa1010 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 1754 start_va = 0x7fef6160000 end_va = 0x7fef61d3fff monitored = 0 entry_point = 0x7fef61666f0 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 1755 start_va = 0x7fef7350000 end_va = 0x7fef736afff monitored = 0 entry_point = 0x7fef7351198 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 1756 start_va = 0x7fef7760000 end_va = 0x7fef77a4fff monitored = 0 entry_point = 0x7fef7793644 region_type = mapped_file name = "upnp.dll" filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll") Region: id = 1757 start_va = 0x7fef77b0000 end_va = 0x7fef77c1fff monitored = 0 entry_point = 0x7fef77b90bc region_type = mapped_file name = "bitsigd.dll" filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll") Region: id = 1758 start_va = 0x7fef77d0000 end_va = 0x7fef78a1fff monitored = 0 entry_point = 0x7fef7861a10 region_type = mapped_file name = "qmgr.dll" filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll") Region: id = 1759 start_va = 0x7fef79c0000 end_va = 0x7fef79d4fff monitored = 0 entry_point = 0x7fef79c1020 region_type = mapped_file name = "appinfo.dll" filename = "\\Windows\\System32\\appinfo.dll" (normalized: "c:\\windows\\system32\\appinfo.dll") Region: id = 1760 start_va = 0x7fef79e0000 end_va = 0x7fef79e8fff monitored = 0 entry_point = 0x7fef79e11a0 region_type = mapped_file name = "tschannel.dll" filename = "\\Windows\\System32\\TSChannel.dll" (normalized: "c:\\windows\\system32\\tschannel.dll") Region: id = 1761 start_va = 0x7fef7d80000 end_va = 0x7fef7d89fff monitored = 0 entry_point = 0x7fef7d83994 region_type = mapped_file name = "bitsperf.dll" filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll") Region: id = 1762 start_va = 0x7fef7f40000 end_va = 0x7fef7fbbfff monitored = 0 entry_point = 0x7fef7f411d4 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 1763 start_va = 0x7fef8310000 end_va = 0x7fef83fdfff monitored = 0 entry_point = 0x7fef83112a0 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 1764 start_va = 0x7fef8520000 end_va = 0x7fef8536fff monitored = 0 entry_point = 0x7fef8529d50 region_type = mapped_file name = "ncprov.dll" filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll") Region: id = 1765 start_va = 0x7fef86e0000 end_va = 0x7fef8721fff monitored = 0 entry_point = 0x7fef8710048 region_type = mapped_file name = "tcpipcfg.dll" filename = "\\Windows\\System32\\tcpipcfg.dll" (normalized: "c:\\windows\\system32\\tcpipcfg.dll") Region: id = 1766 start_va = 0x7fef8730000 end_va = 0x7fef8749fff monitored = 0 entry_point = 0x7fef8741ae4 region_type = mapped_file name = "rascfg.dll" filename = "\\Windows\\System32\\rascfg.dll" (normalized: "c:\\windows\\system32\\rascfg.dll") Region: id = 1767 start_va = 0x7fef8770000 end_va = 0x7fef877efff monitored = 0 entry_point = 0x7fef8776894 region_type = mapped_file name = "ndiscapcfg.dll" filename = "\\Windows\\System32\\ndiscapCfg.dll" (normalized: "c:\\windows\\system32\\ndiscapcfg.dll") Region: id = 1768 start_va = 0x7fef88c0000 end_va = 0x7fef8936fff monitored = 0 entry_point = 0x7fef88cafd0 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 1769 start_va = 0x7fefa090000 end_va = 0x7fefa099fff monitored = 0 entry_point = 0x7fefa09260c region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Region: id = 1770 start_va = 0x7fefa0a0000 end_va = 0x7fefa1b1fff monitored = 0 entry_point = 0x7fefa0bf354 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 1771 start_va = 0x7fefa4e0000 end_va = 0x7fefa4eefff monitored = 0 entry_point = 0x7fefa4e7e80 region_type = mapped_file name = "wiarpc.dll" filename = "\\Windows\\System32\\wiarpc.dll" (normalized: "c:\\windows\\system32\\wiarpc.dll") Region: id = 1772 start_va = 0x7fefa4f0000 end_va = 0x7fefa4f8fff monitored = 0 entry_point = 0x7fefa4f3668 region_type = mapped_file name = "fvecerts.dll" filename = "\\Windows\\System32\\fvecerts.dll" (normalized: "c:\\windows\\system32\\fvecerts.dll") Region: id = 1773 start_va = 0x7fefa500000 end_va = 0x7fefa508fff monitored = 0 entry_point = 0x7fefa501020 region_type = mapped_file name = "tbs.dll" filename = "\\Windows\\System32\\tbs.dll" (normalized: "c:\\windows\\system32\\tbs.dll") Region: id = 1774 start_va = 0x7fefa510000 end_va = 0x7fefa565fff monitored = 0 entry_point = 0x7fefa511040 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 1775 start_va = 0x7fefa570000 end_va = 0x7fefa5cdfff monitored = 0 entry_point = 0x7fefa579024 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 1776 start_va = 0x7fefa5d0000 end_va = 0x7fefa5e7fff monitored = 0 entry_point = 0x7fefa5d1bf8 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1777 start_va = 0x7fefa5f0000 end_va = 0x7fefa600fff monitored = 0 entry_point = 0x7fefa5f16ac region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1778 start_va = 0x7fefa700000 end_va = 0x7fefa752fff monitored = 0 entry_point = 0x7fefa702b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 1779 start_va = 0x7fefa870000 end_va = 0x7fefa87afff monitored = 0 entry_point = 0x7fefa871198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1780 start_va = 0x7fefa880000 end_va = 0x7fefa8a6fff monitored = 0 entry_point = 0x7fefa8898bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1781 start_va = 0x7fefa8b0000 end_va = 0x7fefa8c3fff monitored = 0 entry_point = 0x7fefa8b3e64 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 1782 start_va = 0x7fefa8e0000 end_va = 0x7fefa946fff monitored = 0 entry_point = 0x7fefa8f6060 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 1783 start_va = 0x7fefa950000 end_va = 0x7fefa95afff monitored = 0 entry_point = 0x7fefa954f8c region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 1784 start_va = 0x7fefa960000 end_va = 0x7fefa96bfff monitored = 0 entry_point = 0x7fefa9615d8 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 1785 start_va = 0x7fefa970000 end_va = 0x7fefa97ffff monitored = 0 entry_point = 0x7fefa97835c region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 1786 start_va = 0x7fefa980000 end_va = 0x7fefa998fff monitored = 0 entry_point = 0x7fefa9811a8 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 1787 start_va = 0x7fefa9a0000 end_va = 0x7fefa9d6fff monitored = 0 entry_point = 0x7fefa9a8424 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 1788 start_va = 0x7fefa9e0000 end_va = 0x7fefa9f4fff monitored = 0 entry_point = 0x7fefa9e60d8 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 1789 start_va = 0x7fefaa00000 end_va = 0x7fefaac1fff monitored = 0 entry_point = 0x7fefaa0101c region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 1790 start_va = 0x7fefad20000 end_va = 0x7fefad2dfff monitored = 0 entry_point = 0x7fefad25500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1791 start_va = 0x7fefad30000 end_va = 0x7fefad40fff monitored = 0 entry_point = 0x7fefad314c0 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 1792 start_va = 0x7fefad50000 end_va = 0x7fefade1fff monitored = 0 entry_point = 0x7fefadc51ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 1793 start_va = 0x7fefadf0000 end_va = 0x7fefae66fff monitored = 0 entry_point = 0x7fefae2e7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 1794 start_va = 0x7fefae70000 end_va = 0x7fefae83fff monitored = 0 entry_point = 0x7fefae716b4 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 1795 start_va = 0x7fefae90000 end_va = 0x7fefaea4fff monitored = 0 entry_point = 0x7fefae91050 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1796 start_va = 0x7fefaeb0000 end_va = 0x7fefaebbfff monitored = 0 entry_point = 0x7fefaeb18a4 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1797 start_va = 0x7fefaec0000 end_va = 0x7fefaed5fff monitored = 0 entry_point = 0x7fefaec11a0 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1798 start_va = 0x7fefaee0000 end_va = 0x7fefaf19fff monitored = 0 entry_point = 0x7fefaefd020 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 1799 start_va = 0x7fefafd0000 end_va = 0x7fefafe0fff monitored = 0 entry_point = 0x7fefafd9e7c region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 1800 start_va = 0x7fefaff0000 end_va = 0x7fefb000fff monitored = 0 entry_point = 0x7fefaff1070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1801 start_va = 0x7fefb150000 end_va = 0x7fefb184fff monitored = 0 entry_point = 0x7fefb151064 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 1802 start_va = 0x7fefb570000 end_va = 0x7fefb5c5fff monitored = 0 entry_point = 0x7fefb57bbc0 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1803 start_va = 0x7fefb5d0000 end_va = 0x7fefb5ecfff monitored = 0 entry_point = 0x7fefb5d1ef4 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 1804 start_va = 0x7fefb620000 end_va = 0x7fefb813fff monitored = 0 entry_point = 0x7fefb7ac924 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 1805 start_va = 0x7fefbb30000 end_va = 0x7fefbb38fff monitored = 0 entry_point = 0x7fefbb31010 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 1806 start_va = 0x7fefbb40000 end_va = 0x7fefbc6bfff monitored = 0 entry_point = 0x7fefbb494bc region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1807 start_va = 0x7fefbda0000 end_va = 0x7fefbdccfff monitored = 0 entry_point = 0x7fefbda1010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1808 start_va = 0x7fefbf70000 end_va = 0x7fefbf7bfff monitored = 0 entry_point = 0x7fefbf71064 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1809 start_va = 0x7fefbf80000 end_va = 0x7fefc03afff monitored = 0 entry_point = 0x7fefbf86de0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 1810 start_va = 0x7fefc040000 end_va = 0x7fefc046fff monitored = 0 entry_point = 0x7fefc0414b0 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 1811 start_va = 0x7fefc130000 end_va = 0x7fefc14afff monitored = 0 entry_point = 0x7fefc132068 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1812 start_va = 0x7fefc150000 end_va = 0x7fefc16dfff monitored = 0 entry_point = 0x7fefc1513b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1813 start_va = 0x7fefc170000 end_va = 0x7fefc181fff monitored = 0 entry_point = 0x7fefc171060 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 1814 start_va = 0x7fefc190000 end_va = 0x7fefc1aefff monitored = 0 entry_point = 0x7fefc195c68 region_type = mapped_file name = "spinf.dll" filename = "\\Windows\\System32\\SPInf.dll" (normalized: "c:\\windows\\system32\\spinf.dll") Region: id = 1815 start_va = 0x7fefc260000 end_va = 0x7fefc298fff monitored = 0 entry_point = 0x7fefc26c0f0 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 1816 start_va = 0x7fefc2a0000 end_va = 0x7fefc2a9fff monitored = 0 entry_point = 0x7fefc2a3cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 1817 start_va = 0x7fefc2b0000 end_va = 0x7fefc2bcfff monitored = 0 entry_point = 0x7fefc2b1348 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 1818 start_va = 0x7fefc3a0000 end_va = 0x7fefc3e6fff monitored = 0 entry_point = 0x7fefc3a1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1819 start_va = 0x7fefc490000 end_va = 0x7fefc4bffff monitored = 0 entry_point = 0x7fefc49194c region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 1820 start_va = 0x7fefc4c0000 end_va = 0x7fefc51afff monitored = 0 entry_point = 0x7fefc4c6940 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1821 start_va = 0x7fefc630000 end_va = 0x7fefc636fff monitored = 0 entry_point = 0x7fefc63142c region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 1822 start_va = 0x7fefc640000 end_va = 0x7fefc694fff monitored = 0 entry_point = 0x7fefc641054 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1823 start_va = 0x7fefc6a0000 end_va = 0x7fefc6b7fff monitored = 0 entry_point = 0x7fefc6a3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1824 start_va = 0x7fefc7b0000 end_va = 0x7fefc7e1fff monitored = 0 entry_point = 0x7fefc7b144c region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 1825 start_va = 0x7fefc7f0000 end_va = 0x7fefc7f7fff monitored = 0 entry_point = 0x7fefc7f2a6c region_type = mapped_file name = "wmsgapi.dll" filename = "\\Windows\\System32\\wmsgapi.dll" (normalized: "c:\\windows\\system32\\wmsgapi.dll") Region: id = 1826 start_va = 0x7fefc800000 end_va = 0x7fefc809fff monitored = 0 entry_point = 0x7fefc803b40 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 1827 start_va = 0x7fefc810000 end_va = 0x7fefc831fff monitored = 0 entry_point = 0x7fefc815d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1828 start_va = 0x7fefc890000 end_va = 0x7fefc8befff monitored = 0 entry_point = 0x7fefc891064 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 1829 start_va = 0x7fefc8d0000 end_va = 0x7fefc93cfff monitored = 0 entry_point = 0x7fefc8d1010 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 1830 start_va = 0x7fefc940000 end_va = 0x7fefc953fff monitored = 0 entry_point = 0x7fefc944160 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 1831 start_va = 0x7fefcba0000 end_va = 0x7fefcbc2fff monitored = 0 entry_point = 0x7fefcba1198 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1832 start_va = 0x7fefcc40000 end_va = 0x7fefcc4afff monitored = 0 entry_point = 0x7fefcc41030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1833 start_va = 0x7fefcc70000 end_va = 0x7fefcc94fff monitored = 0 entry_point = 0x7fefcc79658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1834 start_va = 0x7fefcca0000 end_va = 0x7fefccaefff monitored = 0 entry_point = 0x7fefcca1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1835 start_va = 0x7fefccb0000 end_va = 0x7fefcd40fff monitored = 0 entry_point = 0x7fefccb1440 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 1836 start_va = 0x7fefcd50000 end_va = 0x7fefcd8cfff monitored = 0 entry_point = 0x7fefcd518f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1837 start_va = 0x7fefcd90000 end_va = 0x7fefcda3fff monitored = 0 entry_point = 0x7fefcd910e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1838 start_va = 0x7fefcdb0000 end_va = 0x7fefcdbefff monitored = 0 entry_point = 0x7fefcdb19b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1839 start_va = 0x7fefce50000 end_va = 0x7fefce5efff monitored = 0 entry_point = 0x7fefce51020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1840 start_va = 0x7fefce60000 end_va = 0x7fefcecbfff monitored = 0 entry_point = 0x7fefce62780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1841 start_va = 0x7fefced0000 end_va = 0x7fefcf05fff monitored = 0 entry_point = 0x7fefced1474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1842 start_va = 0x7fefcf10000 end_va = 0x7fefcf29fff monitored = 0 entry_point = 0x7fefcf11558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1843 start_va = 0x7fefcf30000 end_va = 0x7fefcf6afff monitored = 0 entry_point = 0x7fefcf31324 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 1844 start_va = 0x7fefcf70000 end_va = 0x7fefd0dcfff monitored = 0 entry_point = 0x7fefcf710b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1845 start_va = 0x7fefd180000 end_va = 0x7fefd382fff monitored = 0 entry_point = 0x7fefd1a3330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1846 start_va = 0x7fefd390000 end_va = 0x7fefd3bdfff monitored = 0 entry_point = 0x7fefd391010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1847 start_va = 0x7fefd3c0000 end_va = 0x7fefd49afff monitored = 0 entry_point = 0x7fefd3e0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1848 start_va = 0x7fefd4a0000 end_va = 0x7fefd5ccfff monitored = 0 entry_point = 0x7fefd4eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1849 start_va = 0x7fefd5d0000 end_va = 0x7fefd640fff monitored = 0 entry_point = 0x7fefd5e1e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1850 start_va = 0x7fefd650000 end_va = 0x7fefd758fff monitored = 0 entry_point = 0x7fefd651064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1851 start_va = 0x7fefd760000 end_va = 0x7fefd7b1fff monitored = 0 entry_point = 0x7fefd7610d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1852 start_va = 0x7fefd7c0000 end_va = 0x7fefd996fff monitored = 0 entry_point = 0x7fefd7c1010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 1853 start_va = 0x7fefda20000 end_va = 0x7fefda86fff monitored = 0 entry_point = 0x7fefda2b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1854 start_va = 0x7fefda90000 end_va = 0x7fefda9dfff monitored = 0 entry_point = 0x7fefda91080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1855 start_va = 0x7fefdaa0000 end_va = 0x7fefdaa7fff monitored = 0 entry_point = 0x7fefdaa1504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1856 start_va = 0x7fefdb50000 end_va = 0x7fefdbe8fff monitored = 0 entry_point = 0x7fefdb51c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1857 start_va = 0x7fefdbf0000 end_va = 0x7fefdcb8fff monitored = 0 entry_point = 0x7fefdc6a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1858 start_va = 0x7fefdcc0000 end_va = 0x7fefdd96fff monitored = 0 entry_point = 0x7fefdcc3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1859 start_va = 0x7fefdda0000 end_va = 0x7fefddecfff monitored = 0 entry_point = 0x7fefdda1070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1860 start_va = 0x7fefddf0000 end_va = 0x7fefeb77fff monitored = 0 entry_point = 0x7fefde6cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1861 start_va = 0x7fefeb80000 end_va = 0x7fefeb9efff monitored = 0 entry_point = 0x7fefeb860e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1862 start_va = 0x7feff0d0000 end_va = 0x7feff16efff monitored = 0 entry_point = 0x7feff0d25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1863 start_va = 0x7feff180000 end_va = 0x7feff180fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1864 start_va = 0x7fffff52000 end_va = 0x7fffff53fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff52000" filename = "" Region: id = 1865 start_va = 0x7fffff5a000 end_va = 0x7fffff5bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff5a000" filename = "" Region: id = 1866 start_va = 0x7fffff5c000 end_va = 0x7fffff5dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff5c000" filename = "" Region: id = 1867 start_va = 0x7fffff5e000 end_va = 0x7fffff5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff5e000" filename = "" Region: id = 1868 start_va = 0x7fffff6a000 end_va = 0x7fffff6bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff6a000" filename = "" Region: id = 1869 start_va = 0x7fffff70000 end_va = 0x7fffff71fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff70000" filename = "" Region: id = 1870 start_va = 0x7fffff72000 end_va = 0x7fffff73fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff72000" filename = "" Region: id = 1871 start_va = 0x7fffff74000 end_va = 0x7fffff75fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff74000" filename = "" Region: id = 1872 start_va = 0x7fffff76000 end_va = 0x7fffff77fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff76000" filename = "" Region: id = 1873 start_va = 0x7fffff78000 end_va = 0x7fffff79fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff78000" filename = "" Region: id = 1874 start_va = 0x7fffff7c000 end_va = 0x7fffff7dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff7c000" filename = "" Region: id = 1875 start_va = 0x7fffff7e000 end_va = 0x7fffff7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff7e000" filename = "" Region: id = 1876 start_va = 0x7fffff80000 end_va = 0x7fffff81fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff80000" filename = "" Region: id = 1877 start_va = 0x7fffff82000 end_va = 0x7fffff83fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff82000" filename = "" Region: id = 1878 start_va = 0x7fffff84000 end_va = 0x7fffff85fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff84000" filename = "" Region: id = 1879 start_va = 0x7fffff8a000 end_va = 0x7fffff8bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8a000" filename = "" Region: id = 1880 start_va = 0x7fffff8c000 end_va = 0x7fffff8dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8c000" filename = "" Region: id = 1881 start_va = 0x7fffff8e000 end_va = 0x7fffff8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8e000" filename = "" Region: id = 1882 start_va = 0x7fffff90000 end_va = 0x7fffff91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff90000" filename = "" Region: id = 1883 start_va = 0x7fffff94000 end_va = 0x7fffff95fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 1884 start_va = 0x7fffff98000 end_va = 0x7fffff99fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 1885 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 1886 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 1887 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 1888 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 1889 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 1890 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 1891 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 1892 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 1893 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 1894 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1895 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 1896 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 1897 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 1898 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 1899 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2709 start_va = 0xb80000 end_va = 0xbfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 2710 start_va = 0x1c00000 end_va = 0x1c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c00000" filename = "" Region: id = 2711 start_va = 0x1dd0000 end_va = 0x1e4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001dd0000" filename = "" Region: id = 2712 start_va = 0x2350000 end_va = 0x23cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002350000" filename = "" Region: id = 2713 start_va = 0x2640000 end_va = 0x26bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 2714 start_va = 0x2a40000 end_va = 0x2abffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a40000" filename = "" Region: id = 2715 start_va = 0x7fffff92000 end_va = 0x7fffff93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff92000" filename = "" Region: id = 2716 start_va = 0x7fffff96000 end_va = 0x7fffff97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 2717 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 2718 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2719 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 2720 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2737 start_va = 0xa90000 end_va = 0xa92fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a90000" filename = "" Thread: id = 80 os_tid = 0xb28 Thread: id = 81 os_tid = 0xf64 Thread: id = 82 os_tid = 0xe28 Thread: id = 83 os_tid = 0xe24 Thread: id = 84 os_tid = 0xd8c Thread: id = 85 os_tid = 0x8c8 Thread: id = 86 os_tid = 0x898 Thread: id = 87 os_tid = 0x890 Thread: id = 88 os_tid = 0x5f0 Thread: id = 89 os_tid = 0x204 Thread: id = 90 os_tid = 0x210 Thread: id = 91 os_tid = 0x6b8 Thread: id = 92 os_tid = 0x23c Thread: id = 93 os_tid = 0x600 Thread: id = 94 os_tid = 0x7cc Thread: id = 95 os_tid = 0x408 Thread: id = 96 os_tid = 0x284 Thread: id = 97 os_tid = 0x740 Thread: id = 98 os_tid = 0x700 Thread: id = 99 os_tid = 0x6d4 Thread: id = 100 os_tid = 0x6c4 Thread: id = 101 os_tid = 0x6c0 Thread: id = 102 os_tid = 0x690 Thread: id = 103 os_tid = 0x67c Thread: id = 104 os_tid = 0x46c Thread: id = 105 os_tid = 0x464 Thread: id = 106 os_tid = 0x460 Thread: id = 107 os_tid = 0x440 Thread: id = 108 os_tid = 0x42c Thread: id = 109 os_tid = 0x3f8 Thread: id = 110 os_tid = 0x3e4 Thread: id = 111 os_tid = 0x3d8 Thread: id = 112 os_tid = 0x340 Thread: id = 113 os_tid = 0x338 Thread: id = 130 os_tid = 0xbe4 Thread: id = 131 os_tid = 0xbe0 Thread: id = 132 os_tid = 0xbdc Thread: id = 133 os_tid = 0xbd8 Thread: id = 134 os_tid = 0xbd4 Thread: id = 135 os_tid = 0xbd0 Process: id = "7" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x47437000" os_pid = "0xc80" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "6" os_parent_pid = "0x248" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:0004975a" [0xc000000f] Region: id = 1907 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1908 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1909 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1910 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1911 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1912 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 1913 start_va = 0xd0000 end_va = 0xd4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 1914 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1915 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 1916 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1917 start_va = 0x110000 end_va = 0x11cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 1918 start_va = 0x130000 end_va = 0x13ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1919 start_va = 0x150000 end_va = 0x152fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cimwin32.dll.mui" filename = "\\Windows\\System32\\wbem\\en-US\\cimwin32.dll.mui" (normalized: "c:\\windows\\system32\\wbem\\en-us\\cimwin32.dll.mui") Region: id = 1920 start_va = 0x180000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 1921 start_va = 0x200000 end_va = 0x2fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1922 start_va = 0x340000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 1923 start_va = 0x440000 end_va = 0x5c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 1924 start_va = 0x5d0000 end_va = 0x750fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 1925 start_va = 0x760000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 1926 start_va = 0x820000 end_va = 0xaeefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1927 start_va = 0xb40000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 1928 start_va = 0xc70000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 1929 start_va = 0xd00000 end_va = 0xd7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 1930 start_va = 0xdd0000 end_va = 0xe4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 1931 start_va = 0xe70000 end_va = 0xeeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 1932 start_va = 0xf90000 end_va = 0x100ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 1933 start_va = 0x10d0000 end_va = 0x114ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010d0000" filename = "" Region: id = 1934 start_va = 0x1150000 end_va = 0x124ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 1935 start_va = 0x72460000 end_va = 0x72462fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "security.dll" filename = "\\Windows\\System32\\security.dll" (normalized: "c:\\windows\\system32\\security.dll") Region: id = 1936 start_va = 0x72470000 end_va = 0x72472fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wmi.dll" filename = "\\Windows\\System32\\wmi.dll" (normalized: "c:\\windows\\system32\\wmi.dll") Region: id = 1937 start_va = 0x76c40000 end_va = 0x76d5efff monitored = 0 entry_point = 0x76c55340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1938 start_va = 0x76d60000 end_va = 0x76e59fff monitored = 0 entry_point = 0x76d7a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1939 start_va = 0x76e60000 end_va = 0x77008fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1940 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1941 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1942 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1943 start_va = 0x13fd40000 end_va = 0x13fdabfff monitored = 0 entry_point = 0x13fd7b450 region_type = mapped_file name = "wmiprvse.exe" filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe") Region: id = 1944 start_va = 0x7feef600000 end_va = 0x7feef7f9fff monitored = 0 entry_point = 0x7feef614c9c region_type = mapped_file name = "cimwin32.dll" filename = "\\Windows\\System32\\wbem\\cimwin32.dll" (normalized: "c:\\windows\\system32\\wbem\\cimwin32.dll") Region: id = 1945 start_va = 0x7fef0000000 end_va = 0x7fef0011fff monitored = 0 entry_point = 0x7fef000aab8 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 1946 start_va = 0x7fef0260000 end_va = 0x7fef0267fff monitored = 0 entry_point = 0x7fef02611a0 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 1947 start_va = 0x7fef0350000 end_va = 0x7fef0359fff monitored = 0 entry_point = 0x7fef03531c8 region_type = mapped_file name = "schedcli.dll" filename = "\\Windows\\System32\\schedcli.dll" (normalized: "c:\\windows\\system32\\schedcli.dll") Region: id = 1948 start_va = 0x7fef4520000 end_va = 0x7fef4531fff monitored = 0 entry_point = 0x7fef45289d0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 1949 start_va = 0x7fef46e0000 end_va = 0x7fef4700fff monitored = 0 entry_point = 0x7fef46f03b0 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 1950 start_va = 0x7fef4780000 end_va = 0x7fef4792fff monitored = 0 entry_point = 0x7fef4781d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1951 start_va = 0x7fef4a60000 end_va = 0x7fef4a86fff monitored = 0 entry_point = 0x7fef4a611a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 1952 start_va = 0x7fef4a90000 end_va = 0x7fef4b62fff monitored = 0 entry_point = 0x7fef4b08b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 1953 start_va = 0x7fef7730000 end_va = 0x7fef775bfff monitored = 0 entry_point = 0x7fef7748194 region_type = mapped_file name = "wmipcima.dll" filename = "\\Windows\\System32\\wbem\\wmipcima.dll" (normalized: "c:\\windows\\system32\\wbem\\wmipcima.dll") Region: id = 1954 start_va = 0x7fef8540000 end_va = 0x7fef8582fff monitored = 0 entry_point = 0x7fef8561b50 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 1955 start_va = 0x7fef8940000 end_va = 0x7fef894efff monitored = 0 entry_point = 0x7fef8941040 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 1956 start_va = 0x7fefa960000 end_va = 0x7fefa96bfff monitored = 0 entry_point = 0x7fefa9615d8 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 1957 start_va = 0x7fefad20000 end_va = 0x7fefad2dfff monitored = 0 entry_point = 0x7fefad25500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1958 start_va = 0x7fefadf0000 end_va = 0x7fefae66fff monitored = 0 entry_point = 0x7fefae2e7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 1959 start_va = 0x7fefae70000 end_va = 0x7fefae83fff monitored = 0 entry_point = 0x7fefae716b4 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 1960 start_va = 0x7fefae90000 end_va = 0x7fefaea4fff monitored = 0 entry_point = 0x7fefae91050 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1961 start_va = 0x7fefaeb0000 end_va = 0x7fefaebbfff monitored = 0 entry_point = 0x7fefaeb18a4 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1962 start_va = 0x7fefaec0000 end_va = 0x7fefaed5fff monitored = 0 entry_point = 0x7fefaec11a0 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1963 start_va = 0x7fefaff0000 end_va = 0x7fefb000fff monitored = 0 entry_point = 0x7fefaff1070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1964 start_va = 0x7fefbcc0000 end_va = 0x7fefbcebfff monitored = 0 entry_point = 0x7fefbcc15c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1965 start_va = 0x7fefbda0000 end_va = 0x7fefbdccfff monitored = 0 entry_point = 0x7fefbda1010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1966 start_va = 0x7fefc2a0000 end_va = 0x7fefc2a9fff monitored = 0 entry_point = 0x7fefc2a3cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 1967 start_va = 0x7fefc3a0000 end_va = 0x7fefc3e6fff monitored = 0 entry_point = 0x7fefc3a1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1968 start_va = 0x7fefc430000 end_va = 0x7fefc486fff monitored = 0 entry_point = 0x7fefc435e38 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 1969 start_va = 0x7fefc490000 end_va = 0x7fefc4bffff monitored = 0 entry_point = 0x7fefc49194c region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 1970 start_va = 0x7fefc6a0000 end_va = 0x7fefc6b7fff monitored = 0 entry_point = 0x7fefc6a3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1971 start_va = 0x7fefc810000 end_va = 0x7fefc831fff monitored = 0 entry_point = 0x7fefc815d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1972 start_va = 0x7fefcba0000 end_va = 0x7fefcbc2fff monitored = 0 entry_point = 0x7fefcba1198 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1973 start_va = 0x7fefcc40000 end_va = 0x7fefcc4afff monitored = 0 entry_point = 0x7fefcc41030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1974 start_va = 0x7fefcc70000 end_va = 0x7fefcc94fff monitored = 0 entry_point = 0x7fefcc79658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1975 start_va = 0x7fefcca0000 end_va = 0x7fefccaefff monitored = 0 entry_point = 0x7fefcca1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1976 start_va = 0x7fefcd50000 end_va = 0x7fefcd8cfff monitored = 0 entry_point = 0x7fefcd518f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1977 start_va = 0x7fefcd90000 end_va = 0x7fefcda3fff monitored = 0 entry_point = 0x7fefcd910e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1978 start_va = 0x7fefce50000 end_va = 0x7fefce5efff monitored = 0 entry_point = 0x7fefce51020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1979 start_va = 0x7fefce60000 end_va = 0x7fefcecbfff monitored = 0 entry_point = 0x7fefce62780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1980 start_va = 0x7fefced0000 end_va = 0x7fefcf05fff monitored = 0 entry_point = 0x7fefced1474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1981 start_va = 0x7fefcf10000 end_va = 0x7fefcf29fff monitored = 0 entry_point = 0x7fefcf11558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1982 start_va = 0x7fefcf30000 end_va = 0x7fefcf6afff monitored = 0 entry_point = 0x7fefcf31324 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 1983 start_va = 0x7fefcf70000 end_va = 0x7fefd0dcfff monitored = 0 entry_point = 0x7fefcf710b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1984 start_va = 0x7fefd180000 end_va = 0x7fefd382fff monitored = 0 entry_point = 0x7fefd1a3330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1985 start_va = 0x7fefd390000 end_va = 0x7fefd3bdfff monitored = 0 entry_point = 0x7fefd391010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1986 start_va = 0x7fefd3c0000 end_va = 0x7fefd49afff monitored = 0 entry_point = 0x7fefd3e0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1987 start_va = 0x7fefd4a0000 end_va = 0x7fefd5ccfff monitored = 0 entry_point = 0x7fefd4eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1988 start_va = 0x7fefd650000 end_va = 0x7fefd758fff monitored = 0 entry_point = 0x7fefd651064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1989 start_va = 0x7fefd760000 end_va = 0x7fefd7b1fff monitored = 0 entry_point = 0x7fefd7610d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1990 start_va = 0x7fefd7c0000 end_va = 0x7fefd996fff monitored = 0 entry_point = 0x7fefd7c1010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 1991 start_va = 0x7fefda20000 end_va = 0x7fefda86fff monitored = 0 entry_point = 0x7fefda2b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1992 start_va = 0x7fefda90000 end_va = 0x7fefda9dfff monitored = 0 entry_point = 0x7fefda91080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1993 start_va = 0x7fefdaa0000 end_va = 0x7fefdaa7fff monitored = 0 entry_point = 0x7fefdaa1504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1994 start_va = 0x7fefdb50000 end_va = 0x7fefdbe8fff monitored = 0 entry_point = 0x7fefdb51c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1995 start_va = 0x7fefdbf0000 end_va = 0x7fefdcb8fff monitored = 0 entry_point = 0x7fefdc6a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1996 start_va = 0x7fefdcc0000 end_va = 0x7fefdd96fff monitored = 0 entry_point = 0x7fefdcc3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1997 start_va = 0x7fefdda0000 end_va = 0x7fefddecfff monitored = 0 entry_point = 0x7fefdda1070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1998 start_va = 0x7fefeb80000 end_va = 0x7fefeb9efff monitored = 0 entry_point = 0x7fefeb860e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1999 start_va = 0x7feff0d0000 end_va = 0x7feff16efff monitored = 0 entry_point = 0x7feff0d25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2000 start_va = 0x7feff180000 end_va = 0x7feff180fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2001 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 2002 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2003 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2004 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 2005 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 2006 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 2007 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 2008 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 2009 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2010 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2011 start_va = 0x120000 end_va = 0x122fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 2041 start_va = 0x120000 end_va = 0x121fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 2042 start_va = 0x140000 end_va = 0x144fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 2043 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "workflowservicehostperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WorkflowServiceHostPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\workflowservicehostperformancecounters.dll") Region: id = 2044 start_va = 0x140000 end_va = 0x145fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "workflowservicehostperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\WorkflowServiceHostPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\workflowservicehostperformancecounters.dll.mui") Region: id = 2045 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "workflowservicehostperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WorkflowServiceHostPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\workflowservicehostperformancecounters.dll") Region: id = 2046 start_va = 0x140000 end_va = 0x145fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "workflowservicehostperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\WorkflowServiceHostPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\workflowservicehostperformancecounters.dll.mui") Region: id = 2047 start_va = 0xbc0000 end_va = 0xc13fff monitored = 0 entry_point = 0xbd3450 region_type = mapped_file name = "lsm.exe" filename = "\\Windows\\System32\\lsm.exe" (normalized: "c:\\windows\\system32\\lsm.exe") Region: id = 2048 start_va = 0x140000 end_va = 0x141fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "lsm.exe.mui" filename = "\\Windows\\System32\\en-US\\lsm.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\lsm.exe.mui") Region: id = 2049 start_va = 0xbc0000 end_va = 0xc13fff monitored = 0 entry_point = 0xbd3450 region_type = mapped_file name = "lsm.exe" filename = "\\Windows\\System32\\lsm.exe" (normalized: "c:\\windows\\system32\\lsm.exe") Region: id = 2050 start_va = 0x140000 end_va = 0x141fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "lsm.exe.mui" filename = "\\Windows\\System32\\en-US\\lsm.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\lsm.exe.mui") Region: id = 2051 start_va = 0x300000 end_va = 0x320fff monitored = 0 entry_point = 0x31a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 2052 start_va = 0x140000 end_va = 0x143fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 2053 start_va = 0x300000 end_va = 0x320fff monitored = 0 entry_point = 0x31a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 2054 start_va = 0x140000 end_va = 0x143fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 2055 start_va = 0x300000 end_va = 0x320fff monitored = 0 entry_point = 0x31a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 2056 start_va = 0x140000 end_va = 0x143fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 2057 start_va = 0x300000 end_va = 0x320fff monitored = 0 entry_point = 0x31a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 2058 start_va = 0x140000 end_va = 0x143fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 2059 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2060 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2061 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2062 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2063 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2064 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2065 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2066 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2067 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2068 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2069 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2070 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2071 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2072 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2073 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2074 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2075 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xb368c8 region_type = mapped_file name = "pnrpsvc.dll" filename = "\\Windows\\System32\\pnrpsvc.dll" (normalized: "c:\\windows\\system32\\pnrpsvc.dll") Region: id = 2076 start_va = 0x140000 end_va = 0x142fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pnrpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\pnrpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\pnrpsvc.dll.mui") Region: id = 2077 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xb368c8 region_type = mapped_file name = "pnrpsvc.dll" filename = "\\Windows\\System32\\pnrpsvc.dll" (normalized: "c:\\windows\\system32\\pnrpsvc.dll") Region: id = 2078 start_va = 0x140000 end_va = 0x142fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pnrpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\pnrpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\pnrpsvc.dll.mui") Region: id = 2079 start_va = 0x1250000 end_va = 0x132bfff monitored = 0 entry_point = 0x12c5ec8 region_type = mapped_file name = "azroles.dll" filename = "\\Windows\\System32\\azroles.dll" (normalized: "c:\\windows\\system32\\azroles.dll") Region: id = 2080 start_va = 0x140000 end_va = 0x140fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "azroles.dll.mui" filename = "\\Windows\\System32\\en-US\\azroles.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\azroles.dll.mui") Region: id = 2081 start_va = 0x1250000 end_va = 0x132bfff monitored = 0 entry_point = 0x12c5ec8 region_type = mapped_file name = "azroles.dll" filename = "\\Windows\\System32\\azroles.dll" (normalized: "c:\\windows\\system32\\azroles.dll") Region: id = 2082 start_va = 0x140000 end_va = 0x140fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "azroles.dll.mui" filename = "\\Windows\\System32\\en-US\\azroles.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\azroles.dll.mui") Region: id = 2083 start_va = 0x1250000 end_va = 0x1331fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll" filename = "\\Windows\\System32\\FXSRESM.dll" (normalized: "c:\\windows\\system32\\fxsresm.dll") Region: id = 2084 start_va = 0x300000 end_va = 0x328fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll.mui" filename = "\\Windows\\System32\\en-US\\FXSRESM.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fxsresm.dll.mui") Region: id = 2085 start_va = 0x1250000 end_va = 0x1331fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll" filename = "\\Windows\\System32\\FXSRESM.dll" (normalized: "c:\\windows\\system32\\fxsresm.dll") Region: id = 2086 start_va = 0x300000 end_va = 0x328fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll.mui" filename = "\\Windows\\System32\\en-US\\FXSRESM.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fxsresm.dll.mui") Region: id = 2087 start_va = 0xbc0000 end_va = 0xc68fff monitored = 0 entry_point = 0xbd18d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 2088 start_va = 0x140000 end_va = 0x144fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 2089 start_va = 0xbc0000 end_va = 0xc68fff monitored = 0 entry_point = 0xbd18d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 2090 start_va = 0x140000 end_va = 0x144fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 2091 start_va = 0xbc0000 end_va = 0xc68fff monitored = 0 entry_point = 0xbd18d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 2092 start_va = 0x140000 end_va = 0x144fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 2093 start_va = 0xbc0000 end_va = 0xc68fff monitored = 0 entry_point = 0xbd18d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 2094 start_va = 0x140000 end_va = 0x144fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 2095 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2096 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2097 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2098 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2099 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2100 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2101 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2102 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2103 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2104 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2105 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2106 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2107 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2108 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2109 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2110 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2111 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2112 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2113 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2114 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2115 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2116 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2117 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2118 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2119 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2120 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2121 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2122 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2123 start_va = 0xbc0000 end_va = 0xc4afff monitored = 0 entry_point = 0xc351ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2124 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2125 start_va = 0xbc0000 end_va = 0xc4afff monitored = 0 entry_point = 0xc351ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2126 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2127 start_va = 0xbc0000 end_va = 0xc4afff monitored = 0 entry_point = 0xc351ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2128 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2129 start_va = 0xbc0000 end_va = 0xc4afff monitored = 0 entry_point = 0xc351ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2130 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2131 start_va = 0xbc0000 end_va = 0xc4afff monitored = 0 entry_point = 0xc351ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2132 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2133 start_va = 0xbc0000 end_va = 0xc4afff monitored = 0 entry_point = 0xc351ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2134 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2135 start_va = 0xbc0000 end_va = 0xc4afff monitored = 0 entry_point = 0xc351ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2136 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2137 start_va = 0xbc0000 end_va = 0xc4afff monitored = 0 entry_point = 0xc351ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2138 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2139 start_va = 0xbc0000 end_va = 0xc4afff monitored = 0 entry_point = 0xc351ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2140 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2141 start_va = 0xbc0000 end_va = 0xc4afff monitored = 0 entry_point = 0xc351ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2142 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2143 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 2144 start_va = 0x140000 end_va = 0x14bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 2145 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 2146 start_va = 0x140000 end_va = 0x14bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 2147 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 2148 start_va = 0x140000 end_va = 0x14bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 2149 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 2150 start_va = 0x140000 end_va = 0x14bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 2151 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 2152 start_va = 0x140000 end_va = 0x14bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 2153 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 2154 start_va = 0x140000 end_va = 0x14bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 2155 start_va = 0x300000 end_va = 0x327fff monitored = 0 entry_point = 0x301860 region_type = mapped_file name = "umpo.dll" filename = "\\Windows\\System32\\umpo.dll" (normalized: "c:\\windows\\system32\\umpo.dll") Region: id = 2156 start_va = 0x140000 end_va = 0x140fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "umpo.dll.mui" filename = "\\Windows\\System32\\en-US\\umpo.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\umpo.dll.mui") Region: id = 2157 start_va = 0x300000 end_va = 0x327fff monitored = 0 entry_point = 0x301860 region_type = mapped_file name = "umpo.dll" filename = "\\Windows\\System32\\umpo.dll" (normalized: "c:\\windows\\system32\\umpo.dll") Region: id = 2158 start_va = 0x140000 end_va = 0x140fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "umpo.dll.mui" filename = "\\Windows\\System32\\en-US\\umpo.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\umpo.dll.mui") Region: id = 2159 start_va = 0x140000 end_va = 0x14afff monitored = 0 entry_point = 0x1411a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 2160 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 2161 start_va = 0x140000 end_va = 0x14afff monitored = 0 entry_point = 0x1411a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 2162 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 2163 start_va = 0x140000 end_va = 0x14afff monitored = 0 entry_point = 0x1411a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 2164 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 2165 start_va = 0x140000 end_va = 0x14afff monitored = 0 entry_point = 0x1411a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 2166 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 2167 start_va = 0x140000 end_va = 0x14afff monitored = 0 entry_point = 0x1411a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 2168 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 2169 start_va = 0x140000 end_va = 0x14afff monitored = 0 entry_point = 0x1411a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 2170 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 2171 start_va = 0x140000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\PSEvents.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\psevents.dll") Region: id = 2172 start_va = 0x160000 end_va = 0x16dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\PSEvents.dll.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\psevents.dll.mui") Region: id = 2173 start_va = 0x140000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\PSEvents.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\psevents.dll") Region: id = 2174 start_va = 0x160000 end_va = 0x16dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\PSEvents.dll.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\psevents.dll.mui") Region: id = 2175 start_va = 0x1250000 end_va = 0x2044fff monitored = 0 entry_point = 0x1333268 region_type = mapped_file name = "wmp.dll" filename = "\\Windows\\System32\\wmp.dll" (normalized: "c:\\windows\\system32\\wmp.dll") Region: id = 2176 start_va = 0x1250000 end_va = 0x2044fff monitored = 0 entry_point = 0x1333268 region_type = mapped_file name = "wmp.dll" filename = "\\Windows\\System32\\wmp.dll" (normalized: "c:\\windows\\system32\\wmp.dll") Region: id = 2177 start_va = 0xbc0000 end_va = 0xc69fff monitored = 0 entry_point = 0xbd4100 region_type = mapped_file name = "netlogon.dll" filename = "\\Windows\\System32\\netlogon.dll" (normalized: "c:\\windows\\system32\\netlogon.dll") Region: id = 2178 start_va = 0x140000 end_va = 0x143fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netlogon.dll.mui" filename = "\\Windows\\System32\\en-US\\netlogon.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netlogon.dll.mui") Region: id = 2179 start_va = 0xbc0000 end_va = 0xc69fff monitored = 0 entry_point = 0xbd4100 region_type = mapped_file name = "netlogon.dll" filename = "\\Windows\\System32\\netlogon.dll" (normalized: "c:\\windows\\system32\\netlogon.dll") Region: id = 2180 start_va = 0x140000 end_va = 0x143fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netlogon.dll.mui" filename = "\\Windows\\System32\\en-US\\netlogon.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netlogon.dll.mui") Region: id = 2181 start_va = 0xaf0000 end_va = 0xb37fff monitored = 0 entry_point = 0xb2fd0c region_type = mapped_file name = "drt.dll" filename = "\\Windows\\System32\\drt.dll" (normalized: "c:\\windows\\system32\\drt.dll") Region: id = 2182 start_va = 0x140000 end_va = 0x142fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "drt.dll.mui" filename = "\\Windows\\System32\\en-US\\drt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\drt.dll.mui") Region: id = 2183 start_va = 0xaf0000 end_va = 0xb37fff monitored = 0 entry_point = 0xb2fd0c region_type = mapped_file name = "drt.dll" filename = "\\Windows\\System32\\drt.dll" (normalized: "c:\\windows\\system32\\drt.dll") Region: id = 2184 start_va = 0x140000 end_va = 0x142fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "drt.dll.mui" filename = "\\Windows\\System32\\en-US\\drt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\drt.dll.mui") Region: id = 2185 start_va = 0x1250000 end_va = 0x1338fff monitored = 0 entry_point = 0x132906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 2186 start_va = 0x140000 end_va = 0x148fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 2187 start_va = 0x1250000 end_va = 0x1338fff monitored = 0 entry_point = 0x132906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 2188 start_va = 0x140000 end_va = 0x148fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 2189 start_va = 0x1250000 end_va = 0x1338fff monitored = 0 entry_point = 0x132906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 2190 start_va = 0x140000 end_va = 0x148fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 2191 start_va = 0x1250000 end_va = 0x1338fff monitored = 0 entry_point = 0x132906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 2192 start_va = 0x140000 end_va = 0x148fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 2193 start_va = 0xbc0000 end_va = 0xc11fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "advapi32.dll.mui" filename = "\\Windows\\System32\\en-US\\advapi32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\advapi32.dll.mui") Region: id = 2194 start_va = 0x1250000 end_va = 0x139cfff monitored = 0 entry_point = 0x1352a88 region_type = mapped_file name = "peerdistsvc.dll" filename = "\\Windows\\System32\\PeerDistSvc.dll" (normalized: "c:\\windows\\system32\\peerdistsvc.dll") Region: id = 2195 start_va = 0x140000 end_va = 0x145fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsvc.dll.mui") Region: id = 2196 start_va = 0x1250000 end_va = 0x139cfff monitored = 0 entry_point = 0x1352a88 region_type = mapped_file name = "peerdistsvc.dll" filename = "\\Windows\\System32\\PeerDistSvc.dll" (normalized: "c:\\windows\\system32\\peerdistsvc.dll") Region: id = 2197 start_va = 0x140000 end_va = 0x145fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsvc.dll.mui") Region: id = 2198 start_va = 0x140000 end_va = 0x14efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll" filename = "\\Windows\\System32\\WsmRes.dll" (normalized: "c:\\windows\\system32\\wsmres.dll") Region: id = 2199 start_va = 0xef0000 end_va = 0xf49fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll.mui" filename = "\\Windows\\System32\\en-US\\WsmRes.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wsmres.dll.mui") Region: id = 2200 start_va = 0x140000 end_va = 0x14efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll" filename = "\\Windows\\System32\\WsmRes.dll" (normalized: "c:\\windows\\system32\\wsmres.dll") Region: id = 2201 start_va = 0xef0000 end_va = 0xf49fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll.mui" filename = "\\Windows\\System32\\en-US\\WsmRes.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wsmres.dll.mui") Region: id = 2202 start_va = 0x140000 end_va = 0x14ffff monitored = 0 entry_point = 0x14a33c region_type = mapped_file name = "tbssvc.dll" filename = "\\Windows\\System32\\tbssvc.dll" (normalized: "c:\\windows\\system32\\tbssvc.dll") Region: id = 2203 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tbssvc.dll.mui" filename = "\\Windows\\System32\\en-US\\tbssvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tbssvc.dll.mui") Region: id = 2204 start_va = 0x140000 end_va = 0x14ffff monitored = 0 entry_point = 0x14a33c region_type = mapped_file name = "tbssvc.dll" filename = "\\Windows\\System32\\tbssvc.dll" (normalized: "c:\\windows\\system32\\tbssvc.dll") Region: id = 2205 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tbssvc.dll.mui" filename = "\\Windows\\System32\\en-US\\tbssvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tbssvc.dll.mui") Region: id = 2206 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "workflowservicehostperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WorkflowServiceHostPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\workflowservicehostperformancecounters.dll") Region: id = 2207 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "workflowservicehostperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WorkflowServiceHostPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\workflowservicehostperformancecounters.dll") Region: id = 2208 start_va = 0x140000 end_va = 0x145fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "workflowservicehostperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\WorkflowServiceHostPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\workflowservicehostperformancecounters.dll.mui") Region: id = 2209 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "workflowservicehostperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WorkflowServiceHostPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\workflowservicehostperformancecounters.dll") Region: id = 2210 start_va = 0x140000 end_va = 0x145fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "workflowservicehostperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\WorkflowServiceHostPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\workflowservicehostperformancecounters.dll.mui") Region: id = 2211 start_va = 0xef0000 end_va = 0xf43fff monitored = 0 entry_point = 0xf03450 region_type = mapped_file name = "lsm.exe" filename = "\\Windows\\System32\\lsm.exe" (normalized: "c:\\windows\\system32\\lsm.exe") Region: id = 2212 start_va = 0x140000 end_va = 0x141fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "lsm.exe.mui" filename = "\\Windows\\System32\\en-US\\lsm.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\lsm.exe.mui") Region: id = 2213 start_va = 0xef0000 end_va = 0xf43fff monitored = 0 entry_point = 0xf03450 region_type = mapped_file name = "lsm.exe" filename = "\\Windows\\System32\\lsm.exe" (normalized: "c:\\windows\\system32\\lsm.exe") Region: id = 2214 start_va = 0x140000 end_va = 0x141fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "lsm.exe.mui" filename = "\\Windows\\System32\\en-US\\lsm.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\lsm.exe.mui") Region: id = 2215 start_va = 0x300000 end_va = 0x320fff monitored = 0 entry_point = 0x31a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 2216 start_va = 0x140000 end_va = 0x143fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 2217 start_va = 0x300000 end_va = 0x320fff monitored = 0 entry_point = 0x31a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 2218 start_va = 0x140000 end_va = 0x143fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 2219 start_va = 0x300000 end_va = 0x320fff monitored = 0 entry_point = 0x31a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 2220 start_va = 0x140000 end_va = 0x143fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 2221 start_va = 0x300000 end_va = 0x320fff monitored = 0 entry_point = 0x31a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 2222 start_va = 0x140000 end_va = 0x143fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 2223 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2224 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2225 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2226 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2227 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2228 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2229 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2230 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2231 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2232 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2233 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2234 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2235 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2236 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2237 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2238 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2239 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2240 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2241 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xb368c8 region_type = mapped_file name = "pnrpsvc.dll" filename = "\\Windows\\System32\\pnrpsvc.dll" (normalized: "c:\\windows\\system32\\pnrpsvc.dll") Region: id = 2242 start_va = 0x140000 end_va = 0x142fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pnrpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\pnrpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\pnrpsvc.dll.mui") Region: id = 2243 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xb368c8 region_type = mapped_file name = "pnrpsvc.dll" filename = "\\Windows\\System32\\pnrpsvc.dll" (normalized: "c:\\windows\\system32\\pnrpsvc.dll") Region: id = 2244 start_va = 0x140000 end_va = 0x142fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pnrpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\pnrpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\pnrpsvc.dll.mui") Region: id = 2245 start_va = 0x1250000 end_va = 0x132bfff monitored = 0 entry_point = 0x12c5ec8 region_type = mapped_file name = "azroles.dll" filename = "\\Windows\\System32\\azroles.dll" (normalized: "c:\\windows\\system32\\azroles.dll") Region: id = 2246 start_va = 0x140000 end_va = 0x140fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "azroles.dll.mui" filename = "\\Windows\\System32\\en-US\\azroles.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\azroles.dll.mui") Region: id = 2247 start_va = 0x1250000 end_va = 0x132bfff monitored = 0 entry_point = 0x12c5ec8 region_type = mapped_file name = "azroles.dll" filename = "\\Windows\\System32\\azroles.dll" (normalized: "c:\\windows\\system32\\azroles.dll") Region: id = 2248 start_va = 0x140000 end_va = 0x140fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "azroles.dll.mui" filename = "\\Windows\\System32\\en-US\\azroles.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\azroles.dll.mui") Region: id = 2249 start_va = 0x1250000 end_va = 0x1331fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll" filename = "\\Windows\\System32\\FXSRESM.dll" (normalized: "c:\\windows\\system32\\fxsresm.dll") Region: id = 2250 start_va = 0x300000 end_va = 0x328fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll.mui" filename = "\\Windows\\System32\\en-US\\FXSRESM.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fxsresm.dll.mui") Region: id = 2251 start_va = 0x1250000 end_va = 0x1331fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll" filename = "\\Windows\\System32\\FXSRESM.dll" (normalized: "c:\\windows\\system32\\fxsresm.dll") Region: id = 2252 start_va = 0x300000 end_va = 0x328fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll.mui" filename = "\\Windows\\System32\\en-US\\FXSRESM.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fxsresm.dll.mui") Region: id = 2253 start_va = 0x1010000 end_va = 0x10b8fff monitored = 0 entry_point = 0x10218d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 2254 start_va = 0x140000 end_va = 0x144fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 2255 start_va = 0x1010000 end_va = 0x10b8fff monitored = 0 entry_point = 0x10218d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 2256 start_va = 0x140000 end_va = 0x144fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 2257 start_va = 0x1010000 end_va = 0x10b8fff monitored = 0 entry_point = 0x10218d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 2258 start_va = 0x140000 end_va = 0x144fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 2259 start_va = 0x1010000 end_va = 0x10b8fff monitored = 0 entry_point = 0x10218d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 2260 start_va = 0x140000 end_va = 0x144fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 2261 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2262 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2263 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2264 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2265 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2266 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2267 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2268 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2269 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2270 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2271 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2272 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2273 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2274 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2275 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2276 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2277 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2278 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2279 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2280 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2281 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2282 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2283 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2284 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2285 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2286 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2287 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2288 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2289 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2290 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2291 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2292 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2293 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2294 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2295 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2296 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2297 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2298 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2299 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2300 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2301 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2302 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2303 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2304 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2305 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2306 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2307 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2308 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2309 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 2310 start_va = 0x140000 end_va = 0x14bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 2311 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 2312 start_va = 0x140000 end_va = 0x14bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 2313 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 2314 start_va = 0x140000 end_va = 0x14bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 2315 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 2316 start_va = 0x140000 end_va = 0x14bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 2317 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 2318 start_va = 0x140000 end_va = 0x14bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 2319 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 2320 start_va = 0x140000 end_va = 0x14bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 2321 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 2322 start_va = 0x140000 end_va = 0x14bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 2323 start_va = 0x300000 end_va = 0x327fff monitored = 0 entry_point = 0x301860 region_type = mapped_file name = "umpo.dll" filename = "\\Windows\\System32\\umpo.dll" (normalized: "c:\\windows\\system32\\umpo.dll") Region: id = 2324 start_va = 0x140000 end_va = 0x140fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "umpo.dll.mui" filename = "\\Windows\\System32\\en-US\\umpo.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\umpo.dll.mui") Region: id = 2325 start_va = 0x300000 end_va = 0x327fff monitored = 0 entry_point = 0x301860 region_type = mapped_file name = "umpo.dll" filename = "\\Windows\\System32\\umpo.dll" (normalized: "c:\\windows\\system32\\umpo.dll") Region: id = 2326 start_va = 0x140000 end_va = 0x140fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "umpo.dll.mui" filename = "\\Windows\\System32\\en-US\\umpo.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\umpo.dll.mui") Region: id = 2327 start_va = 0x140000 end_va = 0x14afff monitored = 0 entry_point = 0x1411a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 2328 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 2329 start_va = 0x140000 end_va = 0x14afff monitored = 0 entry_point = 0x1411a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 2330 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 2331 start_va = 0x140000 end_va = 0x14afff monitored = 0 entry_point = 0x1411a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 2332 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 2333 start_va = 0x140000 end_va = 0x14afff monitored = 0 entry_point = 0x1411a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 2334 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 2335 start_va = 0x140000 end_va = 0x14afff monitored = 0 entry_point = 0x1411a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 2336 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 2337 start_va = 0x140000 end_va = 0x14afff monitored = 0 entry_point = 0x1411a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 2338 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 2339 start_va = 0x140000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\PSEvents.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\psevents.dll") Region: id = 2340 start_va = 0x160000 end_va = 0x16dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\PSEvents.dll.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\psevents.dll.mui") Region: id = 2341 start_va = 0x140000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\PSEvents.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\psevents.dll") Region: id = 2342 start_va = 0x160000 end_va = 0x16dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\PSEvents.dll.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\psevents.dll.mui") Region: id = 2343 start_va = 0x140000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\PSEvents.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\psevents.dll") Region: id = 2344 start_va = 0x160000 end_va = 0x16dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\PSEvents.dll.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\psevents.dll.mui") Region: id = 2345 start_va = 0x1250000 end_va = 0x2044fff monitored = 0 entry_point = 0x1333268 region_type = mapped_file name = "wmp.dll" filename = "\\Windows\\System32\\wmp.dll" (normalized: "c:\\windows\\system32\\wmp.dll") Region: id = 2346 start_va = 0x1250000 end_va = 0x2044fff monitored = 0 entry_point = 0x1333268 region_type = mapped_file name = "wmp.dll" filename = "\\Windows\\System32\\wmp.dll" (normalized: "c:\\windows\\system32\\wmp.dll") Region: id = 2347 start_va = 0x1010000 end_va = 0x10b9fff monitored = 0 entry_point = 0x1024100 region_type = mapped_file name = "netlogon.dll" filename = "\\Windows\\System32\\netlogon.dll" (normalized: "c:\\windows\\system32\\netlogon.dll") Region: id = 2348 start_va = 0x140000 end_va = 0x143fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netlogon.dll.mui" filename = "\\Windows\\System32\\en-US\\netlogon.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netlogon.dll.mui") Region: id = 2349 start_va = 0x1010000 end_va = 0x10b9fff monitored = 0 entry_point = 0x1024100 region_type = mapped_file name = "netlogon.dll" filename = "\\Windows\\System32\\netlogon.dll" (normalized: "c:\\windows\\system32\\netlogon.dll") Region: id = 2350 start_va = 0x140000 end_va = 0x143fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netlogon.dll.mui" filename = "\\Windows\\System32\\en-US\\netlogon.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netlogon.dll.mui") Region: id = 2351 start_va = 0xaf0000 end_va = 0xb37fff monitored = 0 entry_point = 0xb2fd0c region_type = mapped_file name = "drt.dll" filename = "\\Windows\\System32\\drt.dll" (normalized: "c:\\windows\\system32\\drt.dll") Region: id = 2352 start_va = 0x140000 end_va = 0x142fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "drt.dll.mui" filename = "\\Windows\\System32\\en-US\\drt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\drt.dll.mui") Region: id = 2353 start_va = 0xaf0000 end_va = 0xb37fff monitored = 0 entry_point = 0xb2fd0c region_type = mapped_file name = "drt.dll" filename = "\\Windows\\System32\\drt.dll" (normalized: "c:\\windows\\system32\\drt.dll") Region: id = 2354 start_va = 0x140000 end_va = 0x142fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "drt.dll.mui" filename = "\\Windows\\System32\\en-US\\drt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\drt.dll.mui") Region: id = 2355 start_va = 0x1250000 end_va = 0x1338fff monitored = 0 entry_point = 0x132906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 2356 start_va = 0x140000 end_va = 0x148fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 2357 start_va = 0x1250000 end_va = 0x1338fff monitored = 0 entry_point = 0x132906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 2358 start_va = 0x140000 end_va = 0x148fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 2359 start_va = 0x1250000 end_va = 0x1338fff monitored = 0 entry_point = 0x132906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 2360 start_va = 0x140000 end_va = 0x148fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 2361 start_va = 0x1250000 end_va = 0x1338fff monitored = 0 entry_point = 0x132906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 2362 start_va = 0x140000 end_va = 0x148fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 2363 start_va = 0x1250000 end_va = 0x139cfff monitored = 0 entry_point = 0x1352a88 region_type = mapped_file name = "peerdistsvc.dll" filename = "\\Windows\\System32\\PeerDistSvc.dll" (normalized: "c:\\windows\\system32\\peerdistsvc.dll") Region: id = 2364 start_va = 0x140000 end_va = 0x145fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsvc.dll.mui") Region: id = 2365 start_va = 0x1250000 end_va = 0x139cfff monitored = 0 entry_point = 0x1352a88 region_type = mapped_file name = "peerdistsvc.dll" filename = "\\Windows\\System32\\PeerDistSvc.dll" (normalized: "c:\\windows\\system32\\peerdistsvc.dll") Region: id = 2366 start_va = 0x140000 end_va = 0x145fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsvc.dll.mui") Region: id = 2367 start_va = 0x140000 end_va = 0x14efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll" filename = "\\Windows\\System32\\WsmRes.dll" (normalized: "c:\\windows\\system32\\wsmres.dll") Region: id = 2368 start_va = 0xef0000 end_va = 0xf49fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll.mui" filename = "\\Windows\\System32\\en-US\\WsmRes.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wsmres.dll.mui") Region: id = 2369 start_va = 0x140000 end_va = 0x14efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll" filename = "\\Windows\\System32\\WsmRes.dll" (normalized: "c:\\windows\\system32\\wsmres.dll") Region: id = 2370 start_va = 0xef0000 end_va = 0xf49fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll.mui" filename = "\\Windows\\System32\\en-US\\WsmRes.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wsmres.dll.mui") Region: id = 2371 start_va = 0x140000 end_va = 0x14ffff monitored = 0 entry_point = 0x14a33c region_type = mapped_file name = "tbssvc.dll" filename = "\\Windows\\System32\\tbssvc.dll" (normalized: "c:\\windows\\system32\\tbssvc.dll") Region: id = 2372 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tbssvc.dll.mui" filename = "\\Windows\\System32\\en-US\\tbssvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tbssvc.dll.mui") Region: id = 2373 start_va = 0x140000 end_va = 0x14ffff monitored = 0 entry_point = 0x14a33c region_type = mapped_file name = "tbssvc.dll" filename = "\\Windows\\System32\\tbssvc.dll" (normalized: "c:\\windows\\system32\\tbssvc.dll") Region: id = 2374 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tbssvc.dll.mui" filename = "\\Windows\\System32\\en-US\\tbssvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tbssvc.dll.mui") Region: id = 2375 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "workflowservicehostperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WorkflowServiceHostPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\workflowservicehostperformancecounters.dll") Region: id = 2376 start_va = 0x140000 end_va = 0x145fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "workflowservicehostperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\WorkflowServiceHostPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\workflowservicehostperformancecounters.dll.mui") Region: id = 2377 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "workflowservicehostperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WorkflowServiceHostPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\workflowservicehostperformancecounters.dll") Region: id = 2378 start_va = 0x140000 end_va = 0x145fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "workflowservicehostperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\WorkflowServiceHostPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\workflowservicehostperformancecounters.dll.mui") Region: id = 2379 start_va = 0xef0000 end_va = 0xf43fff monitored = 0 entry_point = 0xf03450 region_type = mapped_file name = "lsm.exe" filename = "\\Windows\\System32\\lsm.exe" (normalized: "c:\\windows\\system32\\lsm.exe") Region: id = 2380 start_va = 0x140000 end_va = 0x141fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "lsm.exe.mui" filename = "\\Windows\\System32\\en-US\\lsm.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\lsm.exe.mui") Region: id = 2381 start_va = 0xef0000 end_va = 0xf43fff monitored = 0 entry_point = 0xf03450 region_type = mapped_file name = "lsm.exe" filename = "\\Windows\\System32\\lsm.exe" (normalized: "c:\\windows\\system32\\lsm.exe") Region: id = 2382 start_va = 0x140000 end_va = 0x141fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "lsm.exe.mui" filename = "\\Windows\\System32\\en-US\\lsm.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\lsm.exe.mui") Region: id = 2383 start_va = 0x300000 end_va = 0x320fff monitored = 0 entry_point = 0x31a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 2384 start_va = 0x140000 end_va = 0x143fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 2385 start_va = 0x300000 end_va = 0x320fff monitored = 0 entry_point = 0x31a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 2386 start_va = 0x140000 end_va = 0x143fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 2387 start_va = 0x300000 end_va = 0x320fff monitored = 0 entry_point = 0x31a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 2388 start_va = 0x140000 end_va = 0x143fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 2389 start_va = 0x300000 end_va = 0x320fff monitored = 0 entry_point = 0x31a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 2390 start_va = 0x140000 end_va = 0x143fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 2391 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2392 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2393 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2394 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2395 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2396 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2397 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2398 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2399 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2400 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2401 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2402 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2403 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2404 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2405 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2406 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2407 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xb368c8 region_type = mapped_file name = "pnrpsvc.dll" filename = "\\Windows\\System32\\pnrpsvc.dll" (normalized: "c:\\windows\\system32\\pnrpsvc.dll") Region: id = 2408 start_va = 0x140000 end_va = 0x142fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pnrpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\pnrpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\pnrpsvc.dll.mui") Region: id = 2409 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xb368c8 region_type = mapped_file name = "pnrpsvc.dll" filename = "\\Windows\\System32\\pnrpsvc.dll" (normalized: "c:\\windows\\system32\\pnrpsvc.dll") Region: id = 2410 start_va = 0x140000 end_va = 0x142fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pnrpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\pnrpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\pnrpsvc.dll.mui") Region: id = 2411 start_va = 0x1250000 end_va = 0x132bfff monitored = 0 entry_point = 0x12c5ec8 region_type = mapped_file name = "azroles.dll" filename = "\\Windows\\System32\\azroles.dll" (normalized: "c:\\windows\\system32\\azroles.dll") Region: id = 2412 start_va = 0x140000 end_va = 0x140fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "azroles.dll.mui" filename = "\\Windows\\System32\\en-US\\azroles.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\azroles.dll.mui") Region: id = 2413 start_va = 0x1250000 end_va = 0x132bfff monitored = 0 entry_point = 0x12c5ec8 region_type = mapped_file name = "azroles.dll" filename = "\\Windows\\System32\\azroles.dll" (normalized: "c:\\windows\\system32\\azroles.dll") Region: id = 2414 start_va = 0x140000 end_va = 0x140fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "azroles.dll.mui" filename = "\\Windows\\System32\\en-US\\azroles.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\azroles.dll.mui") Region: id = 2415 start_va = 0x1250000 end_va = 0x1331fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll" filename = "\\Windows\\System32\\FXSRESM.dll" (normalized: "c:\\windows\\system32\\fxsresm.dll") Region: id = 2416 start_va = 0x300000 end_va = 0x328fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll.mui" filename = "\\Windows\\System32\\en-US\\FXSRESM.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fxsresm.dll.mui") Region: id = 2417 start_va = 0x1250000 end_va = 0x1331fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll" filename = "\\Windows\\System32\\FXSRESM.dll" (normalized: "c:\\windows\\system32\\fxsresm.dll") Region: id = 2418 start_va = 0x300000 end_va = 0x328fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll.mui" filename = "\\Windows\\System32\\en-US\\FXSRESM.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fxsresm.dll.mui") Region: id = 2419 start_va = 0x1010000 end_va = 0x10b8fff monitored = 0 entry_point = 0x10218d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 2420 start_va = 0x140000 end_va = 0x144fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 2421 start_va = 0x1010000 end_va = 0x10b8fff monitored = 0 entry_point = 0x10218d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 2422 start_va = 0x140000 end_va = 0x144fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 2423 start_va = 0x1010000 end_va = 0x10b8fff monitored = 0 entry_point = 0x10218d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 2424 start_va = 0x140000 end_va = 0x144fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 2425 start_va = 0x1010000 end_va = 0x10b8fff monitored = 0 entry_point = 0x10218d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 2426 start_va = 0x140000 end_va = 0x144fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 2427 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2428 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2429 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2430 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2431 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2432 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2433 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2434 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2435 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2436 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2437 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2438 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2439 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2440 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2441 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2442 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2443 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2444 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2445 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2446 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2447 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2448 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2449 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2450 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2451 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2452 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2453 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2454 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2455 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2456 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2457 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2458 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2459 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2460 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2461 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2462 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2463 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2464 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2465 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2466 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2467 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2468 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2469 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2470 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2471 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2472 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2473 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2474 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2475 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 2476 start_va = 0x140000 end_va = 0x14bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 2477 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 2478 start_va = 0x140000 end_va = 0x14bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 2479 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 2480 start_va = 0x140000 end_va = 0x14bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 2481 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 2482 start_va = 0x140000 end_va = 0x14bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 2483 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 2484 start_va = 0x140000 end_va = 0x14bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 2485 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 2486 start_va = 0x140000 end_va = 0x14bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 2487 start_va = 0x300000 end_va = 0x327fff monitored = 0 entry_point = 0x301860 region_type = mapped_file name = "umpo.dll" filename = "\\Windows\\System32\\umpo.dll" (normalized: "c:\\windows\\system32\\umpo.dll") Region: id = 2488 start_va = 0x140000 end_va = 0x140fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "umpo.dll.mui" filename = "\\Windows\\System32\\en-US\\umpo.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\umpo.dll.mui") Region: id = 2489 start_va = 0x300000 end_va = 0x327fff monitored = 0 entry_point = 0x301860 region_type = mapped_file name = "umpo.dll" filename = "\\Windows\\System32\\umpo.dll" (normalized: "c:\\windows\\system32\\umpo.dll") Region: id = 2490 start_va = 0x140000 end_va = 0x140fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "umpo.dll.mui" filename = "\\Windows\\System32\\en-US\\umpo.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\umpo.dll.mui") Region: id = 2491 start_va = 0x140000 end_va = 0x14afff monitored = 0 entry_point = 0x1411a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 2492 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 2493 start_va = 0x140000 end_va = 0x14afff monitored = 0 entry_point = 0x1411a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 2494 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 2495 start_va = 0x140000 end_va = 0x14afff monitored = 0 entry_point = 0x1411a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 2496 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 2497 start_va = 0x140000 end_va = 0x14afff monitored = 0 entry_point = 0x1411a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 2498 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 2499 start_va = 0x140000 end_va = 0x14afff monitored = 0 entry_point = 0x1411a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 2500 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 2501 start_va = 0x140000 end_va = 0x14afff monitored = 0 entry_point = 0x1411a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 2502 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 2503 start_va = 0x140000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\PSEvents.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\psevents.dll") Region: id = 2504 start_va = 0x160000 end_va = 0x16dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\PSEvents.dll.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\psevents.dll.mui") Region: id = 2505 start_va = 0x140000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\PSEvents.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\psevents.dll") Region: id = 2506 start_va = 0x160000 end_va = 0x16dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\PSEvents.dll.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\psevents.dll.mui") Region: id = 2507 start_va = 0x1250000 end_va = 0x2044fff monitored = 0 entry_point = 0x1333268 region_type = mapped_file name = "wmp.dll" filename = "\\Windows\\System32\\wmp.dll" (normalized: "c:\\windows\\system32\\wmp.dll") Region: id = 2508 start_va = 0x1250000 end_va = 0x2044fff monitored = 0 entry_point = 0x1333268 region_type = mapped_file name = "wmp.dll" filename = "\\Windows\\System32\\wmp.dll" (normalized: "c:\\windows\\system32\\wmp.dll") Region: id = 2509 start_va = 0x1010000 end_va = 0x10b9fff monitored = 0 entry_point = 0x1024100 region_type = mapped_file name = "netlogon.dll" filename = "\\Windows\\System32\\netlogon.dll" (normalized: "c:\\windows\\system32\\netlogon.dll") Region: id = 2510 start_va = 0x140000 end_va = 0x143fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netlogon.dll.mui" filename = "\\Windows\\System32\\en-US\\netlogon.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netlogon.dll.mui") Region: id = 2511 start_va = 0x1010000 end_va = 0x10b9fff monitored = 0 entry_point = 0x1024100 region_type = mapped_file name = "netlogon.dll" filename = "\\Windows\\System32\\netlogon.dll" (normalized: "c:\\windows\\system32\\netlogon.dll") Region: id = 2512 start_va = 0x140000 end_va = 0x143fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netlogon.dll.mui" filename = "\\Windows\\System32\\en-US\\netlogon.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netlogon.dll.mui") Region: id = 2513 start_va = 0xaf0000 end_va = 0xb37fff monitored = 0 entry_point = 0xb2fd0c region_type = mapped_file name = "drt.dll" filename = "\\Windows\\System32\\drt.dll" (normalized: "c:\\windows\\system32\\drt.dll") Region: id = 2514 start_va = 0x140000 end_va = 0x142fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "drt.dll.mui" filename = "\\Windows\\System32\\en-US\\drt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\drt.dll.mui") Region: id = 2515 start_va = 0xaf0000 end_va = 0xb37fff monitored = 0 entry_point = 0xb2fd0c region_type = mapped_file name = "drt.dll" filename = "\\Windows\\System32\\drt.dll" (normalized: "c:\\windows\\system32\\drt.dll") Region: id = 2516 start_va = 0x140000 end_va = 0x142fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "drt.dll.mui" filename = "\\Windows\\System32\\en-US\\drt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\drt.dll.mui") Region: id = 2517 start_va = 0x1250000 end_va = 0x1338fff monitored = 0 entry_point = 0x132906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 2518 start_va = 0x140000 end_va = 0x148fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 2519 start_va = 0x1250000 end_va = 0x1338fff monitored = 0 entry_point = 0x132906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 2520 start_va = 0x140000 end_va = 0x148fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 2521 start_va = 0x1250000 end_va = 0x1338fff monitored = 0 entry_point = 0x132906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 2522 start_va = 0x140000 end_va = 0x148fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 2523 start_va = 0x1250000 end_va = 0x1338fff monitored = 0 entry_point = 0x132906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 2524 start_va = 0x140000 end_va = 0x148fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 2525 start_va = 0x1250000 end_va = 0x139cfff monitored = 0 entry_point = 0x1352a88 region_type = mapped_file name = "peerdistsvc.dll" filename = "\\Windows\\System32\\PeerDistSvc.dll" (normalized: "c:\\windows\\system32\\peerdistsvc.dll") Region: id = 2526 start_va = 0x140000 end_va = 0x145fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsvc.dll.mui") Region: id = 2527 start_va = 0x1250000 end_va = 0x139cfff monitored = 0 entry_point = 0x1352a88 region_type = mapped_file name = "peerdistsvc.dll" filename = "\\Windows\\System32\\PeerDistSvc.dll" (normalized: "c:\\windows\\system32\\peerdistsvc.dll") Region: id = 2528 start_va = 0x140000 end_va = 0x145fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsvc.dll.mui") Region: id = 2529 start_va = 0x140000 end_va = 0x14efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll" filename = "\\Windows\\System32\\WsmRes.dll" (normalized: "c:\\windows\\system32\\wsmres.dll") Region: id = 2530 start_va = 0xef0000 end_va = 0xf49fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll.mui" filename = "\\Windows\\System32\\en-US\\WsmRes.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wsmres.dll.mui") Region: id = 2531 start_va = 0x140000 end_va = 0x14efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll" filename = "\\Windows\\System32\\WsmRes.dll" (normalized: "c:\\windows\\system32\\wsmres.dll") Region: id = 2532 start_va = 0xef0000 end_va = 0xf49fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll.mui" filename = "\\Windows\\System32\\en-US\\WsmRes.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wsmres.dll.mui") Region: id = 2533 start_va = 0x140000 end_va = 0x14ffff monitored = 0 entry_point = 0x14a33c region_type = mapped_file name = "tbssvc.dll" filename = "\\Windows\\System32\\tbssvc.dll" (normalized: "c:\\windows\\system32\\tbssvc.dll") Region: id = 2534 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tbssvc.dll.mui" filename = "\\Windows\\System32\\en-US\\tbssvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tbssvc.dll.mui") Region: id = 2535 start_va = 0x140000 end_va = 0x14ffff monitored = 0 entry_point = 0x14a33c region_type = mapped_file name = "tbssvc.dll" filename = "\\Windows\\System32\\tbssvc.dll" (normalized: "c:\\windows\\system32\\tbssvc.dll") Region: id = 2536 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tbssvc.dll.mui" filename = "\\Windows\\System32\\en-US\\tbssvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tbssvc.dll.mui") Region: id = 2537 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "workflowservicehostperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WorkflowServiceHostPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\workflowservicehostperformancecounters.dll") Region: id = 2538 start_va = 0x140000 end_va = 0x145fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "workflowservicehostperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\WorkflowServiceHostPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\workflowservicehostperformancecounters.dll.mui") Region: id = 2539 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "workflowservicehostperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WorkflowServiceHostPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\workflowservicehostperformancecounters.dll") Region: id = 2540 start_va = 0x140000 end_va = 0x145fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "workflowservicehostperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\WorkflowServiceHostPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\workflowservicehostperformancecounters.dll.mui") Region: id = 2541 start_va = 0xef0000 end_va = 0xf43fff monitored = 0 entry_point = 0xf03450 region_type = mapped_file name = "lsm.exe" filename = "\\Windows\\System32\\lsm.exe" (normalized: "c:\\windows\\system32\\lsm.exe") Region: id = 2542 start_va = 0x140000 end_va = 0x141fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "lsm.exe.mui" filename = "\\Windows\\System32\\en-US\\lsm.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\lsm.exe.mui") Region: id = 2543 start_va = 0xef0000 end_va = 0xf43fff monitored = 0 entry_point = 0xf03450 region_type = mapped_file name = "lsm.exe" filename = "\\Windows\\System32\\lsm.exe" (normalized: "c:\\windows\\system32\\lsm.exe") Region: id = 2544 start_va = 0x140000 end_va = 0x141fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "lsm.exe.mui" filename = "\\Windows\\System32\\en-US\\lsm.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\lsm.exe.mui") Region: id = 2545 start_va = 0x300000 end_va = 0x320fff monitored = 0 entry_point = 0x31a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 2546 start_va = 0x140000 end_va = 0x143fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 2547 start_va = 0x300000 end_va = 0x320fff monitored = 0 entry_point = 0x31a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 2548 start_va = 0x140000 end_va = 0x143fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 2549 start_va = 0x300000 end_va = 0x320fff monitored = 0 entry_point = 0x31a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 2550 start_va = 0x140000 end_va = 0x143fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 2551 start_va = 0x300000 end_va = 0x320fff monitored = 0 entry_point = 0x31a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 2552 start_va = 0x140000 end_va = 0x143fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 2553 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2554 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2555 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2556 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2557 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2558 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2559 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2560 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2561 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2562 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2563 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2564 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2565 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2566 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2567 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2568 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2569 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xb368c8 region_type = mapped_file name = "pnrpsvc.dll" filename = "\\Windows\\System32\\pnrpsvc.dll" (normalized: "c:\\windows\\system32\\pnrpsvc.dll") Region: id = 2570 start_va = 0x140000 end_va = 0x142fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pnrpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\pnrpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\pnrpsvc.dll.mui") Region: id = 2571 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xb368c8 region_type = mapped_file name = "pnrpsvc.dll" filename = "\\Windows\\System32\\pnrpsvc.dll" (normalized: "c:\\windows\\system32\\pnrpsvc.dll") Region: id = 2572 start_va = 0x140000 end_va = 0x142fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pnrpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\pnrpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\pnrpsvc.dll.mui") Region: id = 2573 start_va = 0x1250000 end_va = 0x132bfff monitored = 0 entry_point = 0x12c5ec8 region_type = mapped_file name = "azroles.dll" filename = "\\Windows\\System32\\azroles.dll" (normalized: "c:\\windows\\system32\\azroles.dll") Region: id = 2574 start_va = 0x140000 end_va = 0x140fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "azroles.dll.mui" filename = "\\Windows\\System32\\en-US\\azroles.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\azroles.dll.mui") Region: id = 2575 start_va = 0x1250000 end_va = 0x132bfff monitored = 0 entry_point = 0x12c5ec8 region_type = mapped_file name = "azroles.dll" filename = "\\Windows\\System32\\azroles.dll" (normalized: "c:\\windows\\system32\\azroles.dll") Region: id = 2576 start_va = 0x140000 end_va = 0x140fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "azroles.dll.mui" filename = "\\Windows\\System32\\en-US\\azroles.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\azroles.dll.mui") Region: id = 2577 start_va = 0x1250000 end_va = 0x1331fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll" filename = "\\Windows\\System32\\FXSRESM.dll" (normalized: "c:\\windows\\system32\\fxsresm.dll") Region: id = 2578 start_va = 0x300000 end_va = 0x328fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll.mui" filename = "\\Windows\\System32\\en-US\\FXSRESM.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fxsresm.dll.mui") Region: id = 2579 start_va = 0x1250000 end_va = 0x1331fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll" filename = "\\Windows\\System32\\FXSRESM.dll" (normalized: "c:\\windows\\system32\\fxsresm.dll") Region: id = 2580 start_va = 0x300000 end_va = 0x328fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll.mui" filename = "\\Windows\\System32\\en-US\\FXSRESM.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fxsresm.dll.mui") Region: id = 2581 start_va = 0x1010000 end_va = 0x10b8fff monitored = 0 entry_point = 0x10218d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 2582 start_va = 0x140000 end_va = 0x144fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 2583 start_va = 0x1010000 end_va = 0x10b8fff monitored = 0 entry_point = 0x10218d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 2584 start_va = 0x140000 end_va = 0x144fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 2585 start_va = 0x1010000 end_va = 0x10b8fff monitored = 0 entry_point = 0x10218d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 2586 start_va = 0x140000 end_va = 0x144fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 2587 start_va = 0x1010000 end_va = 0x10b8fff monitored = 0 entry_point = 0x10218d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 2588 start_va = 0x140000 end_va = 0x144fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 2589 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2590 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2591 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2592 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2593 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2594 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2595 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2596 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2597 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2598 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2599 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2600 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2601 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2602 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2603 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2604 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2605 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2606 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2607 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2608 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2609 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2610 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2611 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2612 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2613 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2614 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2615 start_va = 0xaf0000 end_va = 0xb3ffff monitored = 0 entry_point = 0xaf2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2616 start_va = 0x160000 end_va = 0x172fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 2617 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2618 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2619 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2620 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2621 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2622 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2623 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2624 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2625 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2626 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2627 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2628 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2629 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2630 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2631 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2632 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2633 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2634 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2635 start_va = 0xef0000 end_va = 0xf7afff monitored = 0 entry_point = 0xf651ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2636 start_va = 0x140000 end_va = 0x149fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2637 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 2638 start_va = 0x140000 end_va = 0x14bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 2639 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 2640 start_va = 0x140000 end_va = 0x14bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 2641 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 2642 start_va = 0x140000 end_va = 0x14bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 2643 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 2644 start_va = 0x140000 end_va = 0x14bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 2645 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 2646 start_va = 0x140000 end_va = 0x14bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 2647 start_va = 0x160000 end_va = 0x179fff monitored = 1 entry_point = 0x161380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 2648 start_va = 0x140000 end_va = 0x14bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 2649 start_va = 0x300000 end_va = 0x327fff monitored = 0 entry_point = 0x301860 region_type = mapped_file name = "umpo.dll" filename = "\\Windows\\System32\\umpo.dll" (normalized: "c:\\windows\\system32\\umpo.dll") Region: id = 2650 start_va = 0x140000 end_va = 0x140fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "umpo.dll.mui" filename = "\\Windows\\System32\\en-US\\umpo.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\umpo.dll.mui") Region: id = 2651 start_va = 0x300000 end_va = 0x327fff monitored = 0 entry_point = 0x301860 region_type = mapped_file name = "umpo.dll" filename = "\\Windows\\System32\\umpo.dll" (normalized: "c:\\windows\\system32\\umpo.dll") Region: id = 2652 start_va = 0x140000 end_va = 0x140fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "umpo.dll.mui" filename = "\\Windows\\System32\\en-US\\umpo.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\umpo.dll.mui") Region: id = 2653 start_va = 0x140000 end_va = 0x14afff monitored = 0 entry_point = 0x1411a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 2654 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 2655 start_va = 0x140000 end_va = 0x14afff monitored = 0 entry_point = 0x1411a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 2656 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 2657 start_va = 0x140000 end_va = 0x14afff monitored = 0 entry_point = 0x1411a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 2658 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 2659 start_va = 0x140000 end_va = 0x14afff monitored = 0 entry_point = 0x1411a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 2660 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 2661 start_va = 0x140000 end_va = 0x14afff monitored = 0 entry_point = 0x1411a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 2662 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 2663 start_va = 0x140000 end_va = 0x14afff monitored = 0 entry_point = 0x1411a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 2664 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 2665 start_va = 0x140000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\PSEvents.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\psevents.dll") Region: id = 2666 start_va = 0x160000 end_va = 0x16dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\PSEvents.dll.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\psevents.dll.mui") Region: id = 2667 start_va = 0x140000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\PSEvents.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\psevents.dll") Region: id = 2668 start_va = 0x160000 end_va = 0x16dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\PSEvents.dll.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\psevents.dll.mui") Region: id = 2669 start_va = 0x1250000 end_va = 0x2044fff monitored = 0 entry_point = 0x1333268 region_type = mapped_file name = "wmp.dll" filename = "\\Windows\\System32\\wmp.dll" (normalized: "c:\\windows\\system32\\wmp.dll") Region: id = 2670 start_va = 0x1250000 end_va = 0x2044fff monitored = 0 entry_point = 0x1333268 region_type = mapped_file name = "wmp.dll" filename = "\\Windows\\System32\\wmp.dll" (normalized: "c:\\windows\\system32\\wmp.dll") Region: id = 2671 start_va = 0x1010000 end_va = 0x10b9fff monitored = 0 entry_point = 0x1024100 region_type = mapped_file name = "netlogon.dll" filename = "\\Windows\\System32\\netlogon.dll" (normalized: "c:\\windows\\system32\\netlogon.dll") Region: id = 2672 start_va = 0x140000 end_va = 0x143fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netlogon.dll.mui" filename = "\\Windows\\System32\\en-US\\netlogon.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netlogon.dll.mui") Region: id = 2673 start_va = 0x1010000 end_va = 0x10b9fff monitored = 0 entry_point = 0x1024100 region_type = mapped_file name = "netlogon.dll" filename = "\\Windows\\System32\\netlogon.dll" (normalized: "c:\\windows\\system32\\netlogon.dll") Region: id = 2674 start_va = 0x140000 end_va = 0x143fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netlogon.dll.mui" filename = "\\Windows\\System32\\en-US\\netlogon.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netlogon.dll.mui") Region: id = 2675 start_va = 0xaf0000 end_va = 0xb37fff monitored = 0 entry_point = 0xb2fd0c region_type = mapped_file name = "drt.dll" filename = "\\Windows\\System32\\drt.dll" (normalized: "c:\\windows\\system32\\drt.dll") Region: id = 2676 start_va = 0x140000 end_va = 0x142fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "drt.dll.mui" filename = "\\Windows\\System32\\en-US\\drt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\drt.dll.mui") Region: id = 2677 start_va = 0xaf0000 end_va = 0xb37fff monitored = 0 entry_point = 0xb2fd0c region_type = mapped_file name = "drt.dll" filename = "\\Windows\\System32\\drt.dll" (normalized: "c:\\windows\\system32\\drt.dll") Region: id = 2678 start_va = 0x140000 end_va = 0x142fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "drt.dll.mui" filename = "\\Windows\\System32\\en-US\\drt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\drt.dll.mui") Region: id = 2679 start_va = 0x1250000 end_va = 0x1338fff monitored = 0 entry_point = 0x132906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 2680 start_va = 0x140000 end_va = 0x148fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 2681 start_va = 0x1250000 end_va = 0x1338fff monitored = 0 entry_point = 0x132906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 2682 start_va = 0x140000 end_va = 0x148fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 2683 start_va = 0x1250000 end_va = 0x1338fff monitored = 0 entry_point = 0x132906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 2684 start_va = 0x140000 end_va = 0x148fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 2685 start_va = 0x1250000 end_va = 0x1338fff monitored = 0 entry_point = 0x132906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 2686 start_va = 0x140000 end_va = 0x148fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 2687 start_va = 0x1250000 end_va = 0x139cfff monitored = 0 entry_point = 0x1352a88 region_type = mapped_file name = "peerdistsvc.dll" filename = "\\Windows\\System32\\PeerDistSvc.dll" (normalized: "c:\\windows\\system32\\peerdistsvc.dll") Region: id = 2688 start_va = 0x140000 end_va = 0x145fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsvc.dll.mui") Region: id = 2689 start_va = 0x1250000 end_va = 0x139cfff monitored = 0 entry_point = 0x1352a88 region_type = mapped_file name = "peerdistsvc.dll" filename = "\\Windows\\System32\\PeerDistSvc.dll" (normalized: "c:\\windows\\system32\\peerdistsvc.dll") Region: id = 2690 start_va = 0x140000 end_va = 0x145fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsvc.dll.mui") Region: id = 2691 start_va = 0x140000 end_va = 0x14efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll" filename = "\\Windows\\System32\\WsmRes.dll" (normalized: "c:\\windows\\system32\\wsmres.dll") Region: id = 2692 start_va = 0xef0000 end_va = 0xf49fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll.mui" filename = "\\Windows\\System32\\en-US\\WsmRes.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wsmres.dll.mui") Region: id = 2693 start_va = 0x140000 end_va = 0x14efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll" filename = "\\Windows\\System32\\WsmRes.dll" (normalized: "c:\\windows\\system32\\wsmres.dll") Region: id = 2694 start_va = 0xef0000 end_va = 0xf49fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll.mui" filename = "\\Windows\\System32\\en-US\\WsmRes.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wsmres.dll.mui") Region: id = 2695 start_va = 0x140000 end_va = 0x14ffff monitored = 0 entry_point = 0x14a33c region_type = mapped_file name = "tbssvc.dll" filename = "\\Windows\\System32\\tbssvc.dll" (normalized: "c:\\windows\\system32\\tbssvc.dll") Region: id = 2696 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tbssvc.dll.mui" filename = "\\Windows\\System32\\en-US\\tbssvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tbssvc.dll.mui") Region: id = 2697 start_va = 0x140000 end_va = 0x14ffff monitored = 0 entry_point = 0x14a33c region_type = mapped_file name = "tbssvc.dll" filename = "\\Windows\\System32\\tbssvc.dll" (normalized: "c:\\windows\\system32\\tbssvc.dll") Region: id = 2698 start_va = 0x160000 end_va = 0x161fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tbssvc.dll.mui" filename = "\\Windows\\System32\\en-US\\tbssvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tbssvc.dll.mui") Region: id = 2699 start_va = 0x7fef79b0000 end_va = 0x7fef79bafff monitored = 0 entry_point = 0x7fef79b46ec region_type = mapped_file name = "perfos.dll" filename = "\\Windows\\System32\\perfos.dll" (normalized: "c:\\windows\\system32\\perfos.dll") Region: id = 2700 start_va = 0x1320000 end_va = 0x139ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001320000" filename = "" Region: id = 2701 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 2702 start_va = 0x13a0000 end_va = 0x158ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000013a0000" filename = "" Region: id = 2703 start_va = 0x13a0000 end_va = 0x149ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000013a0000" filename = "" Region: id = 2704 start_va = 0x1580000 end_va = 0x158ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001580000" filename = "" Region: id = 2705 start_va = 0x1590000 end_va = 0x168ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001590000" filename = "" Region: id = 2722 start_va = 0x140000 end_va = 0x142fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 2723 start_va = 0x7fefa880000 end_va = 0x7fefa8a6fff monitored = 0 entry_point = 0x7fefa8898bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2724 start_va = 0x7fefa870000 end_va = 0x7fefa87afff monitored = 0 entry_point = 0x7fefa871198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2725 start_va = 0x7fefa5f0000 end_va = 0x7fefa600fff monitored = 0 entry_point = 0x7fefa5f16ac region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 2726 start_va = 0x7fefa5d0000 end_va = 0x7fefa5e7fff monitored = 0 entry_point = 0x7fefa5d1bf8 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 2727 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 2728 start_va = 0x170000 end_va = 0x176fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 2729 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 2730 start_va = 0x170000 end_va = 0x176fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 2731 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 2732 start_va = 0x170000 end_va = 0x176fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 2733 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 2734 start_va = 0x170000 end_va = 0x176fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 2735 start_va = 0x7fefc4c0000 end_va = 0x7fefc51afff monitored = 0 entry_point = 0x7fefc4c6940 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 2736 start_va = 0x1690000 end_va = 0x181ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001690000" filename = "" Region: id = 2738 start_va = 0x160000 end_va = 0x164fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Thread: id = 114 os_tid = 0xb04 Thread: id = 115 os_tid = 0xca0 Thread: id = 116 os_tid = 0xc9c Thread: id = 117 os_tid = 0xc98 Thread: id = 118 os_tid = 0xc94 Thread: id = 119 os_tid = 0xc8c Thread: id = 120 os_tid = 0xc88 Thread: id = 121 os_tid = 0xc84 Thread: id = 140 os_tid = 0xc48 Process: id = "8" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x5af21000" os_pid = "0x698" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "6" os_parent_pid = "0x248" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xe], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b19c" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 2749 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2750 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2751 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2752 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2753 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2754 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 2755 start_va = 0xd0000 end_va = 0xd4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 2756 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 2757 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 2758 start_va = 0x100000 end_va = 0x17ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 2759 start_va = 0x180000 end_va = 0x180fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 2760 start_va = 0x190000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 2761 start_va = 0x220000 end_va = 0x22ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 2762 start_va = 0x230000 end_va = 0x32ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 2763 start_va = 0x370000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 2764 start_va = 0x470000 end_va = 0x5f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 2765 start_va = 0x600000 end_va = 0x780fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 2766 start_va = 0x790000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 2767 start_va = 0x850000 end_va = 0xb1efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2768 start_va = 0xba0000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 2769 start_va = 0xc40000 end_va = 0xcbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 2770 start_va = 0xcf0000 end_va = 0xd6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 2771 start_va = 0xe70000 end_va = 0xf6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 2772 start_va = 0xfc0000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 2773 start_va = 0x1090000 end_va = 0x110ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2774 start_va = 0x1160000 end_va = 0x11dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001160000" filename = "" Region: id = 2775 start_va = 0x1210000 end_va = 0x128ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001210000" filename = "" Region: id = 2776 start_va = 0x12b0000 end_va = 0x132ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012b0000" filename = "" Region: id = 2777 start_va = 0x76c40000 end_va = 0x76d5efff monitored = 0 entry_point = 0x76c55340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2778 start_va = 0x76d60000 end_va = 0x76e59fff monitored = 0 entry_point = 0x76d7a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2779 start_va = 0x76e60000 end_va = 0x77008fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2780 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2781 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2782 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2783 start_va = 0x13fd40000 end_va = 0x13fdabfff monitored = 0 entry_point = 0x13fd7b450 region_type = mapped_file name = "wmiprvse.exe" filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe") Region: id = 2784 start_va = 0x7feef580000 end_va = 0x7feef5cdfff monitored = 0 entry_point = 0x7feef581198 region_type = mapped_file name = "pdh.dll" filename = "\\Windows\\System32\\pdh.dll" (normalized: "c:\\windows\\system32\\pdh.dll") Region: id = 2785 start_va = 0x7feef5d0000 end_va = 0x7feef5f4fff monitored = 0 entry_point = 0x7feef5e8d6c region_type = mapped_file name = "wmiperfclass.dll" filename = "\\Windows\\System32\\wbem\\WmiPerfClass.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiperfclass.dll") Region: id = 2786 start_va = 0x7fef4520000 end_va = 0x7fef4531fff monitored = 0 entry_point = 0x7fef45289d0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 2787 start_va = 0x7fef46e0000 end_va = 0x7fef4700fff monitored = 0 entry_point = 0x7fef46f03b0 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 2788 start_va = 0x7fef4780000 end_va = 0x7fef4792fff monitored = 0 entry_point = 0x7fef4781d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 2789 start_va = 0x7fef4a60000 end_va = 0x7fef4a86fff monitored = 0 entry_point = 0x7fef4a611a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 2790 start_va = 0x7fef4a90000 end_va = 0x7fef4b62fff monitored = 0 entry_point = 0x7fef4b08b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 2791 start_va = 0x7fef78b0000 end_va = 0x7fef7935fff monitored = 0 entry_point = 0x7fef78bffd0 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 2792 start_va = 0x7fef7940000 end_va = 0x7fef797bfff monitored = 0 entry_point = 0x7fef7965aa8 region_type = mapped_file name = "wmiprov.dll" filename = "\\Windows\\System32\\wbem\\wmiprov.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprov.dll") Region: id = 2793 start_va = 0x7fefad20000 end_va = 0x7fefad2dfff monitored = 0 entry_point = 0x7fefad25500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2794 start_va = 0x7fefadf0000 end_va = 0x7fefae66fff monitored = 0 entry_point = 0x7fefae2e7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 2795 start_va = 0x7fefbda0000 end_va = 0x7fefbdccfff monitored = 0 entry_point = 0x7fefbda1010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 2796 start_va = 0x7fefc3a0000 end_va = 0x7fefc3e6fff monitored = 0 entry_point = 0x7fefc3a1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2797 start_va = 0x7fefc6a0000 end_va = 0x7fefc6b7fff monitored = 0 entry_point = 0x7fefc6a3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2798 start_va = 0x7fefc810000 end_va = 0x7fefc831fff monitored = 0 entry_point = 0x7fefc815d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2799 start_va = 0x7fefc8d0000 end_va = 0x7fefc93cfff monitored = 0 entry_point = 0x7fefc8d1010 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 2800 start_va = 0x7fefcca0000 end_va = 0x7fefccaefff monitored = 0 entry_point = 0x7fefcca1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2801 start_va = 0x7fefcd90000 end_va = 0x7fefcda3fff monitored = 0 entry_point = 0x7fefcd910e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2802 start_va = 0x7fefce60000 end_va = 0x7fefcecbfff monitored = 0 entry_point = 0x7fefce62780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2803 start_va = 0x7fefd180000 end_va = 0x7fefd382fff monitored = 0 entry_point = 0x7fefd1a3330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2804 start_va = 0x7fefd390000 end_va = 0x7fefd3bdfff monitored = 0 entry_point = 0x7fefd391010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2805 start_va = 0x7fefd3c0000 end_va = 0x7fefd49afff monitored = 0 entry_point = 0x7fefd3e0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2806 start_va = 0x7fefd4a0000 end_va = 0x7fefd5ccfff monitored = 0 entry_point = 0x7fefd4eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2807 start_va = 0x7fefd650000 end_va = 0x7fefd758fff monitored = 0 entry_point = 0x7fefd651064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2808 start_va = 0x7fefd760000 end_va = 0x7fefd7b1fff monitored = 0 entry_point = 0x7fefd7610d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 2809 start_va = 0x7fefda20000 end_va = 0x7fefda86fff monitored = 0 entry_point = 0x7fefda2b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2810 start_va = 0x7fefda90000 end_va = 0x7fefda9dfff monitored = 0 entry_point = 0x7fefda91080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2811 start_va = 0x7fefdaa0000 end_va = 0x7fefdaa7fff monitored = 0 entry_point = 0x7fefdaa1504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2812 start_va = 0x7fefdb50000 end_va = 0x7fefdbe8fff monitored = 0 entry_point = 0x7fefdb51c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2813 start_va = 0x7fefdbf0000 end_va = 0x7fefdcb8fff monitored = 0 entry_point = 0x7fefdc6a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2814 start_va = 0x7fefdcc0000 end_va = 0x7fefdd96fff monitored = 0 entry_point = 0x7fefdcc3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2815 start_va = 0x7fefdda0000 end_va = 0x7fefddecfff monitored = 0 entry_point = 0x7fefdda1070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2816 start_va = 0x7fefeb80000 end_va = 0x7fefeb9efff monitored = 0 entry_point = 0x7fefeb860e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2817 start_va = 0x7feff0d0000 end_va = 0x7feff16efff monitored = 0 entry_point = 0x7feff0d25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2818 start_va = 0x7feff180000 end_va = 0x7feff180fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2819 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 2820 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2821 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2822 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 2823 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 2824 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 2825 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2826 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2827 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2828 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 122 os_tid = 0xc4c Thread: id = 123 os_tid = 0x6ac Thread: id = 124 os_tid = 0x3a0 Thread: id = 125 os_tid = 0x6bc Thread: id = 126 os_tid = 0x4e0 Thread: id = 127 os_tid = 0x710 Thread: id = 128 os_tid = 0x4dc Thread: id = 129 os_tid = 0x2a0